Understanding GDPR

Introduction

Welcome to an introduction to GDPR to enable you to understand the impact the change in Data Protection Laws will have on our business.

During this course we will cover:

  • An overview of the basic concepts.
  • An outline of main areas of change.
  • A review of data subject rights including subject access requests.
  • A summary of data breach reporting and enforcement.

What is the General Data Protection Regulation?

On 25 May 2018 the UK will see the biggest ever change to its Data Protection laws with the implementation of the EU General Data Protection Regulation which will replace the current Data Protection Act 1998.

When is the implementation date for the GDPR?

  • 25 May 2018
  • 1 September 2018
  • 4 March 2019

What do the current Data Protection laws look like?

All of the EU member states have taken different approaches to implementing Data Protection legislation, creating compliance difficulties for many businesses operating across the EU.

The General Data Protection Regulation will harmonise all of the EU’s Data Protection laws.

The European Commission has claimed that these changes will save businesses EUR2.3 billion a year.

True or False?

  • After the GDPR has taken effect, businesses will not have to look to other Member States’ data protection laws when transferring data within the EU.

Why is change needed?

The current Data Protection laws in the UK date back to an EU directive from 1995.

Since then, at a time when we were using Windows 95, there have been significant advances in information technology. For example:

  1. It wasn’t until 1996 that USB ports were invented – how easy it is now to insert a USB stick into a port and copy a mass of data?
  2. In 1997 we saw the introduction of Google followed by Facebook, YouTube and Twitter in the early noughties.
  3. In 2007 we saw the introduction of the iPhone – smart phones make copying, accessing and sharing data much easier. Since then we’ve seen tablets and wearable technology introduced making the access and sharing of data effortless.

With these technological advances came fundamental changes to the ways in which individuals and organisations communicate and share information.

The world in which we operate has changed

Not only have we seen vast improvements in technology since 1995 but the world in which we operate has changed.  For example:

  1. In 2017 we saw the massive cyber-attack on the NHS.
  2. Nearly 14 billion data records were stolen by hackers or lost during 2016.
  3. Businesses are now more than ever using cloud computing.
  4. A 2016 report identified that it currently takes 146 days on average to discover a cyber breach.

General Data Protection Regulation: overview

Many of the principles in the new legislation are much the same as those in the current Data Protection Act. But there are important new elements, and some things will need to be done differently.

What is personal data?

Before we can begin to talk about GDPR we need to look at some key concepts and definitions.

Personal Data: information that relates to an identifiable person. Examples:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  • Bank account details.
  • CCTV footage.
  • Photographs.
  • IP addresses.
  • Location data.

Which three of the following constitute personal data?

  • Name of a company
  • Postcode of customer
  • Job title
  • CCTV of an individual
  • Website
  • Bank account number of sole trader

What is sensitive personal data (now called special category data)?

The definition of Sensitive Personal Data under the GDPR explicitly includes:

  • genetic and biometric data;
  • data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation;
  • criminal convictions.

Mrs Smith orders balloons to be delivered to her sister’s house as her sister is recovering from a broken arm. The balloon shop writes this information down and then delivers a large bunch of balloons to Mrs Smith’s sister, which brightens up her day. Is this:

  • Personal Data
  • Sensitive personal data
  • Neither
  • Both

Key terms

Under the GDPR there are a number of key terms.

Data Subjects: individuals to whom data relates, e.g. employees, customers, consumers.

Data Controllers: organisations that collect Personal Data; they are responsible for, and must be able to demonstrate, compliance with the principles, e.g. employers, businesses, companies.

Data Processor: a person or body which processes Personal Data on behalf of a Data Controller, e.g. outsourced payroll, HMRC.

Which two of the following are data processors?

  • An employee working in HR who collects, stores and discloses data about other employees
  • HMRC, who receive details from an employer about its employees’ pay for tax purposes
  • An external occupational health company which is producing a report on an employee’s long-term sickness
  • A new starter who gives HR their next of kin details

What is processing?

Processing covers almost any verb you can use to describe doing something with data.

The obvious examples are collecting, copying, sharing, disclosing and using but it also includes acts such as storing, archiving, deleting, shredding and destroying.

Legal basis for processing

For processing to be lawful under the GDPR, you need to identify a legal basis before you can process Data.

There is a greater focus on the legal basis for processing under GDPR.

It is important that you determine your legal basis for processing Data and document this.

The legal bases available for processing Personal Data:

  • Consent of the Data Subject.
  • Processing is necessary for the performance of a contract with the Data Subject or to take steps to enter into a contract.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to protect the vital interests of a Data Subject or another person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
  • Necessary for the purposes of legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the Data Subject.

Processing is necessary for the performance of a contract with the Data Subject or to take steps to enter into a contract.

Where employers process employee data to fulfil fundamental contractual obligations they will be able to rely on the ground that processing is necessary for the performance of a contract.

Processing is necessary for compliance with a legal obligation.

For example, where employers process employee data for tax or reporting purposes they will be able to rely on the ground that processing is necessary to comply with a legal obligation.

Necessary for the purposes of legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the Data Subject.

For example, employers could assert that processing employee performance data is necessary to improve workforce performance, or that processing employee data during a workplace investigation is necessary to respond to an employment dispute.

However, under the GDPR Data Controllers will also need to state their specific legitimate interests in information notices and Data Subjects will have the right to object to the processing of their data.

If a Data Subject objects to processing based on legitimate interests, the Data Controller cannot process the Data unless it shows that its legitimate interests are sufficiently compelling to override the interests or rights of the Data Subject.

The problem with consent?

The giving of consent by a Data Subject is one of the gateways through which a Data Controller can establish a legal basis for processing Personal Data.

The GDPR sets out stricter and more detailed conditions for the use of consent, making it harder to obtain:

  • Consent must be freely given, specific, informed and unambiguous.
  • It will not be considered freely given if there is no genuine free choice. The onus is on the Data Controller to show that the Data Subject gave consent.
  • If consent is given by means of a written declaration, the request must be made in a manner that is clearly distinguishable from other aspects of the document.
  • A Data Subject has the right to withdraw consent at any time and must be told of this right by the Data Controller.
  • It must be as easy to withdraw consent as it is to give it.

In most cases, Data Controllers will need to move to one of the other legal grounds to process Data.

Old consent will only be valid under GDPR if it meets the GDPR requirements otherwise new consent will have to be secured.

You work in sales and want to generate more sales by contacting your existing database of people who purchased other items from you in your 2017 Summer Discount Sale.

There are two thousand potential customers and your year end is coming up, in which you need to meet your sales targets.

What do you prioritise before proceeding with the campaign?

  • Check that everyone who will be contacted has given their consent.
  • Make sure there are policies to remove people from the marketing list.
  • Make sure any deceased customers have been removed from the list.

The GDPR principles

Once a Data Controller has one or more of the legal bases to process data then it must comply with all of the following principles.

Data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  6. processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

There are also restrictions to transferring data outside the European Economic Area.

You are a UK-based business and are thinking of signing a contract with a Florida-based company to host your IT servers, as it’s cheaper than hosting in the UK.

The US company says that Florida’s data protection laws are strict.

The company has been hacked on three occasions, but its systems are constantly backed up so that information can never be deleted, so you are reassured that even if it were hacked again the information could always be retrieved.

Which three of the following data protection principles will most likely be impacted?

  • Fair and lawful
  • For a specific purpose
  • Adequate and necessary
  • Accurate, up to date
  • Not kept longer than needed
  • Take into account people's rights
  • Kept safe and secure
  • Not be transferred outside the EEA

Accountability

One of the biggest changes under the GDPR is the new principle of accountability; the GDPR requires Data Controllers to demonstrate compliance with the principles.

This manifests itself in enhanced obligations for Data Controllers, including a requirement to keep extensive internal records of data processing operations, which must be produced to the supervisory authority for inspection on request.

Data Controllers should create a data register to meet their record-keeping requirements. This should be an up-to-date written record containing information about all Personal Data processed by the organisation, including:

  • the purposes for which the data is processed;
  • a description of the categories of Data Subjects and the categories of Personal Data, including if the data is sensitive Personal Data;
  • the categories of recipients of the data;
  • any transfer of the data outside the European Economic Area;
  • the anticipated periods of storage for the different categories of data; and
  • the technical and organisational security measures used to safeguard the data.

What does the accountability principle mean?

  • A Data Subject has to demonstrate compliance with the GDPR principles.
  • A Data Controller has to demonstrate compliance with the GDPR principles.

Transparency

The transparency principle requires Data Controllers to provide significantly more information than at present.

This will include telling employees, clients and customers for example:

  • The source of the data (unless it originates from the Data Subject).
  • Who will receive Personal Data (or the categories of recipients).
  • The period for which data will be stored, or if that is not possible the criteria used to determine the period.
  • The existence of Data Subject rights.
  • The right to object to processing.
  • The right to withdraw consent.
  • The right to complain to the regulator.
  • The legal basis for the transfer of the data to a non-EU third country.

Data Subject Access Rights

The Data Subject access right (SAR) is broadly similar to the right under the existing rules.

However, the Data Controller will be required to provide the following information in addition to the information that it currently needs to provide:

  • The envisaged period of storage.
  • Details of the "delete it, freeze it, correct it" rights.
  • The safeguards applied on a third country transfer of data.

The transparency principle means that when responding to a SAR Data Controllers will also need to explain how they have approached the request.

The current default period for compliance of 40 days will be replaced with an obligation to comply without undue delay and within one month.

The £10 fee applicable to requests under the Data Protection Act 1998 will be abolished.

However, where a request is "manifestly unfounded or excessive" the Data Controller may either charge a "reasonable" fee, taking into account administrative costs, or may refuse to act on the request altogether.

New Data Subject Rights

In addition to the Data Subject Access Right, there is a package of rights that may be summarised as "delete it, freeze it, correct it".

The right of erasure may be exercised where any of the following apply:

  • The processing of data is no longer necessary in relation to the purposes for which it was collected or processed.
  • Data has been unlawfully processed.
  • The Data Subject objects and the Data Controller cannot show "overriding legitimate grounds" for continuing in circumstances where the processing is based on the "legitimate interest" condition.

The right to restriction of processing (freezing) arises where:

  • Processing is unlawful.
  • Data accuracy is contested by a Data Subject.
  • A Data Subject has objected to processing based on the "legitimate interest" condition pending a decision as to whether or not the Data Controller has compelling legitimate grounds which override the rights of the Data Subject.

The right to rectification arises where data is inaccurate or incomplete.

Personal Data Breaches

A Personal Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of Data.

People make mistakes; they leave laptops on trains, send emails to the wrong person, cc instead of bcc people in emails and are careless with passwords. These are all Personal Data breaches.

As well as human error, cyber theft and hacking are also major concerns for information security today.

Examples of data breaches:

  • A GP practice that revealed confidential details about a woman and her family to her estranged ex-partner was fined £40,000.
  • StaySure travel insurance provider was fined £175,000 after 110,000 customers' credit card details were stolen in a cyber-attack.
  • Dyfed-Powys Police Force was fined £150,000 after an email containing information that could be used to identify eight sex offenders was mistakenly sent to a member of the public.

Data breach reporting

Data Controllers discovering a Personal Data breach must notify the regulator (Information Commissioner's Office) promptly and within 72 hours, if feasible.

If the notification is not made within this time, the Data Controller must provide a "reasoned justification" explaining the delay.

The notification requirement does not apply if the breach is unlikely to result in a risk to Data Subjects (for example, because all data on a laptop was encrypted).

If there is a high risk to a Data Subject, he or she must also be told by the Data Controller.

Records must be kept of all data breaches and action taken, including those in respect of which there was no obligation to notify the regulator.

It is very important that if you become aware of data breaches in the organisation you tell us as a matter of urgency so that we can comply with our breach reporting requirements.

Complete the information below, deleting where appropriate and filling in the missing words:

You are responsible for data protection in your business. An employee, Jack Frost, has told you that they have lost a USB stick and, tracing their steps back, it must be on the train that they caught home that evening. The USB stick is unencrypted and contains: information about changes that Jack Frost intends to make to the company website; a copy of an email from John Smith, sent from his work email address, stating that he would like to meet with Jack Frost about the website; and Jane Doe’s return to work form, as Jack Frost is her line manager and was going to discuss the return to work information with HR.

I must report the breach about ______ to the ______ within ______ hours. I do not need to report the breach of personal data about ______ because there is not a high risk to the data subject. I will also need to report internally about ______. I do not need to report the breach about ______ because it does not contain personal or sensitive personal data.

Enforcement

The rules in the GDPR are underpinned by a tougher penalty regime.

The fines are:

  • Up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, Data Processor contracts, data security and breach notification, Data Protection Officers, and data protection by design and default.
  • Up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, Data Subjects rights and international data transfers.

The investigative powers of the regulator include a power to carry out audits, as well as to require information to be provided, and to obtain access to premises.

If staff commit any intentional data breaches there could be criminal consequences.

Conclusion

We hope that having completed this course you are now aware of the following:

  • That before doing anything with data you need to think about what the legal basis is for your proposed action.
  • Usually this will be performance of a contract, legal obligation or legitimate interests.
  • If you are relying on consent then the data subject has the right to withdraw their consent.
  • When processing data you must comply with all of the principles.
  • This means data needs to be kept secure and for no longer than is necessary.
  • That information about colleagues, customers and clients is disclosable if they were to make a Data Access Request.
  • If you receive a request to access, freeze or erase data you should report it internally straight away.
  • If you commit a data breach or become aware one has been committed then it should be reported internally as a matter of urgency.