General Data Protection Regulation (GDPR)

1. Background

The GDPR will apply in the UK from 25 May 2018 and when it comes into force will replace all the data protection legislation including the UK's Data Protection Act of 1998. The government has confirmed that the UK's decision to leave the EU will not affect the implementation of the GDPR. The text has now been finalised and the Information Commissioner's Office (ICO) is providing guidance to firms throughout 2017 to enable them to comply from May 2018. Much of the current DPA regulation will remain; however, the GDPR enhances some of the existing regulation and brings in new requirements. These are set out in the sections below.

2. Data Controllers and Data Processors

The GDPR applies to controllers and processors. The definitions are broadly the same as under the DPA, i.e. the controller says how and why personal data is processed and the processor acts on the controller's behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

3. Principles

The data protection principles, as set out in the DPA, remain but they have been condensed into six as opposed to eight principles.
Article 5 of the GDPR states that personal data must be:

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6. Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Firms will need to review data retention processes, including for electronic data. The ICO has yet to provide full guidance on retention of data records. Once full guidance has been provided, firms will need to review online data retention. Changes may be needed so that, once data is no longer required for its purpose, only base data which cannot be used to identify a customer is retained.

Consent

Like the DPA, the GDPR will require data controllers to have a legitimate reason (a lawful basis) for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. Consent can be given by a written (including electronic) or oral statement. This could include the data subject ticking a box when visiting a website, choosing technical settings for social network accounts or any other statement or conduct which clearly indicates their acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity will no longer constitute consent.

There will need to be a change regarding marketing preferences. Marketing preferences will need to be opt-in boxes rather than opt-out, and it is likely they will need to be separate for email, social media, post, phone and text.
Children

The preamble to the GDPR states: "Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child."

Article 8 requires that where the personal data of a child under 16 is being processed on the basis of consent to provide information society services (for example, online businesses, social networking sites, etc.), consent must be obtained from the holder of parental responsibility for the child. Member states are allowed to lower this threshold where appropriate but not below the age of 13, which the UK is likely to do. Firms need to review whether this applies to them.
4. Data subjects' rights

The list of rights that a data subject can exercise has been widened by Chapter III of the GDPR. The GDPR provides the following rights for individuals:

1. The right to be informed;
2. The right of access;
3. The right to rectification;
4. The right to erasure;
5. The right to restrict processing;
6. The right to data portability;
7. The right to object;
8. Rights in relation to automated decision making and profiling.

The subject access right, rectification and being able to object to direct marketing remain. The right to have processing of personal data restricted and the right to transfer data, or have it transferred, to another data controller (data portability) are new rights.

In addition, Article 17 introduces a right to erasure (the "right to be forgotten"), which means data subjects will be able to request that their personal data is erased by the data controller and no longer processed. This applies where the data is no longer necessary in relation to the purposes for which it was processed, where data subjects have withdrawn their consent, where they object to the processing of their data or where the processing does not comply with the GDPR. However, further retention of such data will be lawful in some cases, for example where it is necessary for compliance with a legal obligation, for reasons of public interest in the area of public health or for the establishment, exercise or defence of legal claims.

To strengthen the right to be forgotten online, the GDPR requires that a data controller who has made the personal data public should inform other data controllers which are processing the data to erase any links to, or copies or replications of, that data. Firms will need to review processes to ensure that they are able to delete data where the customer requests it and meet the requirement where data has been shared or made public.

5. Accountability and Governance

The GDPR includes provisions that promote accountability and governance. These complement the GDPR's transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR's emphasis elevates their significance.
You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.

Accountability Principle

The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Firms must:

- Implement appropriate technical and organisational measures that ensure and demonstrate that they comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include: data minimisation; pseudonymisation; transparency; allowing individuals to monitor processing; and creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.

Records of processing activities (documentation)

As well as your obligation to provide comprehensive, clear and transparent privacy information, if your organisation has 250 or more employees you must maintain additional internal records of your processing activities. If your organisation has fewer than 250 employees, you are still required to maintain records of activities related to higher-risk processing, such as:

- processing personal data that could result in a risk to the rights and freedoms of individuals;
- processing that is not occasional; or
- processing of special categories of data or data relating to criminal convictions and offences.
Records that need to be kept

You must maintain internal records of processing activities. You must record the following information; there are some similarities with the registrable particulars under the DPA which must be notified to the ICO.

- Name and details of your organisation (and, where applicable, of other controllers, your representative and data protection officer);
- Purposes of the processing;
- Description of the categories of individuals and categories of personal data;
- Categories of recipients of personal data;
- Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
- Retention schedules;
- Description of technical and organisational security measures.

You may be required to make these records available to the relevant supervisory authority for the purposes of an investigation.

Data protection by design

Organisations will be expected to include data protection controls at the design stage of new projects involving the processing of personal data. Where they wish to process personal data that poses potentially high risks to individuals, they will have to carry out a data protection impact assessment prior to the processing. Data protection impact assessments (DPIAs), also known as privacy impact assessments or PIAs, are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. While not a legal requirement under the DPA, the ICO has promoted the use of DPIAs as an integral part of taking a privacy by design approach.

Data protection officer

Section 4 of Chapter IV of the regulation (Articles 37 to 39) introduces a statutory role of data protection officer (DPO). Appointing a DPO is mandatory for public authorities and for any controller or processor whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal conviction data; other organisations handling personal data may still choose to appoint one. The DPO has a key role in ensuring compliance with the GDPR. A group of undertakings may appoint a single DPO provided that s/he is easily accessible from each establishment. Public bodies may also have a single DPO for several such authorities or bodies, taking account of their organisational structure and size. The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. These are:
- to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the GDPR;
- to monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to co-operate with the supervisory authority (the ICO); and
- to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Codes of conduct and certification mechanisms

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply. The specific needs of micro, small and medium-sized enterprises must be taken into account. Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.

Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:

- improve transparency and accountability, enabling individuals to distinguish the organisations that meet the requirements of the law and that they can trust with their personal data;
- provide mitigation against enforcement action; and
- improve standards by establishing best practice.

When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms. Review current processes to ensure that they meet GDPR requirements.

6. Security breaches

Under the current DPA, even in the most serious data breaches, there is no requirement to inform the ICO. Article 33 of the GDPR requires that, as soon as the organisation becomes aware that a personal data breach has occurred, it should, without undue delay and, where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the ICO, unless the organisation is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification to the ICO, and information may be provided in phases without undue further delay. A processor that becomes aware of a breach must notify the controller without undue delay, and every breach, whether or not it is notified to the ICO, must be documented internally (its facts, effects and the remedial action taken) so that the ICO can verify compliance.
Furthermore, data subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms, to allow them to take the necessary precautions (Article 34). This notification should describe the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects. This should be done as soon as reasonably feasible, in close cooperation with the ICO and respecting guidance provided by it or other relevant authorities (for example, law enforcement authorities).

Firms will need to review current data breach processes to assess when a notification to the ICO is required. There will need to be a process in place to make the notification within the 72-hour deadline.

7. Transfers of Data

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

8. Fines

Currently, the ICO can issue a monetary penalty notice of up to £500,000 for serious breaches of the DPA. The GDPR introduces much higher fines. For some breaches of the GDPR, organisations can receive a fine of up to €20m or, for undertakings, 4% of global annual turnover for the preceding financial year, whichever is higher. For other breaches (for example, failing to keep records or to comply with security obligations) the fine can be up to €10m or, for undertakings, 2% of global annual turnover, whichever is higher.

Brank Ltd provides general insurance FCA compliance consultancy, support services, general management consultancy and project management. For FCA work all advice given is based upon our current understanding of the regulations and the regulator's normal practice as at the date of any report or recommendations. As regulation is a dynamic process, any advice given must be reviewed from time to time to ensure that it remains appropriate and up to date. Current hot topics include evaluation of Conduct Risk, implementation of the Insurance Distribution Directive and effective complaints management.

Please contact us to discuss your own individual needs.