The General Data Protection Regulation: What does it mean for you?

Transcription

1 The General Data Protection Regulation: What does it mean for you?

2

3 We are here to help The changes being introduced in the EU General Data Protection Regulation 2016 (GDPR) will be the biggest shake-up in data protection and privacy law in over two decades. Coming into force in May 2018, the changes are the culmination of four years of lobbying and debate in Europe. Navigating your way through the GDPR can be a daunting prospect. Our guide will allow you to quickly get to grips with the key issues that will affect your organisation and provide you with a series of initial practical steps to be taken as you work towards compliance. Our guide covers: 1. An introduction to the GDPR 2. Old vs new: The GDPR at a glance 3. Fines and enforcement 4. Policies and procedures 5. Transparency and consent 6. The new role of Data Protection Officer 7. Data subjects rights 8. Data breach notification 9. Your GDPR checklist: what to do next in 10 easy steps 10. How we can help you 3

4 An introduction to the GDPR Key points The GDPR updates the law. The GDPR introduces concepts and requirements that better reflect the data processing that is carried out in an increasingly digital world. The new rules strengthen the rights and protections of individuals. More data is being collected than ever before. Individuals are increasingly conscious of privacy issues. The GDPR requires organisations to be more transparent; providing individuals with greater rights to hold organisations to account. The new rules apply to all member states in the European Union. The Data Protection Act 1998 and its equivalents across Europe were implemented differently in member states. This lack of harmonisation created challenges for pan-european businesses. The GDPR does not require implementation by member states in national legislation. It is, therefore, a major step towards a Digital Single Market. The triggering of Article 50 and Brexit does not mean that the GDPR will not apply. The GDPR will come into force well before the UK leaves the EU. It is likely that organisations will have to comply with similar rules after the UK leaves, given that the UK will still wish to trade with EU member states which will still be subject to the GDPR. 4

5 Our advice? Don t be daunted! Organisations that meet current requirements are well-placed to comply with the new rules. Whilst the GDPR presents challenges, it should also be seen as an opportunity. Your customers are increasingly privacy literate; embracing the changes will increase trust and strengthen your brand. In summary, the GDPR will introduce significant changes to the way that your organisation processes and stores data and planning is key to ensuring that you are compliant when the rules come into force on 25 May Our brochure will guide you through the main changes that the GDPR will bring and will also provide you with 10 practical steps that can be taken as you prepare to become compliant with the new rules. Key date: The GDPR comes into effect on 25 May Tom Torkar Partner, Technology & Innovation tom.torkar@michelmores.com +44 (0)

6 Old vs new: The GDPR at a glance Expanded territorial reach Data Protection Act 1998 Applies to entities established in the UK. Non-UK data controllers (persons who determine the purposes for which and manner in which personal data are processed) not caught, unless equipment in UK used for processing. GDPR The GDPR is directly applicable to EU entities. Also applies to non-eu entities if they offer goods or services to individuals in the EU or if they monitor individuals behaviour insofar as the behaviour takes place within the EU. Role of the processor Applies to data controllers. The Act does not apply directly to data processors (those who process the data on behalf of the data controller). Data controllers are responsible for the actions of data processors. Covers both controllers and processors. Also, contracts with processors must now contain a much more extensive list of obligations. Reporting breaches Breach reporting is voluntary but recommended by the Information Commissioner s Office (ICO). Data breaches must be reported by the controller to the data protection authority (ICO in the UK) within 72 hours. Processors are obliged to report their breaches to controllers. Increased levels of fines Fines of up to 500,000. Fines of up to 20 million or 4% of global group turnover, whichever is higher. 6

7 Data Protection Officer Data Protection Act 1998 There is no obligation on organisations to appoint a designated individual who is responsible for data protection. GDPR Public bodies and organisations monitoring individuals or processing special kinds of data on a large scale will all have to appoint a Data Protection Officer. Accountability The Act included eight data protection principles. The data protection principles are broadly the same. New concept of accountability introduced which covers record keeping, impact assessments and consultation with supervisory authorities. Transparency and information notices Information must be given to the individual in relation to the processing of their data. Far more detailed information must be provided to the individual. Exactly what information needs to be provided depends on why the organisation is processing that data. Transfers outside of the EEA Transfers outside of the European Economic Area can only take place if there are certain security measures in place. Rules broadly the same, save that organisations are no longer able to self-assess. One of five formal measures for legitimising offshore data transfers must be used. Data subject rights The Act contained an extensive list of data subject rights, including a right to receive information and copies of personal data processed ( subject access requests ). Shorter timescales and additional rights, including a right to be forgotten and a right to data portability. 7

8 Fines and enforcement The fines that data protection authorities will be able to impose for breaches of the GDPR are significantly higher than before, rising from a maximum of 500,000 to 20 million or 4% of global group turnover (whichever is higher). The ICO can issue fines instead of, or in addition to, other measures. Since fines can be imposed even for procedural breaches of the GDPR, it is essential that businesses take action now to avoid potential infringements. The two tier system There are two tiers of fines which can apply depending on the particular infringement: 1. Fines of up to 10 million or 2% of global turnover, whichever is higher 2. Fines of up to 20 million or 4% of global turnover, whichever is higher How are fines decided? The GDPR now sets out various factors which will be taken into account when deciding the level of fines. These include: The nature of the infringement Intention or negligence of the infringement Previous infringements Categories of personal data affected Co-operation with the data protection authority What to do next 1. Review limitation of liability provisions in your current agreements. To what extent is your suppliers / processors liability limited or capped in agreements? 2. Engage with professional advisors that can support you in any dealings with the relevant data protection authorities. 8

9 Policy and procedures The GDPR introduces detailed rules on the policies and procedures that organisations must have in place. This means that your internal processes will need to be reviewed and, if necessary, redesigned. Controllers and processors will be required to keep detailed records of processing activities. There will no longer be a requirement to register processing activities with the supervisory authorities (the ICO in the UK). Instead, you will be required to put in place effective policies and procedures which focus on more high risk operations, or processing that involves new technologies. In particular controllers will be obliged to: 1. Conduct privacy impact assessments (PIA) for certain types of high risk processing 2. Consult with the relevant data protection authority (the ICO in the UK) if a PIA indicates a high risk Current legislation includes high level principles regarding the technical and organisational measures that must be adopted to safeguard and secure personal data. The GDPR goes a step further, and will require businesses to implement data protection by design (e.g. implementing technical and organisational measures to facilitate compliance) and by default (e.g. data minimisation). Where data needs to be disclosed between parties, pseudonymisation should be applied; this is a method of processing personal data so that it can no longer be attributed to a specific individual without the use of additional information. The pseudonymised data must be kept separate and secure. What to do next 1. Conduct a full audit of all data collected and all processing activities undertaken. The information collected will affect how your policies and procedures, technology changes and/or privacy impact assessments are updated. 2. Get in touch! Our dedicated Data Protection team offers a full range of GDPR support services to businesses, ranging from full data audits, through to policy and process design. 9

10 Transparency and consent Controllers will be required to consider how they engage with individuals. They must continue to provide transparent information about their processing activities to data subjects, however, the information provided will need to be more detailed than under previous regulations. Where a data subject s consent is relied on for processing, the consent will need to be freely given, specific, informed and unambiguous. Consent from data subjects must not be assumed from silence or inaction. Consents which are bundled with other written agreements or declarations should be avoided. Particular care should be taken where consent is being sought to process children s personal data. Where necessary the consent of a parent or guardian should be obtained. What to do next 1. Work with your advisors and amend existing privacy policies to ensure they meet the new transparency requirements. 2. Review consent mechanisms. Organisations should take detailed advice to ensure that, come 25 May 2018, they have appropriate consent mechanisms in place to ensure that they can continue processing the data they collect (e.g. for use in marketing databases). 10

11 The new role of Data Protection Officer The GDPR introduces an obligation on all businesses processing data on a large scale and public bodies to appoint a Data Protection Officer (DPO), whether they are controllers or processors. Even if not strictly obliged to do so, we would recommend that they appoint a person who has responsibility for data protection and privacy within an organisation. Allocating responsibility for data protection to one or more individuals can be a good way of improving overall compliance. From 25 May 2018, failure to appoint a DPO when required to do so can lead to a fine of up to 10 million or 2% of global group turnover (whichever is higher). It is clear from the GDPR that the DPO is not a minor role. The individual must be suitably qualified and an expert in data protection law. In addition, the organisation is obliged to ensure that the DPO is given the resources necessary to carry out the role. The DPO represents a senior position in an organisation. The DPO must be given the freedom to carry out the role independently and must report to the highest level of management. Michelmores can work with organisations and test potential candidates knowledge and expertise. We also provide bespoke DPO training and a legal support helpline to help DPOs in their new role. What to do next 1. Make senior stakeholders in your organisation aware of the potential need to appoint a DPO and ensure budgets and business plans allow for this. 2. Start looking at potential candidates to fulfil the role of DPO as soon as possible - there is likely to be a limited pool of suitable people available. 11

12 Data subjects rights One of the main ambitions of the European Commission when negotiating the GDPR was to enhance the rights of individuals. The GDPR sets out a range of rights of individuals including, under current legislation, a right to require information about personal data processed about them and access to such data. There is also a right to restrict certain processing and a right to object to data being used for direct marketing purposes. Under the GDPR, individuals can also ask to receive their data in a structured and commonly used format so that it can easily be transferred to another controller (this is referred to as the right to data portability ). Another new right that has received a lot of attention is the right to be forgotten. Individuals will be entitled to ask controllers to erase their personal data in certain circumstances (for example where they withdraw their consent to processing). It should be noted that the timescales for responses have been reduced to one month (previously the time limit was 40 calendar days). It will be necessary to deal with any exercise of data subjects rights promptly. A controller cannot reject a request because of the amount of time or effort that may be involved in dealing with it; although there may be a possibility of extending timescales for complex requests. What to do next 1. Ensure that processes and procedures are in place to enable you to process all possible data subjects rights efficiently. 2. Review database structures and software tools to establish whether they are adequate to enable an organisation to respond to data subjects requests. 3. Update your privacy policies in order to reflect the new rights granted to data subjects. 12

13 Data breach notification It will be mandatory for a controller to notify the relevant data protection authority (in the UK this is the ICO) within 72 hours of becoming aware of a data breach. Controllers must maintain internal records of all data breaches. In addition, processors must notify controllers of any data breach without undue delay. Controllers may be also obliged by the relevant data protection authority to notify the relevant data subjects of the breach. Failure to properly notify the data protection authority may result in a fine of up to 10 million or 2% of group worldwide turnover of the preceding financial year (whichever is higher). Where breaches occur, they should be dealt with promptly and with appropriate advice. Michelmores can provide a dedicated service and prompt support in the event of a breach. We will work with the controller to draft the breach notification form, reducing the risk of adverse findings being drawn due to incomplete forms. What to do next 1. Consider if internal procedures for notifying breaches (internally and externally) need to be revised. Personnel will need to be provided with appropriate training to ensure that breaches are notified to the appropriate person immediately. 2. Review insurance policies in light of increased obligations and potential fines. 3. Review and update contractual documents in order to put specific obligations on processors to proactively notify controllers of data breaches. 13

14 Your GDPR checklist: what to do next in 10 easy steps Review and document relevant policies for 1 GDPR compliance. This includes your privacy policy, privacy notices, data protection policy, data sharing policy and information security policy. Review and document the mechanisms that you 2 use to collect consent from data subjects. Ensure that the GDPR is on your Board 3 or management team s agenda and that sufficient resources and budget are allocated to GDPR compliance. Create a breach notification procedure 4 to ensure that appropriate breaches are identified, considered and notified to the ICO within 72 hours. 5Deliver GDPR training for your employees. This should be carried out before May Review your existing contracts and make any 6necessary amendments. 14

15 7Ensure that personal data is processed in easily accessible and searchable databases. Be aware that data subjects have enhanced rights under the GDPR! 8Appoint a Data Protection Officer if required or, if not required, appoint someone in the company to deal with data protection issues. 9Identify if you transfer personal data outside the UK and, if so, review these arrangements to ensure you are GDPR-compliant. 1 Schedule regular GDPR review meetings throughout 2017 and 2018 to ensure that you are on track with your GDPR compliance plan. 15

16 16

17 How we can help you Our dedicated Data Protection team offers a full range of GDPR support services, ranging from full data audits through to policy and process design. Our key services include, but are not limited to: 1 2 One-to-one GDPR readiness assessments: GDPR readiness audits: An initial visit from one of our specialist lawyers to assess your organisation s current data protection and privacy compliance arrangements, including a gap analysis to identify priority areas where action is required. A structured auditing service, providing support in relation to your own internal audits, through to conducting audits of existing policies, templates and procedures in order to assess maturity and compliance with the GDPR. 3 4 Privacy Impact Assessments: Data Protection Officer helpline: Assessment of privacy risk across new systems and projects. Support for Data Protection Officers in their new roles, providing access to our specialist lawyers and tailored advice to meet with the specific needs of your organisation. 5 6 Internal and external policy reviews: Data processing clauses and agreements: Review of internal data protection policies and procedures, external privacy policies, and fair processing statements and mechanisms. Includes guidance on updating documents for compliance with the GDPR and also internal training for staff. Review of current agreements and managing variations to data processing clauses in readiness for the GDPR. This can include producing a standard suite of data processing clauses and template agreements tailored to the needs of the controller. 17

18 Meet our Data Protection team: Tom Torkar, Partner +44 (0) Emily Timmins, Associate +44 (0) Andrew Oldland QC, Senior Partner +44 (0) Nathaniel Lane, Associate +44 (0) Sarah Chisholm-Batten, Partner +44 (0) Jayne Clemmens, Senior Associate +44 (0) Freya Lemon, Associate +44 (0) Justin Barrow, Solicitor +44 (0)

19

20 12 th Floor 6 New Street Square London, EC4A 3BF Broad Quay House Broad Quay Bristol, BS1 4DJ Woodwater House Pynes Hill Exeter, EX2 5WR Tel: +44 (0) Fax: +44 (0) Tel: +44 (0) Fax: +44 (0) Tel: +44 (0) Fax: +44 (0)