Getting ready for next year’s Data Protection law changes
From 25 May 2018 a new General Data Protection Regulation (“the GDPR”) will change the way you must deal with personal data such as HR records and customer lists. Whilst there should be little difference to practice there are some important changes that it is essential to be aware of. These are summarised below.
Who’s who in data protection?
• A data subject: Is someone whose data is processed.
• A data controller; Is the organisation/ person who determines the purposes for which and the manner in which any personal data is/is to be, processed. Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.
• Data processor: Means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
What will change in May 2018?
1. Definition of ‘personal data’: This is expanded to include online identifiers such as location data and cookies, reflecting how technology has changed the way organisations collect information about people.
2. Data subject’s consent:
a. Unambiguous consent: The GDPR standard for consent is higher than that in the current Data Protection Act, which only refers to “signifying” consent. A data subject’s agreement to processing personal data will have to be unambiguous - a statement of agreement or a clear affirmative action. *Make sure that all your systems for collecting data have unambiguous provisions for consent: *
i. Verbal consent (best to have documentary evidence of this); or
ii. Written consent; or
iii. Ticking a box on a web page; or
iv. Choosing technical settings in an app; or
v. Any other statement/conduct that clearly indicates (in this context) the data subject's acceptance of the proposed processing of personal data.
b. Silence is not consent: Pre-ticked boxes, inactivity, failure to opt-out or passive acquiescence will not constitute valid consent.
c. Freely given consent: Consent will not be valid if the data subject does not have a genuine and free choice, or cannot refuse or withdraw consent without detriment. Freely given is not defined in the GDPR, however:-
i. Where there is a "clear imbalance" between the controller and the data subject (e.g., between an employer and an employee) if there was any dispute consent would be presumed not to have been freely given.
ii. If the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract, consent will not have been freely given.
d. Informed consent: The nature of the processing should be explained in clear and plain language and should not contain unfair terms. The data subject should be made aware who is collecting their data and the purposes for which it will be processed.
e. Right to withdraw consent: The GDPR introduces a right to withdraw consent to data processing. The data subject must be informed of the right to withdraw consent before they give any consent to data processing. It must be as easy to withdraw consent as to give it and you should make sure that you record and comply with any withdrawal of consent by individuals. This does not affect the lawfulness of processing based on consent before its withdrawal.
3. Data subject’s access requests:
a. In most circumstances the Data Processor can no longer charge to provide data.
b. The 40 day period for providing data is reduced to one month.
c. Individuals have the right to obtain:
i. Confirmation that their data is being processed;
ii. Access to their personal data; and
iii. Other supplementary information.
d. Data processors can refuse to provide data and/or can make a charge if a request is excessive or manifestly unfounded. They must tell the individual why and that they have a legal right to appeal this, within one month of the request being made.
4. Data subject’s right to be forgotten:
a. Data subjects have a new right to erasure of personal data (the "right to be forgotten"). This is not entirely new but currently this exists only when processing can cause substantial damage or distress, the GDPR extends this to:
i. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
ii. When the individual withdraws consent.
iii. When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
iv. If the personal data was unlawfully processed.
b. You can refuse to deal with a request to be forgotten, where data has been processed:
i. To exercise the right of freedom of expression and information;
ii. To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
iii. For public health purposes in the public interest;
iv. For archiving purposes in the public interest, scientific research historical research or statistical purposes; or
v. For the exercise or defence of legal claims.
c. If you process the personal data of children, you should pay special attention where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.
d. If you have disclosed the personal data being erased to third parties, you must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
e. If you process personal information online, for example on social networks, forums or websites you should inform other organisations who process the personal data to erase links to, copies or replication of “forgotten” personal data.
5. Accountability: After May 2018 you will no longer be required to have annual registration with the ICO, however, you will need to keep new internal records of processing:
a. Name and details of your organisation.
b. Purposes of the processing.
c. Description of the categories of individuals and categories of personal data.
d. Categories of recipients of personal data.
e. Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
f. Retention schedules.
g. Description of technical and organisational security measures.