Aside from the change to the principles and the provisions as to processing data, what in practice are the main features of the GDPR?
Penalties – one of the most talked about aspects of the GDPR is the draconian level at which the EU have set the penalties for breach. Penalties can be levied up to the greater of ten million euros or two per cent of global turnover for infringements of record keeping, security, breach notification and privacy impact assessment obligations. These penalties may be doubled for violations relating to legal justification for processing, lack of consent, data subject rights and cross-border data transfers.
Consent – one of the changes which is likely to have the greatest impact is that of consent. The GDPR refers both to ‘consent’ and to ‘explicit consent’ (although the difference between the two is not clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes).
For there to be consent under the GDPR there must be a clear affirmative action on the part of the person whose data is being processed. Implied consent arising from silence, pre-ticked boxes or inactivity does not constitute consent for these purposes. The definition in Article 4 of the GDPR states that consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
What is more, consent must be verifiable, which means that some form of record must be kept of how and when consent was given.
Consent can be implied to the extent that it can be implied from the data subject’s relationship with the company. Thus, if a firm was providing services then it is assumed that the data can be used for the purposes of carrying out those services. However, it is not yet clear whether it can be implied that the data subject can be sent marketing emails from the organisation where the subject has not indicated they are happy to receive them. It may be that for that, explicit consent must be obtained.
A further factor to bear in mind is that individuals have a right to withdraw consent at any time. That means that any systems that an organisation has in place for recording consent in the first place must be sufficiently flexible to allow the organisation to remove details when requested to do so – possibly even for some specific purposes but not for others.
Finally, if the organisation has previously obtained consent, that can only be relied upon if the standard of that consent meets the new requirements under the GDPR; if not, an alternative legal basis must be found or the organisation must cease or not start the processing in question.
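The consent requirements above (a clear affirmative action, a verifiable record of how and when, withdrawal at any time and for some purposes but not others) translate directly into a data-structure problem. The following is an added example of an append-only consent ledger, not code from the article; the method vocabulary (`ticked_box`, `pre_ticked_box` and so on), the field names and the sample subject are assumptions made for illustration.

```python
# Added example: an append-only consent ledger. Not code from the article;
# the method vocabulary, field names and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Methods that count as a clear affirmative action (assumed vocabulary).
AFFIRMATIVE_METHODS = {"ticked_box", "signed_form", "button_click", "recorded_verbal"}
# Methods the GDPR definition rules out: silence, inactivity, pre-ticked boxes.
NON_AFFIRMATIVE_METHODS = {"pre_ticked_box", "silence", "inactivity"}


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper for building timezone-aware timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purposes: frozenset      # the specific purposes this event covers
    action: str              # "given" or "withdrawn"
    method: str              # how consent was obtained (or withdrawn)
    recorded_at: datetime    # when it was recorded
    evidence: str            # e.g. the form version / wording shown to the subject


class ConsentLedger:
    """Events are appended, never edited or deleted, so 'how and when' stays verifiable."""

    def __init__(self) -> None:
        self._events: list = []

    def record_consent(self, subject_id: str, purposes: Iterable[str], method: str,
                       evidence: str, when: Optional[datetime] = None) -> ConsentEvent:
        if method in NON_AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"unknown consent method {method!r}")
        purposes = frozenset(purposes)
        if not purposes:
            raise ValueError("consent must be specific: name at least one purpose")
        event = ConsentEvent(subject_id, purposes, "given", method,
                             when or datetime.now(timezone.utc), evidence)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purposes: Optional[Iterable[str]] = None,
                 when: Optional[datetime] = None) -> ConsentEvent:
        """Withdraw the named purposes only, or everything when purposes is None."""
        when = when or datetime.now(timezone.utc)
        current = self.active_purposes(subject_id, at=when)
        target = current if purposes is None else frozenset(purposes) & current
        event = ConsentEvent(subject_id, target, "withdrawn", "subject_request",
                             when, "withdrawal request from data subject")
        self._events.append(event)
        return event

    def active_purposes(self, subject_id: str, at: Optional[datetime] = None) -> frozenset:
        """Replay the subject's events up to 'at' to get the purposes consented to then."""
        at = at or datetime.now(timezone.utc)
        active: set = set()
        mine = sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)
        for event in mine:
            if event.recorded_at > at:
                break
            if event.action == "given":
                active |= event.purposes
            else:
                active -= event.purposes
        return frozenset(active)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        return purpose in self.active_purposes(subject_id, at)

    def audit_trail(self, subject_id: str) -> list:
        """The record a regulator would ask for: how and when, one row per event."""
        return [(e.recorded_at.isoformat(), e.action, sorted(e.purposes), e.method, e.evidence)
                for e in self._events if e.subject_id == subject_id]


def demo() -> dict:
    """Constructed walk-through: consent for two purposes, marketing withdrawn a week later."""
    ledger = ConsentLedger()
    ledger.record_consent("subject-001", ["service_delivery", "marketing_email"], "ticked_box",
                          "signup form v3, box unticked by default", when=utc(2018, 5, 25, 9))
    ledger.withdraw("subject-001", ["marketing_email"], when=utc(2018, 6, 1, 10))
    return {
        "marketing_before": ledger.has_consent("subject-001", "marketing_email", at=utc(2018, 5, 31)),
        "marketing_after": ledger.has_consent("subject-001", "marketing_email", at=utc(2018, 6, 2)),
        "service_after": ledger.has_consent("subject-001", "service_delivery", at=utc(2018, 6, 2)),
        "events": len(ledger.audit_trail("subject-001")),
    }
```

Two design choices carry the legal requirements: rejecting `pre_ticked_box`, `silence` and `inactivity` at write time means implied consent can never enter the record, and replaying events up to a point in time lets the organisation show what consent existed when a particular processing activity happened, not only what exists today. Legacy consent that does not meet the new standard should simply not be loaded into the ledger under an affirmative method; the processing then needs another legal basis.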
Managing Risk – Every organisation will need to implement a risk-based approach to privacy and must, where appropriate, implement controls which take account of the degree of risk associated with a particular data processing activity. This may require the organisation to carry out privacy impact assessments, put in place data protection safeguards (which must be designed into products and services from the earliest stage of development), adopt privacy-friendly techniques such as pseudonymisation and generally ensure that systems are sufficiently robust and flexible to allow for opting out by data subjects. This will be looked at shortly in the section dealing with what firms must think about going forward.
Data Protection Officers – an area which is unlikely to affect most law firms, but which may be relevant to larger law firms or their clients is that of the appointment of Data Protection Officers.
Data Protection Officers must be appointed for all public authorities, where there is regular and systematic monitoring of data subjects on a large scale or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like). An earlier proposal that it should apply to all organisations with more than 250 employees was dropped.
Article 39 of the GDPR[vii] states that the data protection officer shall have at least the following tasks:
1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
4. to cooperate with the supervisory authority; and
5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Information when Obtaining Data – The GDPR also sets out the areas of information that must be made clear to data subjects when data is being collected. These include:
1. the identity and the contact details of the organisation seeking the data;
2. the reason the data is required and the uses to which it will be put;
3. the legal basis of the processing and, where relevant, the legitimate interests that the organisation or a third party are pursuing;
4. who will be receiving the personal data and whether or not the organisation intends to transfer the personal data internationally;
5. for how long the personal data will be stored, or if not known the criteria used to determine that period;
6. the fact that the data subject has a right to access, rectify or erase the personal data, the right to portability of the data and the right to withdraw consent at any time;
7. the right to lodge a complaint.
A few of these points are worth further clarification.
So far as access to the data by the data subject is concerned, the GDPR makes it clear that the reason for allowing individuals to access their personal data is so that they can be sure the data is being used lawfully. The organisation using the data must provide a copy of the information free of charge (the £10 subject access fee under the DPA having been removed). However, smaller organisations will be able to make a charge for providing access where requests are either unfounded or excessive. Where a legitimate request is made, it must be carried out “without undue delay and at the latest within one month of receipt of the request.”
The right to data portability has yet to be fully clarified but will probably apply to a right for the data subject to have their information sent between providers of services such as banks, utilities companies and telecoms providers.
The right to be forgotten – data subjects need to be told for how long their information needs to be kept. Once that period has elapsed, the subject can apply for the data to be removed and erased, which places a duty on those controlling the data to ensure that any third parties who have been provided with the data do likewise.
Children – Where services are offered directly to a child, then there is a duty to ensure that any privacy notice is written in such a clear and plain way that a child would be able to understand it. If the service is an online service then the organisation will need the consent of a parent or guardian to process the child’s data. The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles and it is not intended that parental/guardian consent be required where the processing is related to preventative or counselling services offered directly to a child.
Security – Article 32 of the GDPR provides for security. It states that the controller and the processor shall implement appropriate (by reference to the organisation) technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
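Pseudonymisation appears twice above, as a privacy-friendly technique under Managing Risk and as the first of the Article 32 measures. What makes it worth anything is that the information needed to re-identify a subject is kept apart from the pseudonymised data set. The block below is an added example, not code from the article or from any project it mentions; the field names, the key store class and the sample records are all constructed for illustration.

```python
# Added example: keyed pseudonymisation with the key held apart from the data.
# Not code from the article; field names and sample records are constructed.
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

IDENTIFYING_FIELDS = ("name", "email")   # assumed: the direct identifiers in our records


class PseudonymKeyStore:
    """Holds the secret key; the pseudonymised data set never contains it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, identifier: str) -> str:
        # HMAC-SHA256 over the normalised identifier: the same person always gets
        # the same pseudonym (records stay linkable), but reversal needs the key.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, keystore: PseudonymKeyStore) -> dict:
    """Replace direct identifiers with a keyed pseudonym; keep the other fields."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["subject"] = keystore.pseudonym(record["email"])
    return out


def reidentification_table(records: Iterable[dict], keystore: PseudonymKeyStore) -> dict:
    """The additional information that must be stored separately from the data set."""
    return {keystore.pseudonym(r["email"]): r["email"] for r in records}


def unkeyed_hash(identifier: str) -> str:
    """What not to use as a pseudonym: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()[:32]


def dictionary_reversal(pseudonym: str, candidates: Iterable[str], fn) -> Optional[str]:
    """Run each candidate identifier through fn; return the one that matches, if any."""
    for candidate in candidates:
        if fn(candidate) == pseudonym:
            return candidate
    return None


# Constructed sample records (not real people).
SAMPLE_RECORDS: List[dict] = [
    {"name": "A. Example", "email": "a.example@example.org", "matter": "M-1001", "hours": 3.5},
    {"name": "B. Example", "email": "b.example@example.org", "matter": "M-1002", "hours": 1.0},
    {"name": "A. Example", "email": "A.Example@example.org", "matter": "M-1003", "hours": 2.0},
]


def demo(keystore: Optional[PseudonymKeyStore] = None) -> dict:
    ks = keystore or PseudonymKeyStore()
    pseudonymised = [pseudonymise_record(r, ks) for r in SAMPLE_RECORDS]
    table = reidentification_table(SAMPLE_RECORDS, ks)      # stored elsewhere in practice
    candidates = [r["email"] for r in SAMPLE_RECORDS]       # identifiers a guesser already knows
    return {
        "records": pseudonymised,
        "linked": pseudonymised[0]["subject"] == pseudonymised[2]["subject"],
        "reidentified": table[pseudonymised[1]["subject"]],
        # A plain hash of a known e-mail is recomputable without any secret...
        "unkeyed_guessable": dictionary_reversal(unkeyed_hash("b.example@example.org"),
                                                 candidates, unkeyed_hash),
        # ...whereas the keyed pseudonym cannot be matched without the key.
        "keyed_guessable": dictionary_reversal(pseudonymised[1]["subject"], candidates, unkeyed_hash),
    }
```

The point of the `unkeyed_hash` comparison is that hashing an e-mail address with a public algorithm is not pseudonymisation in the Article 32 sense, because anyone holding a list of plausible addresses can rebuild the mapping. With the keyed version, the pseudonymised data set and the key store (or the re-identification table) are the two halves that must live under different access controls.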
Breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” must be reported “without undue delay and, where feasible, not later than 72 hours after having become aware of it” and if this cannot be done then the controller must provide a “reasoned justification” for the delay. However, notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”
In the event that the controller believes the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” then information must also be given to the affected data subjects “without undue delay” although this may not apply if the controller has “implemented appropriate technical and organisational protection measures” that “render the data unintelligible to any person who is not authorised to access it, such as encryption”.
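The notification rules in the last two paragraphs are easy to get wrong in the middle of an incident, in particular that the 72-hour clock runs from awareness rather than from the breach itself, and that the encryption exemption relieves only the duty to tell data subjects, not the duty to tell the supervisory authority. The following added example encodes that triage as a function; it is not from the article, and the three-step risk scale, the field names and the sample incident are assumptions.

```python
# Added example: breach-notification triage under the rules quoted above.
# Not code from the article; the risk scale, field names and incident are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTHORITY_WINDOW = timedelta(hours=72)   # "not later than 72 hours after having become aware"
RISK_LEVELS = ("unlikely", "risk", "high")   # assumed three-step assessment scale


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class BreachAssessment:
    occurred_at: datetime        # when the breach happened (often well before discovery)
    aware_at: datetime           # when the controller became aware: this starts the clock
    risk_to_individuals: str     # one of RISK_LEVELS, as judged by the assessor
    data_unintelligible: bool    # e.g. strongly encrypted and the key not compromised


def triage(b: BreachAssessment, now: datetime) -> dict:
    """Work out who must be told, by when, and whether a late notice needs justifying."""
    if b.risk_to_individuals not in RISK_LEVELS:
        raise ValueError(f"risk must be one of {RISK_LEVELS}")
    if b.aware_at < b.occurred_at:
        raise ValueError("cannot become aware of a breach before it occurred")

    # The authority must be told unless the breach is unlikely to result in a risk.
    notify_authority = b.risk_to_individuals != "unlikely"
    deadline = b.aware_at + AUTHORITY_WINDOW           # from awareness, not occurrence
    remaining = (deadline - now).total_seconds() / 3600
    overdue = notify_authority and now > deadline      # then a "reasoned justification" is due

    # Data subjects must be told on high risk, unless the data was rendered unintelligible.
    high = b.risk_to_individuals == "high"
    notify_subjects = high and not b.data_unintelligible

    return {
        "notify_authority": notify_authority,
        "authority_deadline": deadline,
        "hours_remaining": max(0.0, remaining) if notify_authority else None,
        "reasoned_justification_required": overdue,
        "notify_data_subjects": notify_subjects,
        "subject_notice_exempt_by_encryption": high and b.data_unintelligible,
    }


def demo() -> dict:
    """Constructed incident: an unencrypted laptop holding client files is lost on a
    Friday evening but the loss is only reported to the firm on Monday morning."""
    incident = BreachAssessment(
        occurred_at=utc(2018, 6, 1, 18),
        aware_at=utc(2018, 6, 4, 9),
        risk_to_individuals="high",
        data_unintelligible=False,
    )
    return triage(incident, now=utc(2018, 6, 5, 9))
```

In the constructed incident the deadline falls on Thursday morning, 72 hours after the Monday report, even though the laptop went missing on Friday. Whether strong encryption also lowers the assessed risk level is a judgement left to the assessor's input; the function only applies the exemption the text describes, which concerns notice to the individuals.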