GDPR and the UK Data Protection Bill: What you should be doing now
On Thursday 14 September, we finally received the UK Government’s take on the General Data Protection Regulation (“GDPR”). It will have effect from 25 May 2018.
The UK Government published the much-awaited UK Data Protection Bill (the “Bill”) which, although subject to change, is an important milestone illustrating the UK’s vision for data use post-Brexit. The UK Minister for Digital, Matt Hancock, has stated that “the Bill will bring data laws up to date, give citizens more control over their data, and support innovation by ensuring that….businesses can continue to process data safely”.
In this article, we refer to “organisations”. However, the GDPR will also raise issues for pension schemes and will require those parties administering such schemes to carry out a review of their compliance with the GDPR.
This means that organisations that process personal data (which nearly all readers of this article will do to some extent) have until 25 May 2018 (at the time of writing, a little over 8 months away) to ensure that their personal data processing activities are compliant with the “up to date” legislation. Failure to do so may result in heavy penalties, up to a maximum fine of £17 million or 4% of annual global turnover.
It’s not all doom and gloom. The Information Commissioner’s Office (“ICO”), the supervisory body responsible for data protection compliance within the UK, has stated that “if you are complying properly with the current law, then you have a strong starting point to build from. [But] there are important new elements and some things will need to be done differently”. Therefore, if your organisation has maintained its data protection compliance in the past, you are likely to find reviewing your organisation’s compliance with the GDPR less of a chore. However, if data protection has tended to be an afterthought, now is the time to use this change in the legislation as a catalyst to kick-start your compliance.
Here are a few key areas of change that will require your attention as a result of the GDPR:
- Privacy notices – the notices which you provide to individuals setting out how you propose to use their personal data are to become more prescriptive. The GDPR sets out what additional information must now be provided within such notices, including (amongst other details):
  - the purpose of the processing and the legal basis on which an organisation proposes to perform its processing activities;
  - details of the legitimate interests relied upon where an organisation chooses to use the “legitimate interests” condition for processing personal data;
  - the criteria used to determine the retention period of the personal data it holds; and
  - details of an individual’s right to withdraw their consent at any time, where the organisation has asked that individual for his/her consent to process his/her personal data.
Organisations should therefore review their privacy notices. Do such privacy notices comply with the requirements of the GDPR? Do they accurately reflect how the scheme collects, uses and discloses personal data? If not, such privacy notices should be amended and reissued.
- Accountability and record keeping – not only will organisations need to comply with the GDPR, they will also be required to maintain records which demonstrate such compliance, and to provide those records to the ICO upon request.
Organisations should therefore review (amongst other matters) what personal data they are currently processing; where it is held; to whom the personal data relates; and on what legal basis it is processed. Do the findings comply with the GDPR? If not, action should be taken immediately, and details of the organisation’s compliance should be recorded for future reference and reviewed regularly.
- Data Processing Agreements – where an organisation enters into a contract with a third party (e.g. a scheme administrator) for the processing of personal data on the organisation’s behalf, the GDPR requires that such processing be governed by a written agreement containing certain prescribed contractual clauses.
Organisations should review their current Data Processing Agreements (and also those contracts where the processing of personal data by a third party is secondary to the services that the third party provides). Do such contracts contain the prescribed clauses? If not, action should be taken.
- Reporting data breaches – the GDPR imposes a mandatory requirement to report breaches of security in relation to personal data in certain circumstances. Depending on the severity of the data breach, an organisation may be required to notify the ICO, and also the individuals to whom the personal data relates, that a data breach has occurred.
Organisations should review their current data breach notification and data security policies. Staff should also receive training in relation to the protection of personal data and how to notify the relevant parties in the event of a data breach.
- Enhanced individuals’ rights – under the GDPR, individuals are afforded enhanced rights in relation to the processing of their personal data. These include the right to be forgotten; a right to data portability; tighter controls with regard to consent (opt-out boxes should be a thing of the past); and the right to withdraw consent.
Organisations should check their current systems. Are they set up to help the organisation comply when an individual makes a request in the exercise of such rights? If not, this position should be rectified.