GDPR: The Overview
25 May 2017
The General Data Protection Regulation (GDPR) was ratified in mid 2016 and immediately became law. Member states now have a 2 year implementation period and enforcement will commence by mid 2018 at the latest.
This article is the first in a series of articles which will summarise the key components of the GDPR and offer practical advice and support to organisations as they try to get ready for 2018.
This first article will give you an overview of the new regime by summarising some key components of the GDPR.
Harmonisation across and beyond the EU
There will be one single set of rules across Europe which will make it simpler and cheaper for organisations to do business across the EU. In practical terms that means we’ll all be applying the same rules in determining what personal data is, who the data processors are, who the data controllers are, and so on. It also means there’ll be a uniform approach across the EU to fines and enforcement.
Data Protection Officers
If your organisation is a public authority, or its core activities involve “regular and systematic monitoring of data subjects on a large scale”, or it conducts large-scale processing of “special categories of personal data”, then it needs to appoint a Data Protection Officer who has “expert knowledge of data protection law and practices”, the level of which “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed.”
Organisations will have to think harder about privacy and apply a “Risk Based Approach” so that privacy impact assessments are made when appropriate. There is also an increased emphasis on record keeping for controllers, this all being designed to help demonstrate and meet compliance with the GDPR and improve the capabilities of organisations to manage privacy and data effectively.
Information Provided at Data Collection
The information that must be made available to an individual when their personal data is collected has become more extensive, particularly when the data has not been obtained directly from the individual, but instead, for example, from a third party list. This is likely to cause difficulty for marketers who typically use multiple sources of third party data.
The GDPR defines profiling as any automated processing of personal data to determine certain criteria about a person. “In particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
This seems to suggest that explicit consent will now be required before subjecting an individual to any advertising or marketing techniques which rely on any degree of personalisation or profiling of behaviour or buying patterns.
Legitimate Interests & Direct Marketing
Legitimate interest is one of the grounds, like consent, that an organisation can use in order to process data and satisfy the principle that data has been fairly and lawfully processed. The GDPR specifically recognises that the processing of data for “direct marketing purposes” can be considered as a legitimate interest.
The GDPR actually says that processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Unfortunately, “Direct Marketing” has not been defined by GDPR and requires clarification.
Breach & Notification
GDPR provides that a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. That means that a wilful destruction or alteration of data is as much a breach as theft.
In the event of a personal data breach data controllers must now notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” It’s not yet clear what this means in practical terms but if the controller determines that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must, subject to a few exceptions, also communicate information regarding the personal data breach to the affected data subjects “without undue delay.”
Data Subject Access Requests
Individuals will have more information on how their data is processed and this information needs to be made available in a clear and understandable way. Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access. Subject access requests must be processed “without undue delay and at the latest within one month of receipt of the request.”
The Right to Data Portability
Clearly focussed on helping drive competition between service providers, this part of the GDPR seeks to drive automated transfers of data (using a common format yet to be defined) between services which primarily process customers automatically – so for example these could include utilities, banks, telecoms and ISP’s.
Retention & The Right to be Forgotten
Data controllers must inform data subjects of the period for which their data will be retained. Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased. The controller also has a responsibility to take “reasonable steps” to notify its processors of such requests.
For more information on any of the matters detailed above or for general advice on or assistance with the new GDPR, please contact Dawn McKnight [email protected]. Dawn is a Partner at Carson McDowell and is head of the firm’s Commercial Practice.