Introduction
The UK’s Data Protection Act 1998 (DPA) was in force for nearly 20 years and was developed to enforce EU Directive 95/46EC (The Data Protection Directive), which set the requirements on the protection of individuals regarding the processing of personal data across the European Union (EU). The Directive required each member state to transpose the guidelines into local law (hence the DPA); however, a lot can change in two decades; necessitating a new regulation to meet the demands of the current digital age.
The EU General Data Protection Regulation (“GDPR”) came into force across the EU on 25th May 2018, bringing with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The GDPR aims to standardise data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.
The GDPR is separated into 99 Articles that each relate to a different area of the Regulation; however, it also contains 173 Recitals that must be read in conjunction with the main Regulation, as these provide additional context and guidance in many areas. The Regulation is available in an easy to use format at https://gdpr-info.eu which offers the complete GDPR in easy to browse sections.
UK’s Data Protection Act 2018
Whilst the GDPR is an EU Regulation that applies directly to Member States, as opposed to a Directive that requires transposing into local law, it also contains certain Articles that allow each Member State to define specific conditions and derogations (e.g. when special category data can be processed). As such, each Member State can develop its own data protection legislation to expand upon the GDPR in these areas. The UK has therefore enacted the Data Protection Act 2018, which serves multiple purposes: –
- To enact the GDPR into UK law – the Regulation being referred to word for word in most cases
- In preparation for Brexit, when the UK will no longer be an EU Member State (the government intends to incorporate the GDPR into UK law after the transition period)
- To implement the GDPR derogations (exemptions) and limited special provisions that Member States can apply in their country
- To provide legislation for data processing that falls outside the scope of the GDPR (e.g. Law Enforcement Directive, National Security, Intelligence Services etc.)
- To replace and supersede the Data Protection Act (1998)
Territorial Scope
Article 3 of the GDPR sets out the territorial scope of the Regulation, which is one of the biggest changes to the current data protection laws. Jurisdiction and territorial scope in the current Data Protection Act are somewhat ambiguous; however, the GDPR makes it clear that the Regulation applies to: –
- Processing carried out by organisations operating within the EU, regardless of whether the processing takes place in the EU or not
- The processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law
- The processing of personal data of individuals who are in the EU by a controller or processor not established in the Union, where the processing activities are related to: –
  - the offering of goods or services to individuals in the EU, irrespective of whether a payment is required
  - the monitoring of data subjects’ behaviour as far as their behaviour takes place within the EU
Recital 14 advises that “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
Definitions of Personal and Special Category Data
The definitions of personal data and sensitive data (known under the GDPR as special category data) are similar to the existing DPA, with a couple of differences. The GDPR defines “personal data” as: –
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data under the GDPR now includes genetic and location data, with Recitals referencing online identifiers provided by an individual’s devices, applications or tools (e.g. internet protocol addresses and cookie identifiers) and genetic data resulting from the analysis of biological samples (e.g. chromosomal, DNA or RNA analysis). This more expansive definition allows for technology and digital mediums to be considered when defining and protecting personal data.
In relation to the ‘Special categories of Personal Data’ the GDPR advises that: –
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.
Special category data under the GDPR includes: –
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data or biometric data for uniquely identifying an individual
- Health data (including mental health)
- Data relating to sex life or sexual orientation
How Does the GDPR Affect You as an Employee?
Many organisations already have an existing data protection program in place which complies with the existing data protection laws and specifies how to handle, process and store personal data. However, whilst some of the current requirements remain the same, the GDPR also brings many new regulations that need to be reviewed, understood and implemented, by both organisations and their employees.
If the organisation you work at (or on behalf of) processes personal data, you have a duty of care to understand how the GDPR applies to your company, your job role and those individuals whose data you are processing. Similar to the current DPA, the GDPR contains ‘Data Protection Principles’ that set out the main responsibilities for organisations and are the cornerstone of the Regulation.
Article 5 of the GDPR requires that personal data shall be: –
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
There is also a separate ‘principle’ in the GDPR under Article 5(2) that states ‘the controller shall be responsible for, and be able to demonstrate, compliance with the GDPR principles’ (‘accountability’) and expects firms to show how they comply with the principles.
The main difference between the DPA and GDPR is that the latter does not have specific principles relating to overseas transfers or to processing in line with data subject rights; however, this is because these areas have entire sections dedicated to them in the Regulation, reflecting their additional importance and the extra obligations placed on organisations.
What is Your Legal Basis for Processing?
The GDPR specifies 6 legal bases under which personal data can be processed. Each organisation must assess, identify and record which basis they are using for each processing activity. For example, you have rights as an individual whose personal data is being processed in the course of being an employee. Your employer will be processing this information under the ‘legal obligation’ basis, as HMRC and employment law require that your information is obtained and processed.
Article 6 lists each legal basis as: –
a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c. processing is necessary for compliance with a legal obligation to which the controller is subject
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (this basis does not apply to processing carried out by public authorities in the performance of their tasks)
Data Subject Rights
Data subject rights are not a new requirement and have been in force under the current DPA for many years. Aspects such as individuals being allowed to access their personal data (access request), or having incorrect information rectified, are already existing data protection rules.
However, the GDPR brings with it stronger rights for individuals where their personal data is concerned. The Data Subject Rights under the GDPR are: –
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights on automated decision making (including profiling)
Timeframes for responding to requests made under the above rights are now limited to 30 days (with some exceptions to extend by a further 2 months under set conditions) and fees that used to apply under the DPA, such as charging a £10 admin fee for subject access requests, have now been removed.
It is mandatory under the GDPR to provide individuals with a Privacy Notice at the point their personal data is obtained (or within a specified timeframe if it is not collected directly from them), and the notice must contain a set of mandatory information disclosures.
Where data is collected from the data subject, the controller must provide in a Privacy Notice: –
- The identity and the contact details of the controller (and, if applicable, their representative)
- Contact details of the DPO (if applicable)
- Purposes of the intended processing and the legal basis
- If processing is based on the legitimate interests condition, what those interests are
- The recipients or categories of recipients of the personal data
- Where applicable, notice of data transfer to a third country or international organisation, with the existence or absence of an Adequacy Decision or the suitable safeguards (and access to copies of them)
- The storage period of the data (or the criteria used to determine that period)
- Notice of the individual’s rights (including to request access, rectification or erasure of personal data, restriction of processing or to object to processing, and the right to data portability)
- If the legal basis for processing is consent, notice of the individual’s right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- The right to lodge a complaint with a Supervisory Authority
- Whether the provision of personal data is a statutory or contractual requirement (or necessary to enter into a contract), and whether the individual is obliged to provide the personal data (plus the consequences of failing to do so)
- The existence of automated decision-making (including profiling), and meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject
Technical and Organisational Measures
The GDPR puts a lot of emphasis on the privacy and security of individuals and their personal information and expects firms to take every reasonable measure to protect the personal data that they process. These measures are referred to in the Regulation as ‘technical and organisational measures’ and, although each company will have its own measures and protocols for securing data, there are some generic measures that everyone should take, including: –
- Keep passwords secure, change them regularly and never share them
- Lock your screen and/or log off your computer when away from your desk
- Dispose of confidential paper securely by shredding or using secure waste bins
- Never open unknown email attachments or download internet files
- Keep your desk clear and lock away confidential material when away from desk/office
- Keep any ID tag or access cards on you at all times and report them immediately if lost/stolen
- Ensure visitors sign in and out of the building and are accompanied at all times
- Keep restricted areas locked and/or use biometric access
- Ensure confidential information is not visible through windows or doors (e.g. computer screens, paper trays, note pads etc.)
- Encrypt any information that is taken off site
- Use firewalls, anti-virus and anti-malware software on all networks and devices
The Information Commissioner’s Office (ICO) & Penalties
The Information Commissioner’s Office (ICO) will remain the oversight and enforcement body for the GDPR and the new UK data protection laws. In the GDPR, each Member State’s oversight body is referred to as the Supervisory Authority.
The ICO’s mission statement is “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” and it can issue enforcement notices and fines for breaches of any of the Regulations, Acts and/or Laws it regulates.
One of the most discussed areas of the GDPR is the increased fines and sanctions that are now available to Supervisory Authorities. There has been a significant increase in fines under the GDPR and, whilst these will only apply in cases of severe breaches or non-compliance, they are a stark reminder of how important data protection is.
Breaches of the obligations of the controller, the processor, the certification body and the monitoring body are subject to administrative fines up to €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Administrative fines up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) are applicable to breaches of: –
- the basic principles for processing
- conditions for consent
- the data subjects’ rights
- the transfers of personal data to a third country/international organisation
- non-compliance with an order by the Supervisory Authority
How Has Your Organisation Prepared for the GDPR?
**[This section is unique to your company and should be customised with what information you feel is important to tell your employees and those working with you. We have added some generic material below, but what data you process, what steps you are taking and what you require your employees to do will vary from company to company.]**
Every organisation differs in how it has prepared for the GDPR and data protection changes because there are so many variables involved, such as what type of data it is processing, its size and scope, and whether it already complies with existing data protection laws. Some standard measures that organisations across the UK have taken include: –
- Completing information audits and GDPR checklists to identify and analyse gaps
- Developing/updating policies and procedures for key data protection areas, including: –
  - Data retention
  - Data breaches
  - Data erasure and rectification
  - Subject access requests
  - Consent processes and withdrawing consent
  - Data minimisation (pseudonymisation and encryption)
  - Reporting and notifications
- Educating/training all employees about the requirements of the GDPR and the impacts of non-compliance
- Reviewing/revising Privacy Notices and information disclosures
- Identifying key stakeholders to support the data protection compliance program
- Allocating responsibility for data protection compliance to a DPO or designated person, ensuring they have sufficient access, support and resources to perform the role
- Identifying, creating and disseminating the reporting lines within the data protection governance structure
Not all organisations are required to appoint a Data Protection Officer (DPO), but even those for whom it is not mandatory are considering such an appointment, or at least a data protection lead, to aid GDPR preparation and ongoing compliance.
Both controllers and processors are obligated to designate a DPO where: –
- The processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- The controller/processor’s core activities involve processing that (due to their nature, scope and/or purposes), require regular and systematic monitoring of data subjects on a large scale
- The controller/processor’s core activities involve processing on a large scale of special categories of data and personal data relating to criminal convictions and offences