Greetings from the new Dublin offices of the Irish data protection authority and thank you to PAI for the opportunity to address you in this blog with details of a significant piece of new legislation that has important implications for the organisations that every one of you reading this article represents. –
MB Donnelly, DPC Spokesperson
I’m referring to the new EU General Data Protection Regulation that will govern the processing of personal data in Europe from May 2018. Whether the only personal data your organisation collects and processes is employee personal data, or whether you are an organisation with thousands of clients whose personal data you collect and transact with, this article has important messages for you. Headline features of this new legislation are liability to fines of up to €20m or 4% of global turnover for organisations that infringe the Regulation, and the individual’s right to compensation from organisations where they suffer either material or non-material damage from a breach of their personal data rights. Essentially, we’re talking now about massive risks for organisations that do not comply. In this article, we aim to set out the important points you need to note about the legislation and, more importantly, the preparatory steps you need to take now to get ready for May 2018. We hope to address many of the concerns around GDPR readiness in this article, but more information can be found in our published guidance ‘The GDPR and You – Preparing for 2018’, which is available on our website www.dataprotection.ie.
So what is data protection law about?
It’s based on a set of very pragmatic, high-level principles. For organisations, that means you should collect no more data from an individual than is necessary; you should obtain that personal data fairly from the individual by giving them notice of the collection and its specific purpose; you should retain the data for no longer than is necessary for that specified purpose; you should keep it safe and secure while it is in your possession and you should provide an individual with a copy of his or her personal data if they request it. It is common sense stuff really.
The GDPR takes a fresh look at what personal data is, and confirms that location data, online identifiers or other factors relating to an individual all qualify as ‘personal’ within the scope of the regulation. There are categories of data recognised as ‘special categories’, and these will require particular study by the public sector. These include data relating to criminal convictions and offences.
Article 37 of the Regulation will require all public bodies to appoint a Data Protection Officer. The DPO will have professional standing, independence, expert knowledge of data protection and be “involved properly and in a timely manner” in all issues relating to the protection of personal data. He or she cannot be dismissed for performing their data protection officer tasks.
Under the GDPR individuals will have a right to compensation where they suffer material or non-material damage as a result of an infringement of the regulation. There will also be mandatory breach notification for all public bodies to their data protection authority, which must be done without undue delay and, in almost all cases, within seventy-two hours. The Regulation also contains a big increase in the enumerated rights of data subjects. In addition to enhanced subject access rights, data subjects will acquire rights to data portability and erasure.
The regulation demands very high levels of accountability from public bodies, with a need to document clearly how data is processed and protected in your organisation. There is a further requirement for internal and external audits, security measures and an ability to demonstrate levels of accountability to the data protection authority if demanded to do so. Not doing so will carry significant risk.
Data protection authorities are being given a far greater enforcement role than that which exists under the current regime. The Irish DPC will, for the first time, acquire administrative fining capability under the Regulation, with an obligation to impose sanctions that are effective, proportionate and dissuasive. Aligned with this, there will be far more categories of infringements under the Regulation than currently exist. While it is not yet clear if the Irish legislature will empower the DPC to fine public bodies (or limit its remit to private industry), equivalent sanctions will be provided for in law which will be effective and dissuasive.
However, all this talk of sanctions and contravention should be the exception. Data protection is not an obstacle to effective and efficient public service – it is in fact an enabler, so long as that service is delivered in the right way and data privacy is considered a core requirement from the project’s inception. What should be occupying the attention of organisations is identifying the measures they can implement now to ensure that they are GDPR ready in 2018.
Firstly, data controllers need to think in terms of risk management, and review and enhance their processes. Implementing the GDPR could have significant implications in terms of resources, especially for larger and more complex organisations. Any delay in preparations may leave your organisation susceptible to compliance issues following the GDPR’s introduction.
Think about the way your organisation collects and processes data.
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties and on what basis might you do so?
This inventory will also enable organisations to amend incorrect data or track third-party disclosures in the future, which is something that they may be required to do under GDPR.
Identify any gaps that exist between the level of data collection and processing your organisation engages in and how aware you have made your customers, staff and services users of this fact. If gaps exist, set about redressing that.
Before gathering any personal data, current legislation requires that you notify your customers of your identity, your reasons for gathering the data and the use(s) it will be put to. Under the GDPR, additional information must be communicated to individuals in advance of processing; such as the legal basis for processing the data, retention periods and the right of complaint where customers are unhappy with your implementation of any of these criteria. The GDPR also requires that the information be provided in concise, easy to understand and clear language.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements. Organisations who already apply these principles will find the transition to the GDPR less onerous.
Review your current procedures.
How would your organisation react if it received a request from a data subject?
- How long would it take to locate (and correct or delete) the data in all locations where it is stored?
- Who will make the decisions about deletion?
- Can your systems respond to the data portability provision of the GDPR, where you have to provide the data electronically and in a commonly used format?
The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also shorten, dropping significantly from the current 40-day period.
Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
The logistical implications of having to deal with requests in a shorter timeframe and provide additional information will need to be factored into future planning for organisations. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online.
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This is particularly important where consent is relied upon as the sole legal basis for processing data. Under the GDPR, individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.
For government departments and agencies, there has been a significant reduction in the number of legal bases they may rely on when processing data. It will no longer be possible to cite legitimate interests or consent to justify processing. Instead, there will be a general necessity to have specific legislative provisions underpinning one or more of the methods organisations use to process data. All organisations need to carefully consider how much personal data they gather, and why they need it. If any categories can be discontinued, they should be. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation.
If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous.’ Essentially, your customer cannot be forced into consent; they must know exactly what they are agreeing to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.
The GDPR will bring in mandatory breach notifications, which will be new to many organisations. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must be reported to the DPC within seventy-two hours. Now is the time to assess the types of data you hold and document which ones fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches, both at central and at local level. It is worth noting that a failure to report a breach when required to do so could result in a fine, in addition to the fine for the breach itself.
So the message for organisations is that action is needed now to ensure that your transition to the GDPR is a smooth one. Future-proof your systems and contracts by factoring in what your obligations will be in 2018 and start considering the privacy implications of all current and anticipated projects. May 2018 is rapidly approaching, and it brings with it significant challenges. The onus is now on all of us to meet those challenges, and to implement the provisions of the GDPR in a full, transparent and compliant way.