03 October 2017

New cross-EU data processing regulations come into effect in May 2018 with the European Union's new General Data Protection Regulation (GDPR) replacing the 1995 Data Protection Directive.

The UK has an obligation to update existing data rules to match them so they are equivalent to the European Union's laws. This will allow UK-based organisations to freely send and receive data within Europe following Brexit.

What's happened so far?

The Government consulted on derogation (exemptions) contained within the General Data Protection Regulation (GDPR) in April and May this year. Responses from over 150 individuals and 170 organisations were received and can be viewed on the GOV.UK website.

The Government issued a statement of intent - New Data Protection Bill: Our planned reforms - on 7 August as a commitment to updating and strengthening data protection laws through a new Data Protection Bill which will replace the 1998 Data Protection Act.

The bill will see the government exercise the available derogations and reproduce the exemptions and safeguards currently evident in the Data Protection Act and extend protections in some areas. The Information Commissioner will provide guidance on the transition to the new law.

What does the GDPR mean for businesses?

The regulation will establish new responsibilities for those handling and processing personal data and new rights for individuals across EU member states.

What's the likely impact and scope of the GDPR? 

The GDPR is likely to be so impactful because it takes an extensive and holistic view of what might be considered personal data. Documents, spreadsheets, databases and the like are the most obvious manifestations of what we might consider data to be but GDPR also covers social network posts, names, IP addresses and more. There are some exceptions but these largely relate to national security and employment or data processing at home for personal use.

Almost all businesses can expect to have to update their processes to conform with GDPR requirements. The new regulations should, however, make it easier for those based outside of the EU to work with those companies who are with just one common set of rules to adhere to.

What are the key changes?

Some of the key changes include:

  • PrivacyOpt out boxes hidden at the end of forms and information on data use buried in Privacy policies may no longer be acceptable. Organisations must make consent to opt-in explicit and be aware of who will have access to the data and what they will do with it.
  • Personal dataAn expanded definition will bring IP addresses, cookies (and information on web browsing habits) and even DNA into scope. Organisations need to audit the data they collect and determine what falls in scope and whether the burden of collection/maintenance outweighs any burden.
  • Automated processing. Where algorithmic technology is used to form a profile of an individual, the GDPR stipulates that individuals can demand this processing is undertaken by a human and not a machine. As insurance applications and job applications increasingly rely on this kind of processing this edict could have a big impact.
  • Portability. Consumers should be able to move data between providers if required without barriers being put in their way. For example, documents stored on a cloud storage site should be able to be ported to another quickly and easily.
  • The right to be forgotten. Organisations will need to provide access to the personal data they hold on others. Requests can also be made to wipe data (including all social media posts made by individuals when they were younger than 18). Companies will need to consider data storage and retrieval systems and processes.

Will GDPR still apply after Brexit?

All British businesses will be expected to comply with the GDPR as the UK will still be a member of the European Union when it comes into force in May 2018. Current understanding is that EU legislation will be adopted into UK law so it's likely that the impact of the GDPR will continue to apply even after the country leaves the union.

You should be mindful that once the UK has left the EU then the European Commission will need to assess whether Britain's rules and regulations offer sufficient protection to allow EU member states to transfer personal data to British companies. If you trade with the EU currently, a worst-case scenario might mean you need to set up infrastructure within an EU country in order to carry on doing so if the Commission rules post-Brexit Britain's rules don't go far enough.

You also need to be aware that the GDPR restricts information being transferred outside of the bloc. If you (or a third party whose service you rely on) is handling data outside of the bloc then you'll need to come up with an alternative solution. A UK company sending emails from a UK server to EU clients would be permissible, while using a cloud-based non-EU server would find you in breach.

What do I need to do to ensure my business is compliant?

Know what you're dealing with 

A data audit is a good place to start your preparations. Only by understanding your current data collection and processing can you expect to fully understand the impact and come up with a plan to tackle any areas that fall short.

Consider privacy as you design services, products and processes

Putting privacy front and centre of your service development processes - 'privacy by design' - will save you the problem of retrofitting and reverse engineering solutions down the line. You should be aware that contracting data collection and processing to a third party does not absolve you from responsibility - under GDPR the buck stops with you when it comes to compliance.

Considering privacy extends to the kind of information you collect (is it truly essential?) and needs to be proportionate. For example, using a credit card as an age check may be considered overly risky and there are likely other ways to achieve the verification that would prove less risky if compromised. When it comes to storage you need to ensure that identifying data is anonymised where appropriate - using hash values at the point of capture, for example.

Privacy is no longer a 'nice to have' it should be an essential component of privacy protection and run throughout your processes.

Ensure you can prove you're doing the right thing

While it should go without saying that business processes need to be developed with privacy properly considered what may be a less obvious is the fact that you need to be able to show you've done this too. Much like at school if you can 'show your thinking' and how you've arrived at your final conclusions, you shouldn't have much to fear from external scrutiny. Adopting this kind of rigour will also reassure you and your customers that available protections were evaluated and the most appropriate safeguards effectively implemented.

The Information Commissioner's Office recommends conducting a Data Protection Impact Assessment (DPIA) whenever new technologies are used to process information that has the potential to put individual's privacy rights at risk. The assessment should investigate risks to individuals, whether data processing and retention is needed, mitigating measures as well as a description of your processing operations and intended purpose(s).

Doing the right thing also extends to training for those staff who might handle personal data and a robust data-protection policy to ensure appropriate safeguards are enforced. Companies with more than 250 staff have additional duties and are required to retain written records of all data-processing undertaken and safeguards around mechanisms used to transfer data.

Make sure that you actively solicit consent

The days of the sneaky pre-ticked checkbox or simply assuming that someone has opted in just because they haven't opted out should be numbered. Opting in needs to be an active process and consent cannot be implied.

Users should have a clear understanding of what they are actually opting into regardless of the mechanism being used - be it a form, online checkout or some other data collection mechanism. 

Care is needed when presenting terms and conditions this kind of data connection - such terms should be distinct from regular T's and C's and not buried among reams of extraneous detail. 

The regulations apply internally too, meaning employers must contain consent from their own employees when collecting and processing data.

To be clear, the regulations don't mean you have to start collecting data from scratch but do mean that individuals can question your use of their data or revoke consent to use it at all at any time. With this in mind, it may well be prudent to contact all contacts on your database requesting continued consent for processing their data.

Develop a procedure for erasure

The GDPR replaces a 'right to be forgotten' with a 'right to erasure' that means, in specific situations, someone can request that you remove them from your database entirely by denying consent for further processing. This includes situations where data has been obtained or processed unlawfully or where the circumstances that the data was originally gathered for cease to apply.

Your systems should allow you to quickly and easily identify and then remove individuals' data. Remember, the GDPR puts the onus on you - even if you've opted to share data with a third party for processing - to ensure compliance.

There are a number of grounds for refusing an individual's request - for example, you may retain personal data in defence of legal claims, in support of a legal retention obligation or in order to perform tasks requested by an official authority. You can also refuse a request in the interests of public health or for archival purposes - both must be 'in the public interest'.

Beware automated decision-making

Many electronic systems, particularly online, use algorithms to automate decision making. Under the terms of the GDPR if a system produces a legal effect (or similar) then the decision should not be based on such automation unless absolutely necessary and authorised by law. Users also need to have given their explicit consent for this to occur.

'Profiling' is much more common than you might first think. An e-commerce website will often tailor product suggestions based on the information they collect about a user. Social networks, mapping or health apps too all collect data and offer personalised content after processing. For employers, information on employee performance would fall into this category.

Communicate openly with your users

Under the GDPR individuals can contest how their data is being used and/or revoke your consent to use it.

A nominated data controller and data protection officer will be responsible for dealing with these kinds of interactions and their details must be made available to the country's Supervisory Authority and the general public. Each member state will have its own Supervisory Authority (the UK's is the Information Commissioner's Office (ICO)) which will investigate individuals' complaints, liaise with other Supervisory Authorities and be overseen by the European Data Protection Board.

An explanation of how customer data is used (and why it is collected) along with any interested parties in the data (who will receive, process and retain, the data, for example) should be provided. This statement should be written in plain language and be clearly set out.

There are additional requirements for situations where you acquire data from a third party and not directly from the subject (for example, a purchased mailing list). In these circumstances, you must tell subjects how you acquired their data and of the categories of personal data you are collecting.

What are the penalties for non-compliance?

The penalties for serial non-compliance are serious, with a maximum potential fine of €20m or 4% of your company’s annual worldwide turnover, whichever is greater.

What happens next?

Brexit arrangements introduce a level of uncertainty into the process but there is sufficient clarity to determine that GDPR will apply while Britain is within the UK (from May 2018) and is likely to continue to apply when we leave. There's no avoiding it - GDPR needs to be planned for appropriately.

The Information Commissioner's Office website is a good place to find the very latest information on what you need to do and when. This is sure to be a topic we return to in coming months here on theNBS.com.

Note that this article is not intended to construe legal advice or offer comprehensive guidance.