General Data Protection Regulation
The EU General Data Protection Regulation (“GDPR”) is set to significantly revamp current data protection laws and is due to take effect in all Member States from 25th May 2018. Its implementation will precede the UK’s exit from the EU; therefore, regardless of Brexit negotiations, there will be a period of time during which GDPR applies in the UK, and it is likely that following Brexit, UK law will more or less mirror GDPR going forward.
Much has already been written about the effect GDPR will have on UK data practices. Here, however, we look at the impact GDPR will have from a public authority/body perspective and what such organisations should be doing to get GDPR ready.
‘Public Authorities’ / ‘Public Bodies’
GDPR includes terms and obligations that apply specifically to public authorities and public bodies; unhelpfully, it does not define their scope. It is likely these terms will be defined by individual Member States. Under the current regime, the Data Protection Act 1998 (DPA) defines ‘public authority’ by reference to the Freedom of Information (Scotland) Act 2002 (“FOISA”). FOISA’s definition of ‘public authority’ currently includes local councils; universities; colleges; the NHS; Scottish Ministers; Parliament; the Police; organisations that provide a public function or are engaged by a public authority to provide a public function (e.g. public transport, water, energy, housing associations etc.); and ‘publicly owned companies’ (i.e. a company wholly owned by the Scottish Ministers or by a Scottish public authority listed in Schedule 1 to FOISA), which would include, for example, wholly owned university spin-outs.
It is unclear at this stage whether the definition of ‘public authority/body’ under GDPR will mirror that used under the DPA. However, it seems unlikely to depart from it significantly; therefore, in our view, organisations that are currently caught by FOISA ought to prepare for GDPR on the assumption that they will be caught not only by GDPR (which they most certainly will) but also by the obligations specific to GDPR’s public authorities and public bodies.
Changes introduced by GDPR
Fines for breaching GDPR (a maximum of the greater of 4% of turnover or €20M) are significant compared with those under the DPA (a maximum of £500K). Public Authorities/Bodies (“PAs”) should use the implementation period to ensure they are GDPR compliant prior to 25th May 2018. A high-level look at the main obligations placed on PAs under GDPR includes:
- Accountability & Privacy By Design - PAs must be able to demonstrate compliance with GDPR and implement data protection by design that reflects the PA’s processing activities and risk.
- Data Protection Officer - PAs will need to appoint a Data Protection Officer (DPO). A single DPO can be designated for several PAs. The role can be contracted out.
- Data Processors - data processors can be held liable for non-compliance, and PAs should review situations where they act as a data processor for a third party. GDPR also requires enhanced contractual provisions for data processors engaged by PAs, which will necessitate a review of current contracts to ensure they are GDPR compliant and to future-proof contracts going forward.
- Extra-Territorial Reach - GDPR’s reach extends to organisations outwith the EU that process personal data of individuals in the EU. This could cover non-EU university spin-outs or organisations which PAs use to process personal data on their behalf.
- Consent and basis for processing - GDPR makes it much harder to rely on consent as a basis for processing personal data, and PAs should check whether the basis upon which consent was obtained meets GDPR requirements. PAs will no longer be able to rely on the legitimate interest exemption currently used extensively by PAs, and domestic/EU legislation may be required to justify such processing.
- Fair Processing Notices - these must be concise, intelligible and communicated by means likely to be noticed and read by data subjects. GDPR also requires further information to be added to privacy notices. PAs ought to review these notices and amend them as necessary to reflect GDPR requirements.
- Data Subject Rights - GDPR expands the rights of data subjects to include, for example, the right to be forgotten, the right to portability and the right to prevent customer profiling. PAs can no longer charge to deal with subject access requests. The time frame for responding has changed from 40 days to 1 month.
- International Transfers - the bases on which PAs can transfer personal data outwith the EEA have been restricted. For example, PAs, unlike other organisations, cannot rely on consent.
- Data Breaches - subject to limited exceptions, all data breaches must be notified to the ICO within 72 hours. It is good practice to have a plan prepared in advance setting out how data breaches will be handled; this will assist in providing a fast, effective response to minimise damage.
- FOI - GDPR is not expected to change the position of PAs as regards FOI. PAs may disclose personal data where this is permitted by UK law, e.g. FOIA or FOISA.
Getting GDPR Ready
Getting ready for GDPR may be a significant exercise for many PAs, and it is recommended to start now, if not already under way. In terms of approach, a suggestion would be to (i) undertake training to educate key individuals on the impact GDPR may have on the organisation; (ii) undertake a gap analysis to identify areas that need to be addressed; (iii) plan how to deal with areas of non-compliance, handling high-risk issues first; and (iv) implement the changes.
If you need assistance with getting GDPR ready, please contact Loretta Maxfield within our IP and Data Management Team on 01382 229111 or lmaxfield@thorntons-law.co.uk