THE GENERAL DATA PROTECTION REGULATION – WHAT’S IN STORE FOR THE PUBLIC SECTOR?

Summer 2016 


In recent months, after the text of the GDPR was finalised and published in the Official Journal, the UK voted to leave the EU. This has left many organisations wondering whether they still need to begin compliance programmes to meet the host of new requirements and obligations that will be introduced by the GDPR.

The view of the Information Commissioner's Office (ICO) is that you should still prepare. This is because, even though the GDPR (being an EU regulation) will automatically cease to apply to the UK when the UK eventually leaves the EU (as the UK will no longer be a Member State):

  • Some UK organisations will still be caught by the GDPR as a result of its wide territorial scope (for example, it applies to organisations that offer goods and services to data subjects in the EU);
  • If the UK wishes to be able to offer data processing services to EU businesses, the UK will need to offer a similar level of protection in respect of the personal data of EU citizens – meaning that the current law will need to be reformed in any event.

The ICO has therefore gone ahead and released an overview of the law, which is the first part of its substantive guidance on the GDPR. 

Following suit, in this article, we look at some of the key areas of reform and consider how things will change for the public sector when the GDPR comes into force.

Changes to the definition of “personal data” and “sensitive” personal data

How will things change?

Personal data will usually include personal data that has been encrypted (encryption is reversible by whoever holds the key, so it is pseudonymisation rather than anonymisation) and online identifiers such as IP addresses. Sensitive personal data will include genetic and biometric data.

How does this differ from the current position?

  • The changes to the definition of “personal data” resolve existing uncertainties about what constitutes personal data.
  • The definition of sensitive personal data does not currently include either genetic data or biometric data.

What impact is this change likely to have for the public sector?

  • More data will be subject to data protection laws.
  • The higher level protections that apply to sensitive personal data will need to be applied to genetic and biometric data.

The Data Protection Principles (“DPPs”)

How will things change?

Some changes to the DPPs, but not that many. The main change is a new requirement for “transparency”. Also, controllers will need to be able to demonstrate compliance with the DPPs (the “accountability” principle).

How does this differ from the current position?

  • There is no explicit requirement for transparency in the Data Protection Act 1998 (DPA), but the ICO already requires controllers to be upfront about what they do.
  • There is currently no obligation on controllers to be able to demonstrate compliance with the DPPs – evidence of such compliance is generally only required if a complaint has been made or a breach occurs.

What impact is this change likely to have for the public sector?

  • Information provided to data subjects will need to be easily accessible, concise, transparent and intelligible, and written in clear and plain language.
  • The requirement for transparency means that more information will need to be provided to data subjects (see Privacy Notices below).
  • Evidence of how compliance with the DPPs is achieved will need to be retained on an ongoing basis.

Processing based on the “legitimate interests” ground

How will things change?

The public sector will no longer be able to rely on this ground as a basis for processing personal data.

How does this differ from the current position?

  • Under the DPA, public bodies are able to rely on this ground (provided certain requirements are met) where they have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with.

What impact is this change likely to have for the public sector?

  • If you currently rely on this ground, you will need to find alternative grounds to justify your personal data processing before the GDPR comes into force (e.g. under Article 6(1)(c) (processing is necessary for compliance with a legal obligation) or Article 6(1)(e) (processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority)).
  • EU Member States are given certain powers under the GDPR to adapt the rules in relation to tasks carried out in the public interest or in the exercise of public authority. You will need to keep an eye on developments in this area.

Processing based on consent

How will things change?

The GDPR specifically states that, due to the imbalance of power between public bodies and data subjects, consent will not usually be a valid legal ground for processing by public bodies (as it is unlikely to satisfy the requirement that consent is “freely given”). In the limited circumstances where it may be appropriate to rely on consent, such consent will need to be unambiguous, as well as being freely given, specific and informed.

In relation to sensitive personal data, any consent based processing must be based upon explicit consent.

How does this differ from the current position?

  • Current guidance already highlights that consent may not be “freely given” where there is an imbalance of power between the controller and data subject.
  • There is currently no specific requirement in the DPA that consent is unambiguous. However, the Data Protection Directive 1995 (DPD) states that an individual must “signify” their agreement to processing - so there is already a requirement for active communication between the parties.
  • Consent based processing must already be based upon explicit consent where the data being processed is sensitive personal data.

What impact is this change likely to have for the public sector?

  • Existing consents may become invalid and new consents may therefore need to be obtained.
  • Generally speaking, however, it will be advisable for public bodies to base their processing on other legal grounds.

Privacy notices

How will things change?

These will need to contain more information (including information about the retention period and the legal basis for processing) and be transparent.

How does this differ from the current position?

  • Privacy notices are already required under the DPA (in order to satisfy the “fair processing” requirement), but less information has to be provided.

What impact is this change likely to have for the public sector?

  • Privacy notices will need to be revamped to comply with the new requirements.
  • Keep an eye out for the development of “standardised icons” by the EU Commission, which controllers will be able to use to provide information in a “user friendly” format.

Registering with the ICO

How will things change?

Public bodies won’t need to do this anymore – but the keeping of detailed internal records will be mandatory.

How does this differ from the current position?

  • Data controllers currently need to register with the ICO.

What impact is this change likely to have for the public sector?

  • Public bodies will need to comply with Article 30 (which lists the main record keeping requirements).
  • They will also need to comply with other obligations in the GDPR to keep documentary evidence of how compliance is achieved.

Subject access requests

How will things change?

More information must be supplied to data subjects if a subject access request is received and generally it must be provided for free.

How does this differ from the current position?

  • Under the DPA, data subjects already have a right to be provided with a copy of the data and certain information. Under the GDPR, however, more detailed information must be supplied.
  • Controllers can currently charge a fee of £10 in relation to data subject access requests. Under the GDPR, controllers will only be able to charge a fee if a subject access request is a repeat request or is manifestly unfounded or excessive.

What impact is this change likely to have for the public sector?

  • There is a risk that many more subject access requests will be received once the monetary barrier to making such requests is removed.
  • When responding to subject access requests, public bodies will need to ensure they comply with the detailed rules set out in Articles 12 and 15.

Other rights of data subjects

How will things change?

Data subjects will also have other improved rights as well as certain new rights under the GDPR. In particular, there will be more rights to require that data is erased and to object to and stop processing and a new right to data portability.

How does this differ from the current position?

  • Most of the rights that data subjects will have under the GDPR already exist under the DPA – but they will be stronger and clearer under the GDPR.
  • As well as the new right to data portability there will also be a new right to restrict the processing of data and improved rights to prohibit automated decisions and profiling in certain circumstances.

What impact is this change likely to have for the public sector?

  • Staff will need to be trained in relation to the new rights and new internal policies and procedures put in place to aid compliance.
  • Public bodies will need to ensure that their data processing systems are able to cope with the new rights (e.g. be able to isolate and permanently erase data).
  • Be aware that data subjects will be able to object to processing that is claimed to be in the public interest/necessary for the exercise of official authority (and get the data erased) – unless the relevant public body is able to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

Data breaches

How will things change?

There will be mandatory requirements to report personal data breaches to the ICO and to data subjects in certain circumstances.

How does this differ from the current position?

  • Reporting of data breaches is not mandatory under the DPA, but many controllers do so as such reporting is treated as a mitigating factor by the ICO.

What impact is this change likely to have for the public sector?

  • Public bodies will need to put appropriate internal procedures in place to detect, report and investigate personal data breaches in accordance with the new rules and the applicable timescales (notification to the ICO is required without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals).

Data Protection Officers (“DPOs”)

How will things change?

Public bodies must appoint a DPO. Detailed requirements relating to the appointment and role of the DPO are set out in the GDPR (Articles 37 to 39).

How does this differ from the current position?

  • There is no such obligation under the DPA or the DPD but of course many public bodies already have specific employees who are responsible for data protection compliance.

What impact is this change likely to have for the public sector?

  • This will not be a significant change for those public bodies that already have employees or teams responsible for data protection compliance.
  • For other public bodies this will be an onerous new obligation.
  • All public bodies will need to properly acquaint themselves with the rules relating to the appointment and role of DPOs.
  • Bear in mind that a single DPO may be appointed with responsibility for several public authorities/bodies – so you may be able to share the burden of this obligation with other organisations.

Data protection by design and default

How will things change?

Public bodies will need to adopt a data protection by design and default approach to personal data security. They will also need to carry out regular risk assessments to evaluate whether the technical and organisational measures they have put in place to ensure the security of data and compliance with the GDPR are still appropriate/adequate.

How does this differ from the current position?

  • Data protection by design is not currently mandatory, but this approach is recommended by the ICO.
  • The data protection by default requirement builds on existing requirements relating to purpose and storage limitation and data minimisation.

What impact is this change likely to have for the public sector?

  • Data protection by design means that new data processing systems will need to be designed at the outset to comply with all aspects of the GDPR. Contractors involved in the design of such systems will need to be subject to appropriate contractual obligations.
  • Data protection by default means that public bodies will, by default, need to ensure that personal data processing is kept to the minimum required.
  • Compliance will require less of a “tick certain boxes” requirement and more of an ongoing risk assessment approach.

Transfers outside the EEA

How will things change?

There are some changes to the current rules, but the same basic framework will continue to apply.

How does this differ from the current position?

  • The DPA already regulates the transfer of personal data outside the EEA.
  • Key concepts, such as adequacy decisions and the use of model contract clauses will remain.

What impact is this change likely to have for the public sector?

  • Public bodies that transfer personal data outside the EEA, will need to familiarise themselves with changes that the GDPR will introduce in relation to transfers outside the EEA.
  • Note in particular that there will be a new derogation that will permit one-off transfers of personal data in certain limited circumstances.

Statutory obligations for processors

How will things change?

For the first time, data processors will be subject to specific statutory obligations. The obligations include compliance with the DPPs, the keeping of records, the implementation of appropriate security measures and rules governing the appointment of sub-processors.

How does this differ from the current position?

  • There are no such statutory obligations on data processors under the DPA.

What impact is this change likely to have for the public sector?

  • The new obligations will only directly affect public bodies which process data on behalf of other organisations.
  • However, public bodies that appoint data processors may find the negotiation of processing contracts more difficult (as processors will be keen to offload risk and ensure compliance with the GDPR).
  • Also, contracts between controllers and processors will need to be “beefed up” to include new obligations on processors. 

Fines

How will things change?

These will have the potential to be a lot bigger under the GDPR. The maximum fine that can be imposed is Euro 20,000,000 or 4% of annual worldwide turnover, whichever is the greater.

How does this differ from the current position?

  • Currently in the UK the maximum fine that can be imposed is £500,000. The biggest fine that has actually been imposed is £325,000.

What impact is this change likely to have for the public sector?

  • It will be more important than ever to comply with data protection laws!

What should you do next?

At this stage, one of the most useful things that you can do is ensure that key people within your organisation are informed about the changes that the GDPR will introduce so that they can start evaluating the changes that will need to be made to your systems, procedures and processes to achieve compliance by the “go live” date.

Once you have worked out what needs to be done to achieve compliance, the next step will be to create a project plan detailing the overall goals that need to be met, the actions necessary to meet those goals, the personnel with responsibility for doing so and the applicable timescales. No doubt a plethora of professional and technical services will soon become available on the market to aid this process.

At the end of the day, it will be those organisations that leave the issue of compliance to the 11th hour that will find the reforms introduced by the GDPR a real headache. Don’t let that be you…

If you have any queries about the GDPR please contact either Owen Evans or Lowri Phillips.

