PRIOR TO ITS APPLICATION, the Office of the Data Protection Commissioner (DPC) released a guidance note on the General Data Protection Regulation (the GDPR). This was the first in a series to assist organisations in their preparations towards full compliance with the GDPR, which entered into force in May 2016 and applies from 25 May 2018.
To concentrate corporate minds on compliance, it is worth knowing that the potential fines for breaches of the GDPR are substantial (up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher) and that the DPC's enforcement powers have been enhanced and its office is now better funded.
Looking at it from the other side, Helen Dixon, the Data Protection Commissioner, suggested at a recent talk that it may be useful to stand in the shoes of the individual and consider how damaging it could be to have your own personal data revealed or misused in some way. You can find the text of the GDPR itself at: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
The DPC recommends beginning with a "review and enhance" analysis of your personal data processing, present or planned for the future. "Personal data" means any information you process relating to an identified or identifiable natural person, known as a "data subject"; it does not extend to deceased persons, and the Regulation does not apply to anonymised data or to information that is not personal data at all. "Processing" means any operation or set of operations performed on personal data, by automated or other means, such as collection, storage (this includes manual records held in a filing system, for example ordered in a filing cabinet), alteration, dissemination or destruction.
The first step is to find out what personal data you hold. Make an inventory of it. Then draft an analysis covering: why you are storing the personal data, and why and how it was originally gathered; how long you need to retain it, or whether you can destroy it now; if it is to be retained, how secure it is and whether you can make it more secure; and, if the data is shared with others or transferred to another country, the legal basis for doing so and the safeguards in place around that. Document all your findings and decisions.
This documented self-analysis is important because the Regulation requires data controllers to be accountable for the personal data they process AND to be able to demonstrate this accountability. However, it is not a once-off exercise – this document needs to be updated on an ongoing basis.
Now that you have carried out this review, consider whether any personal data needs to be rectified. Information that you have decided you need to collect and process must be processed fairly, kept accurate and kept confidential.
Put systems in place so that the data is safeguarded against loss, damage, destruction or unlawful processing. These may include pseudonymisation (replacing direct identifiers with tokens that can only be linked back to the individual using additional information kept separately) and data minimisation (consider whether the data can be collected more selectively in the future), and consider installing systems that provide data protection by design and by default in respect of collection, processing, storage and access.
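As an added illustration of what pseudonymisation and data minimisation look like in practice (this is example code written for this article, not code from the DPC or the original author), the following Python replaces the direct identifier in each record with a keyed HMAC-SHA256 token and keeps only the fields a downstream purpose actually needs. The records, field names and the analytics purpose are constructed for the example. The key is the "additional information" the GDPR requires to be held separately: without it the tokens cannot be linked back to a person, but an organisation holding the key can still match a new identifier to an existing token (for example, to honour an erasure request).

```python
"""Pseudonymisation and minimisation of a personal-data extract (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample records; not real people.
RAW_RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com ", "name": "Alice Example", "dob": "1984-03-02",
     "plan": "pro", "last_login": "2016-12-01"},
    {"email": "bob@example.com", "name": "Bob Example", "dob": "1990-07-15",
     "plan": "free", "last_login": "2016-11-28"},
]

# Hypothetical downstream purpose: usage analytics. Only these fields are needed,
# so name and date of birth are dropped at the point of extraction (minimisation).
ANALYTICS_FIELDS = ("plan", "last_login")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that links tokens back to identifiers.

    Store it separately from the pseudonymised data set (e.g. in a secrets
    manager with its own access controls), never alongside the output.
    """
    return secrets.token_bytes(32)


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Deterministic keyed token for an identifier.

    An unkeyed hash such as sha256(email) is not adequate pseudonymisation:
    e-mail addresses have low entropy and can be recovered by hashing a
    dictionary of candidates. Keying the hash with a secret held separately
    means the token is useless to anyone who obtains only the data set.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: Dict[str, str], keep_fields: Iterable[str], key: bytes) -> Dict[str, str]:
    """Return a copy of the record containing a pseudonym and only the needed fields."""
    out = {"subject_id": pseudonymise_id(record["email"], key)}
    for field in keep_fields:
        if field in record:
            out[field] = record[field]
    return out


def pseudonymise_dataset(records: Iterable[Dict[str, str]],
                         keep_fields: Iterable[str], key: bytes) -> List[Dict[str, str]]:
    """Apply minimise() to every record of an extract."""
    keep = tuple(keep_fields)
    return [minimise(r, keep, key) for r in records]


def same_subject(pseudonym: str, identifier: str, key: bytes) -> bool:
    """Check, using the key, whether a pseudonym belongs to a given identifier.

    Constant-time comparison avoids leaking the token through timing.
    """
    return hmac.compare_digest(pseudonym, pseudonymise_id(identifier, key))


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    extract = pseudonymise_dataset(RAW_RECORDS, ANALYTICS_FIELDS, key)
    for row in extract:
        print(row)
    # Linking back requires the key; the extract alone does not identify anyone.
    print(same_subject(extract[0]["subject_id"], "alice@example.com", key))
```

Note that pseudonymised data is still personal data under the GDPR because re-identification remains possible for whoever holds the key; it reduces risk and supports data protection by design, but it is not anonymisation.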
Your processing must fall within one of the grounds for lawful processing listed in Article 6 of the GDPR. For example, processing is lawful if it is necessary for the performance of a contract with the data subject, or if it is necessary for the legitimate interests of the data controller or a third party, provided those interests are not overridden by the interests or fundamental rights of the data subject. Spell out in full your company's legitimate interests, as you will be relying on them to justify your data processing.
Processing is lawful too if you have the data subject's consent to process for one or more specific purposes. But where consent is given in a written declaration that also concerns other matters, it will be binding only if the request for consent is clearly distinguishable from those other matters and is presented "in an intelligible and easily accessible form, using clear and plain language." Consent must also be freely given and unambiguous, and it must be as easy to withdraw as it was to give. When collecting personal data you must in addition tell data subjects, among other information, the contact details of the Data Protection Officer (if one is appointed), the recipients of the personal data and/or details of any transfer to another country, and the existence of their rights under the Regulation.
Where children are offered information society services, for example Facebook, a child can consent on his or her own behalf only if aged at least 16 years; below that age consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this. In all cases the controller must be able to demonstrate that consent was given.
Particular care needs to be taken to ensure that processing is lawful where special categories of personal data are being processed, as such processing is prohibited unless one of the specific exceptions in Article 9 applies. This type of data reveals sensitive information about a person, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning health, sex life or sexual orientation.
Fully review current privacy notices and update them to comply with the GDPR. This requires you to provide individuals with more information than was necessary previously when collecting their personal data, for example, the period of time for which the data will be stored and the existence of the data subject’s individual rights under the Regulation.
The official website of the office of the DPC sets out these rights very clearly for the benefit of the public under its: “What you should know – For Individuals” tab. It informs the public on when and how to make a complaint to the DPC and at present, it is in the process of enhancing its online complaint form.
Under the GDPR, it will be easier for an individual to sue data controllers for compensation for infringements of their privacy rights for material or non-material damage.
You can expect that members of the public will be aware of their rights and will know how to exercise and enforce them. So it is advisable that you and your staff be aware of them too because the Regulation specifically requires data controllers to facilitate the exercise of these rights under Article 12.
The rights of data subjects include the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right not to be subject to a decision based solely on automated processing, including profiling (Article 22).
Make sure members of staff are informed about the new Regulation and know how to implement it in the course of their work.
Plan how to respond to data access requests "without undue delay and in any event within one month" of the request, giving information on the action taken on the request (this period can be extended by a further two months depending on the complexity and the number of requests, but the data subject must be told of the extension within the first month). As well as providing the data requested, there is a list of other information that must accompany it, such as informing the data subject of the right to complain to the DPC and of the existence of any automated decision-making and/or profiling.
In most circumstances, you cannot charge for providing this information. Consider setting up an online system to give individuals access to their own personal data.
Data breaches must be notified to the DPC without undue delay and, where feasible, not later than 72 hours after you become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where notification is late, the reasons for the delay must be given, and every breach must be documented internally whether or not it is notified. Set up the necessary systems and protocols now to enable compliance with this deadline. Consider whether it is possible to anonymise personal data and, at the very least, encrypt it: where a breach involves data that was encrypted so as to be unintelligible to whoever accessed it, the duty to inform the affected data subjects does not apply.
Data subjects must be advised of high-risk data breaches without undue delay.
A data protection impact assessment (DPIA) is mandatory for processing that is likely to result in a high risk to the rights and freedoms of natural persons, especially processing such as profiling that produces legal or similarly significant effects. It is required in the case of large-scale processing of the special categories of data or of data relating to criminal convictions or offences.
A DPIA is also required where there is systematic monitoring of a publicly accessible area on a large scale, e.g. the use of CCTV in public places. The assessment must set out the measures envisaged to address the risks involved.
You must appoint a Data Protection Officer (DPO) if you are a public authority or, when your “core activities” consist of regular and systematic monitoring of data subjects on a large scale or, where you process on a large scale data under the special categories as a core activity.
The DPO is not just a compliance officer. He or she must have “expert knowledge of data protection law and practices” relevant to your business. The GDPR requires the DPO to perform his/her role with a high degree of independence and be supported by you in doing so, with access to your data/operations and by providing him/her with resources and any necessary training.
The DPO shall report directly to the highest management level of the controller (i.e. the board of directors or its equivalent). The DPO must cooperate with the office of the DPC (to be known as the Supervisory Authority) and cannot be dismissed or penalised for performing of his/her tasks.
Copyright © McKeever Rowan Solicitors, 12 December 2016.
This article is a general review of the law on the subject and is not intended to be a complete statement of the law. Specific legal advice must be sought on a case by case basis. For further information please contact Robert Browne.