GDPR: a legal overview
Andrew Gilchrist and Noirin McFadden, K&L Gates LLP
Copyright 2017 by K&L Gates LLP. All rights reserved.
Background to reform
WHY WAS REFORM REQUIRED?
We've had data protection laws in the UK for 20 years: the Data Protection Act 1998 implemented European Directive 95/46/EC into UK law.
- Need for harmonisation: various EU member states have taken divergent approaches to implementing the Data Protection Directive, creating compliance difficulties for many businesses.
- Disproportionate penalties: maximum fines of £500,000 for the most serious breaches. High-profile enforcements: TalkTalk / Sony.
- Technological change: significant advances in information technology, and fundamental changes to the ways in which individuals and organisations communicate and share information.
klgates.com 3
BACKGROUND TO REFORM
Key dates:
- Directive 95/46/EC issued: October 1995
- Reform proposed by European Commission: January 2012
- Legislative hell: January 2012 to December 2015
- Text of GDPR agreed: 15 December 2015
- Text of GDPR adopted: 14 April 2016
- Text of GDPR published: 4 May 2016
- GDPR enters into force: 24 May 2018
- GDPR applies from: 25 May 2018
EFFECT OF REFORM
Evolution, not revolution.
Data Protection Act 1998:
- Harmonised principles (different implementations).
- Global companies potentially subject to multiple enforcement.
- Fines limited to £500,000.
GDPR retains a lot of the same concepts:
- Same basic data protection principles.
- Same basic approach to categorisation of controllers and processors.
- Same basic compliance mechanisms for transfer outside of the EEA.
GDPR:
- Full harmonisation (but perhaps not)*.
- Mandatory breach reporting.
- One stop shop mechanism.
- Increased enforcement powers (up to 4% of annual global turnover).
- Increased accountability for businesses: increased record keeping.
- New and enhanced subject rights: data portability, right to be forgotten etc.
*Not entirely harmonised: Member States can set additional (more specific) rules for processing personal data in certain circumstances.
BREXIT WON'T SAVE US!
On 25 May 2018 (the date from which the GDPR applies) the UK will still be a member of the EU.
On 21 June 2017 the UK Government revealed that it will be passing legislation to bring the GDPR into UK law. Apart from various administrative changes, the UK law will be an exact equivalent of the GDPR.
Brexit may affect how data protection laws are enforced: how will the one stop shop model work when the UK is no longer a member of the EU?
Upcoming changes under the GDPR
PERSONAL DATA
What is personal data? The definition of personal data has been updated to reflect new technologies and adds new identifying types of data, e.g. location data and online identifiers. Pseudonymised data is still considered personal data.
Sensitive personal data: the same basic categories apply, extended to genetic and biometric data. Requires more safeguards. As in the DPA, includes personal details such as ethnicity and details of an individual's health, e.g. information on allergies.
Children's data: special rules surrounding the control and processing of data relating to children are now more specific, e.g. all individuals under 13 classified as children.
WHO DOES IT IMPACT?
The DPA places data processing obligations on organisations established within the UK who process personal data in the context of that establishment (regardless of whether data subjects are based in the UK).
The GDPR places data processing obligations on:
- organisations that are established within the European Union where personal data is processed in the context of that establishment (where the business is based); OR
- organisations that offer goods/services (paid or free) to individuals located within the European Union; OR
- organisations that monitor individuals whose behaviour takes place within the European Union (where the data subjects are based).
The GDPR therefore has extra-territorial effect.
MORE RIGHTS FOR INDIVIDUALS
Organisations need to be aware that the GDPR grants further rights to individuals in relation to their personal data.
Key rights that exist under the DPA:
- Right to be informed.
- Right of access (within 1 month).
- Right of rectification of their personal data.
Rights that exist under case law / rights introduced under the GDPR:
- Right of erasure (also known as the right to be forgotten): ensure all data is tracked to enable deletion if necessary.
- Right to restrict processing.
- Right to data portability, i.e. the right to request that the personal data be transferred, free of charge, to another tour operator.
- Right to object to processing.
- Right not to be subject to automated decision-making, i.e. profiling.
INCREASED ACCOUNTABILITY PART 1
Accountability principle: organisations are now required to provide evidence of compliance.
- Data protection compliance has to be managed as a risk.
- Actions will need to be documented so that a data controller can prove what has been done. Must evidence policies / good data governance.
- Increased record keeping: records of processing.
- Increased transparency: revised privacy notices.
- Burden of proof to demonstrate consent was obtained. May need consent for different purposes.
INCREASED ACCOUNTABILITY PART 2
- Mandatory Data Protection Impact Assessments.
- Processors now directly liable to comply with certain requirements (i.e. data security).
- Privacy by design and default.
- Written contracts must be entered into to cover third-party processing.
- Requirement to appoint a data protection officer (mandatory in some instances).
- Fines of up to €20 million or 4% of global turnover (whichever is higher).
- One stop shop enforcement / consistency mechanism.
Practical steps for a legal compliance program
TYPICAL STAGES OF A LEGAL COMPLIANCE PROGRAM
Akin to undertaking a global health and safety assessment, but for your data. It is not just about lawyers drafting contracts that can protect you; there must be business-wide engagement.
- Phase 1: Due diligence (audit / questionnaires)
- Phase 2: Gap analysis
- Phase 3: Plugging the gaps
- Phase 4: Implementation and ongoing training
STAGE 1: DUE DILIGENCE
Organisation-wide audit:
- What personal data does the organisation hold? What are the origins of the personal data held? Were the appropriate consents obtained?
- What does the organisation do with the personal data? How does it process data internally? Does the tour operator use it for marketing purposes?
- Who does the organisation share the personal data with? For what purposes? Is it passed on to local tour operators? Airlines? Where are these organisations based? On what terms is the data shared?
Document audit information in the record of processing. Always ensure there is a paper trail.
STAGES 2/3: GAP ANALYSIS AND PLUGGING THE GAPS
Prepare policies: What do you have already? What is missing? How are the policies acknowledged / enforced? Are they fit for purpose? Is there an appropriate governance structure in place to provide sufficient oversight?
Revise privacy policies: Do they reflect reality? Do they contain the enhanced information rights contained in the GDPR (e.g. legal basis of processing, data retention periods)? You can only do this when you know what data you process and why!
Revise data processing contracts: Work out where your data goes. Are written contracts in place? Do those contracts contain the minimum provisions required under the GDPR? Do they contain breach notification provisions?
STAGE 4: IMPLEMENTATION / ONGOING TRAINING
- Implement policies / introduce risk management and governance structures. This might involve process and systems change: new systems to deal with portability, the right to be forgotten, subject access requests, consent etc.
- Privacy by design and default when creating / procuring new products, services or systems.
- Carry out Privacy Impact Assessments when establishing new practices / employing new technology.
- Consider appointing a Data Protection Officer, even if not required under statute, who can offer training and guidance.
- Security audits: engage a cybersecurity consultant?
- Staff training and updates!
WHY COMPLIANCE IS CRUCIAL
- Increased fines: up to €20 million or 4% of global turnover (whichever is higher).
- Individual claims: individuals can now claim for non-material damage against both processors and controllers (who are jointly and severally liable).
- Changing enforcement model: one stop shop principle, with the lead supervisory authority being that of the main establishment, i.e. your European HQ. More harmonised enforcement? But other supervisory authorities can object to a decision through the built-in consistency mechanism.
Neil Baylis
K&L Gates LLP
One New Change
London EC4M 9AF
Phone: +44 (0)20 7360 8140
Fax: +44 (0)20 7806 0675
neil.baylis@klgates.com
www.klgates.com