Following four years of deliberation, the EU General Data Protection Regulation (GDPR) was published in the EU’s Official Journal on 4 May 2016, coming into force 20 days later. Organisations will need to comply with the new law by 25 May 2018.
The GDPR will automatically apply across the European Union (EU), without the need for separate national implementation (although there is scope for additional legislation in some areas to complement the provisions). It will replace the current EU Data Protection Directive (95/46/EC) and the UK Data Protection Act 1998 (DPA) from 25 May 2018.
As with the DPA, the GDPR regulates the processing of personal data relating to individuals. It places obligations on data controllers (who determine the purposes and means of processing), and on data processors (who process personal data on behalf of a data controller).
The following is a summary of some key provisions of the GDPR, focusing on changes to the current law under the DPA. These present new requirements and risks for organisations and may require changes to current practices for management of data processing activities.
(a) New principle of “accountability” (Article 5(2)), requiring the controller to be able to demonstrate compliance with the data protection principles. The controller must retain internal records of processing activities (Article 30(1)), including descriptions of categories of data and data subjects, purposes of processing, disclosures, the legal basis for processing (see (l) below) and transfers (see (k) below), data retention, security measures, name and contact details of the controller and, where applicable, the data protection officer (see (f) below). Where proportionate in relation to processing activities, the controller should implement appropriate data protection policies (Article 24(2)).
(b) New definition of and requirements relating to consent (which may be relied upon as a legal basis for processing – see (l) below). Consent must be freely given, specific, informed and unambiguous (Article 4(11)). Consent may be withdrawn (Article 7(3)) and, if it forms part of a declaration about several matters, must be clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language (Article 7(2)).
(c) New requirement to obtain parental consent when offering online services to a child below the age of 16 (or a lower age down to 13 if designated by national law) (Article 8).
(d) The GDPR encourages the preparation of and compliance with approved codes of conduct (Article 40) and certifications, seals or marks (Article 42), to specify the application of the Regulation to specific matters, and to demonstrate compliance.
(e) New requirements to apply data protection by design (including data minimisation) and data protection by default to processing activities (Article 25), and to carry out data protection impact assessments for high risk activities (Article 35). High risk activities include evaluation of personal details based on automated processing (including profiling) on which decisions are based, large scale processing of sensitive personal data or data relating to criminal convictions, and monitoring of publicly accessible areas on a large scale. Specific activities requiring an impact assessment are to be determined further by national supervisory authorities (including the ICO in the UK). Prior consultation with supervisory authorities is required where high risks are identified (Article 36) (see also (s) below).
(f) New requirements to appoint a data protection officer (DPO) for public sector organisations, for organisations who carry out large-scale monitoring activities, and for organisations who process sensitive personal data on a large scale (Article 37). The DPO must be involved in all issues which relate to the protection of personal data, and its responsibilities include advising the organisation on data protection obligations, monitoring compliance, providing advice on data protection impact assessments, co-operating and, where necessary, consulting with the supervisory authority (the ICO in the UK) (Article 39).
(g) Member States may provide more specific rules in relation to the processing of employees’ personal data in the employment context (Article 88). These must be notified to the EU Commission by 25 May 2018 (which is also the date from which organisations must comply with the GDPR).
(h) Extended powers of the national supervisory authorities (the Information Commissioner’s Office (ICO) in the UK), including investigative powers (Article 58(1)), corrective powers (Article 58(2)), and authorisation and advisory powers (Article 58(3)). Each national supervisory authority must co-operate with and provide assistance to other national supervisory authorities (Article 60) to ensure consistency in application and enforcement of the GDPR across the EU. A new EU Data Protection Board will assist with Opinions and dispute resolution between supervisory authorities (Articles 64 and 65). See also (t) below in relation to rights of data subjects.
(i) The GDPR allows for further EU or national law to provide restrictions or exemptions to the application of certain provisions which are necessary and proportionate to safeguard listed objectives, including national security, prevention of crime, public interest objectives, regulatory functions, protection of data subjects and others, enforcement of civil law claims (Article 23), freedom of expression and information (Article 85), research and statistics (Article 89). Note: Similar provisions are within the current EU Data Protection Directive, as incorporated into the DPA.
Derogations and exceptions for specific GDPR requirements are also set out within the GDPR within the Articles or Section containing those requirements.
There is an interesting provision at Article 11 which provides that if the purposes for which a controller processes personal data do not require the identification of the data subject, the controller shall not be obliged to maintain additional identifying information for the sole purpose of complying with the GDPR.
(j) Increased administrative fines for breaches of up to Euro 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). Some breaches give rise to lower fines of up to Euro 10 million or 2% of annual turnover (Article 83(4)).
(k) Similar restriction to current law in transferring personal data outside the EU (Article 44) and similar options for overcoming the restrictions on transfers of personal data outside the EU (Articles 45 to 49) (adequacy decision of the Commission, EU-approved model contracts, other approved contracts, binding corporate rules), although changes to the detail of the requirements may affect an organisation’s assessment of which option(s) are appropriate in context. Codes of conduct and certifications are also options (see (d) above). Reduced scope for organisations to make their own assessment of adequacy (as currently permitted under UK law), although there is a new derogation for non-repetitive transfers concerning a limited number of data subjects made for the purposes of “compelling legitimate interests” (Article 49).
(l) One of six conditions must be satisfied in order for processing to be lawful (Article 6(1)). These are similar to those within current law, but there is more emphasis on documenting the basis for processing (see (a) above), identifying specific legitimate interests (see (o) below) and additional requirements relating to consent (see (b) above). Public authorities cannot rely on the “legitimate interests” condition (Article 6(1)(f)) in relation to processing carried out in the performance of their tasks (although they may be able to rely on the condition that the processing is necessary in the performance of such tasks (Article 6(1)(e))).
(m) In relation to administrative fines, see (j) above. Rules on other penalties may be set at national level, which must be effective, proportionate and dissuasive. See also enforcement at (h) above and rights of data subjects at (t) below.
(n) Similar data protection principles to current law (Article 5), with an additional principle of accountability (see (a) above). There are some changes to the detail of the principles, including an explicit requirement for transparency (see also (o) below), and use of the term “data minimisation” in relation to limiting personal data to what is necessary for the relevant purposes.
(o) Additional information to be provided within privacy notices or other notifications to individuals (Articles 13 and 14), including: contact details for the data controller and data protection officer, the legal basis for the processing (see (l) above) and the legitimate interests relied upon, where relevant, the recipients of data (i.e. data sharing), safeguards for international data transfers (see (k) above), data retention periods, rights of individuals (see (t) below), right to withdraw consent, where relevant (see (b) above), whether the individual is obliged to provide the relevant data and the consequences of not providing it, the source of the data (if not obtained from the data subject) and information about any profiling (see (q) below) or other automated decision-making.
Note: Identification of the data controller and the purposes of processing must also be provided, as under current law.
(p) Direct obligations for data processors, including in relation to data security (Article 32), notification of security breaches (Article 33(2)), appointment of a data protection officer (see (f) above), record-keeping (Article 30(2)) and international data transfers (Article 44).
Additional obligations for data controllers in relation to their relationship with data processors (Article 28), including requirements for contracts to include provisions on the subject matter and context of the processing, data retention, audits, appointment of sub-processors and assistance with security breaches and data protection impact assessments.
Note: The requirements also include obligations under current law relating to security guarantees and contractual terms to act on instructions and implement security measures.
(q) Introduction of the concept of “profiling” (Article 4(4)), meaning any form of automated processing of personal data relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. See requirements relating to data protection impact assessments at (e) above and rights of data subjects at (t) below.
(r) Introduction of the concept of “pseudonymisation” (Article 4(5)), meaning the processing of personal data in a manner that the data can no longer be attributed to a specific data subject without the use of additional information which is kept separately and is subject to security measures. Such processing still falls under the scope of the GDPR (as it is not true anonymisation), but can assist with security of the data (see (v) below).
(s) Contrary to current law, no general requirement to register processing activities with national supervisory authorities (the ICO in the UK) (as there is more emphasis on accountability of the data controller – see (a) above). Note: This has created funding concerns for the ICO as they are currently funded by notification (i.e. registration) fees.
However, data processors and controllers must co-operate with the supervisory authorities (Article 31), and supervisory authorities must be consulted in relation to data protection impact assessments (see (e) above), and in relation to “any other matter” “where appropriate” by the data protection officer (Article 39(1)(e)). They may also be required to authorise or approve certain matters, including contracts and binding corporate rules for international data transfers (Articles 46(3) and 47).
(t) New rights of data subjects as well as similar rights to those under current law. These rights include:
(u) The GDPR makes it clear that risk assessments are required to determine appropriate measures to comply with the requirements. It provides that the risks to individuals should be taken into account in relation to several matters, including the data controller’s overall responsibility for compliance (Article 24(1)), security measures (Article 32(1)), security breaches (Articles 33(1) and 34(1)), data protection by design and by default (see (e) above), and data protection impact assessments (see (e) above).
(v) Similar general obligations as under current law to implement appropriate technical and organisational measures to secure data (Article 32), taking into account risks (see (u) above), and with new direct obligations for data processors (see (p) above). Data security measures shall include, as appropriate: pseudonymisation (see (r) above) and encryption of data; the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services; the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
(w) New requirement for security breaches (unless unlikely to result in a high risk) to be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours (Article 33(1)). Affected data subjects also need to be notified without undue delay where the breach is likely to result in a high risk for individuals (Article 34(1)).
(x) Wider scope of sensitive personal data (referred to in the GDPR as “special categories of data”) which explicitly includes biometric data, genetic data and sexual orientation (Article 9(1)). Note: As under current law, special categories of data also include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning sex life.
The processing of such data is prohibited unless one of the listed conditions is satisfied (Article 9(2)). Data relating to criminal convictions or offences are treated separately (Article 10), requiring specific justification for processing. Note: this is similar to the existing EU Data Protection Directive, although they were brought within the heading of “sensitive personal data” under the UK DPA.
(y) Similar right of access to data as under current law, but changes to the detail of the process (Article 15). In most cases, the timescale for responding is within one month, and a fee cannot be charged. Additional information must be provided in response to a request, including the categories of personal data, data retention periods, other rights of the data subject, and safeguards for international data transfers.
Note: The purposes of processing, the recipients, the sources and the logic behind automated decisions must also be provided, as under current law.
(z) As well as its application to organisations established in the EU, the GDPR applies to organisations not established in the EU, but who process personal data relating to the offering of goods or services to data subjects in the EU or to the monitoring of the behaviour of data subjects in the EU (Article 3).
Also published in the Official Journal on 4 May 2016 was a new EU Directive on data protection matters for the police and criminal justice sector (Directive (EU) 2016/680). This repeals Council Framework Decision 2008/977/JHA.
The Directive only applies to the processing of personal data by “competent authorities”, meaning any public authority responsible for investigation and prosecution of criminal offences, or other bodies with public authority for such matters. It will not therefore apply to most organisations. The processing of personal data by competent authorities for these purposes is expressly excluded from the GDPR.
As this is a Directive rather than a Regulation, it needs to be implemented separately by each EU Member State (including the UK). Member States have until 6 May 2018 to adopt laws necessary to comply with the Directive.
Olivia Whitcroft, principal of OBEP, 10 May 2016
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft.