The General Data Protection Regulation (GDPR) aims to modernise data protection, but many businesses may be concerned over the amount of work that appears to be required in order to be GDPR-compliant.
Our dedicated team is available to steer you through the process. We will be doing so in three ways:
- Updates: We send out regular mailers to track the progress of the GDPR, identify new laws and to highlight some of the key areas businesses should be looking at.
- Training: Seminars in both Guernsey and Jersey provide information and training on the key GDPR changes. Round table discussions identify gaps or areas where common problems may arise and where work is likely to be needed as a result of the GDPR. We can also provide tailored in-house training specific to the aspects of the GDPR that are most relevant to your business.
- Advice: Ultimately, the impact of the GDPR is likely to vary greatly from business to business, depending on the nature of your work and the jurisdictions you operate in. Our team is available to provide tailored advice to assist your business in ensuring your policies, procedures and third party contracts meet the requirements of the GDPR.
If you would like to sign up to our GDPR mailing list to receive regular updates, please complete our online subscription form and select the Data Protection topic.
Bookmark this page and read our updates for further news, or contact one of our GDPR specialists who would be delighted to meet over a coffee to talk through your business needs and provide guidance and advice.
GDPR: the story continues...
Possible Suspension of Privacy Shield
The EU-US Privacy Shield (the Privacy Shield) may be suspended by September, and affected clients are encouraged to keep a watching brief over developments.
The Civil Liberties Committee of the European Parliament (the Committee) has passed a resolution calling on the European Commission (the Commission) to suspend the Privacy Shield, which is a certification system allowing US companies to send and receive personal data to and from organisations in Member States. A suspension would have direct relevance to clients in the Channel Islands, as transfers of personal data to and from the US under the respective local laws depend on this certification.
The resolution follows after details emerged that Facebook and Cambridge Analytica had been certified under the Privacy Shield. The Committee resolved that:
"In view of the recent revelations of misuse of personal data by companies certified under the Privacy Shield such as Facebook and Cambridge Analytica, [the Committee] calls on the US authorities competent to enforce the Privacy Shield to act upon such revelations without delay."
A draft motion is due to be voted on in July, and if passed could see the Privacy Shield suspended as of 1 September, if appropriate measures are not put in place to address adequacy concerns.
Guide to GDPR
Read our series of practical guides to getting ready for the GDPR. We will regularly publish new issues that will help you systematically prepare.
Issue 1. Are you compliant with the current law?
The first step to becoming GDPR compliant is to ensure that your business meets the requirements set out in current law. Our team can advise you on all your current data protection obligations and help you to review whether or not you meet these. You should consider three critical actions at this stage:
1. Conduct a data protection audit and map out where there are gaps:
- review all your data protection policies and ensure that you are complying with them; and
- prepare a spreadsheet of all the personal data you hold, noting all the relevant information to identify any gaps in your data-processing activities.
2. Set out a clear action plan detailing how you will bridge those gaps: identify the key people and stakeholders (both internal and external) needed to help you achieve compliance.
3. Put a timetable together so that you can monitor your actions and progress.
Issue 2. Consent
Consent remains one of the legal bases that may be relied on to process the personal data of data subjects. There are, however, some key changes to be aware of under the GDPR.
The GDPR confirms the need for "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing".
This means that organisations will not be able to rely on silence or pre-ticked boxes to constitute consent, and will bear the burden of proving that consent has been validly obtained. Appropriate records to provide evidence of such consent will also be absolutely essential.
The GDPR confirms that consent will not be the appropriate legal basis where there is inequality between data subject and controller or where the individual has no real free choice in giving consent. In addition, as it will be easier for data subjects to withdraw their consent, where organisations currently rely on such consent to process the personal data, they will be well advised to consider whether there is a more appropriate legal basis in the circumstances.
- Consider whether or not the consent you have in place complies with the GDPR. If not, you will need to seek consent again/rely on a different legal basis.
- Review how consent is sought and recorded and ensure that you have records of consent and that they are easily accessible.
- Ensure that your consent clauses within documents, such as employment contracts, are reviewed.
- Consider whether you process the personal data of children, and if so you will need to obtain parental consent to continue to do so.
Issue 3. Data Subject Access Requests (DSARs)
Under the GDPR, data subjects will have extended rights in respect of the personal data you hold about them and, in the main, subject access requests will have to be complied with within one month of the request, subject to a two-month extension where, for example, the request is particularly complex.
In these situations, it will be up to the controller to inform the data subjects of any such extension and the reasons for it within one month of the request.
Such requests will also have to be complied with free of charge unless they are manifestly unfounded, excessive or repetitive in which case you may charge a reasonable fee or refuse to act on the request altogether.
Remember that the burden of proving that the requests are manifestly unfounded, excessive or repetitive will rest on you. The curtailment of the right to charge a fee will not make a huge difference in practice (the current fee of £10 rarely covers the actual costs involved in complying with such requests). However, as the current time limit for responding to subject access requests is 40 days in Jersey and 60 days in Guernsey, the reduced time period for compliance may well be harder to adapt to.
- Ensure that you have processes in place to deal with subject access requests.
- Delegate responsibility for dealing with such requests.
- Draft appropriate policies and provide appropriate training so that staff know what to do in the case of such requests.
- Consider conducting a cost/benefit analysis for providing data subjects with online access to their information.
Issue 4. Data Breaches
While it is currently regarded as best practice to report personal data breaches to the Data Protection/Information Commissioner (the Commissioner), there is no legal requirement to do so under Guernsey/Jersey law. This is, however, all set to change, with the introduction of the GDPR.
The definition of a personal data breach is wide and will include the accidental or unlawful destruction, alteration and loss of personal data.
Organisations will be required to notify the Commissioner of a personal data breach without undue delay and in any case within 72 hours of having become aware of a breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. The relevant individuals may also need to be informed of the breach but only where the potential risk to their rights and freedoms is high.
To enable the Commissioner to check that organisations are complying with their notification duties, personal data breaches will need to be documented, noting down the facts of the incident, its effects and any remedial action taken.
1. Ensure that you have processes in place to deal with personal data breaches.
2. Delegate responsibility for dealing with personal data breaches.
3. Provide staff with training so that they understand how to detect personal data breaches, who to report them to and when to do it (ASAP!).
4. Ensure that you keep appropriate records of any data breaches.
Issue 5. Fines etc.
One of the most controversial aspects of the GDPR for the Channel Islands, if not the most controversial, is the introduction of fines for infringements. The Commissioner does not currently have the power to issue fines. However, the GDPR introduces a two-tiered system of fines with a maximum penalty of the higher of €20 million or 4% of the total worldwide annual turnover for the most serious breaches.
In addition, individuals who suffer damage as a result of processing in breach of the GDPR may be entitled to compensation. Whilst compensation is a potential recourse under the current legislation, this may be sought only from the data controller. The GDPR makes clear that both the data controller and data processor will be held liable for the entire damage caused and are only exempt from liability if they can show that they are not in any way responsible for the damage. Further, should judicial proceedings be initiated, the GDPR clarifies that compensation may be apportioned in accordance with local law.
Member States must also lay down other "effective, proportionate and dissuasive" penalties for infringements not caught by the administrative fines detailed above and we expect that Guernsey and Jersey will follow suit.
1. Undertake an audit to assess where the biggest data protection risks lie and take steps to protect the relevant data and mitigate those risks.
2. Ensure that you have policies and training in place to avoid breaches as far as possible.
3. Ensure that you have appropriate contracts with data processors to ensure compliance with the GDPR.
Issue 6. Data Protection Officers (DPOs)
Unlike our current data protection law, the GDPR explicitly requires both controllers and processors to appoint a DPO in three cases:
(a) Where the processing is carried out by a public authority;
(b) Where there is large scale, regular and systematic monitoring of data subjects; and
(c) Where there is large scale processing of special categories of personal data or data relating to criminal convictions.
Member States may provide further cases in which a DPO is required and Guernsey/Jersey may do the same.
DPOs may be current members of staff and groups of companies may appoint a single DPO as long as he/she is easily accessible from each establishment.
The DPO must also have expert knowledge of data protection law and be able to fulfil the tasks required of him/her, including monitoring compliance with the GDPR and cooperating with the relevant supervisory authority.
DPOs shall be independent in the performance of their tasks and must report to the highest management level. They must also not be dismissed or penalised for performing their roles.
1. Consider whether a DPO is necessary for your organisation or whether you simply need a GDPR point of contact.
2. Consider whether you have current employees who have the skills or can be trained to take on the DPO role.
3. Ensure that you set up appropriate reporting lines.
Issue 7. Data Processors
The GDPR defines a "processor" as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, and the "controller" as the person, authority, agency, etc. which determines the purposes and means of processing such data. Unlike our current law, the GDPR will apply to both processors and controllers, meaning that processors may be liable for breaches of the GDPR. To ensure compliance with the GDPR, controllers will only be able to use processors which provide sufficient guarantees to comply with the GDPR.
Controllers will still be required to appoint processors on the basis of a contract, however, there are significant new provisions which will need to be included. The contract will need to, among other things, state that the processor shall only process personal data on the documented instructions of the controller; include appropriate confidentiality provisions; state that the processor shall delete or return all the personal data to the controller at the end of the provision of services (as decided by the controller); and make available to the controller all necessary information to demonstrate compliance with the GDPR.
Where a processor becomes aware of a personal data breach, they will also need to notify the controller without undue delay (and remember from issue 4 that controllers only have 72 hours to notify the Commissioner from when they become aware of a breach). Adequate procedures will thus be essential to ensure they are able to do this.
1. Update contracts between processors and controllers to ensure that they contain the new requirements of the GDPR;
2. Ensure that processors are able to comply with the requirements of the GDPR;
3. Ensure there are adequate procedures in place for processors to detect and inform controllers of data breaches as soon as possible.
Issue 8. Data protection by design and default
A key reform under GDPR is 'Data protection by design and default'. This is an expectation that proper protection of data is built into information-handling infrastructure from the outset and on an ongoing basis. For large organisations, protection of data ideally will be treated as a work-stream in managed projects, alongside (for example) Legal, Remuneration, Communications, etc. For the management of individual cases, or for smaller/less well-resourced organisations, it will mean remaining alive to data protection issues throughout an initiative.
An interesting element of this part of the Regulation is the requirement that by default, processing of data should only happen where 'necessary'. Other than consent (which must be able to be withdrawn without detriment) all of the lawful bases for processing data require that the processing be 'necessary' to be legitimate. Incidental or accidental and unnecessary 'hoarding' of data is therefore to be avoided.
This has two notable consequences:
- Alongside a requirement for clarity and care as to why and how data are processed, disposal of data no longer needed will be a key expectation.
- Consent is unlikely to be the 'cure-all' under GDPR that it has sometimes been seen as under existing data protection law.
1. Consider what projects or initiatives are in your organisation's pipeline. Is protection of data being built into any project plan? How will you demonstrate this if challenged?
2. Consider who is responsible for data control and processing. Confirm the steps that they are taking to ensure data protection by design/default. Are they putting this issue before the organisation's project leaders?
3. Consider how you will handle ongoing protection of data, including disposal. What governance mechanisms do you have in place? Will you institute (for example) an annual 'spring clean' of data no longer needed? Who is responsible for this and to whom are they accountable? How will you document this?
Issue 9. Privacy Notices
Possibly one of the most noticeable changes that organisations will see in their day-to-day handling of personal data is the new requirement to provide 'privacy notices'. Where the data controller obtains the personal data directly from the data subject, the data controller will need to provide the notice at the time the personal data is collected, which in most cases will be at the start of the relationship, be it an employment or commercial relationship. Where the personal data are not obtained from the data subject, special rules as to the timing of the provision of the specific information apply.
Privacy notices need to set out a range of information, including (but not limited to) the purposes and bases for the processing, details on transfers outside the jurisdiction, and certain details about the data protection officer (if any) and data controller as applicable. Other information to be provided includes the right to make complaints, the ability to withdraw consents provided, and information about how long the data is to be stored or the criteria to determine storage periods. The required content for the notices is likely to vary slightly across jurisdictions, so organisations will need to ensure that they consider all relevant legislation.
Given that the new legislation will commence in the context of existing employment and commercial relationships, an immediate question is what to do about existing employees, customers and suppliers, etc. There is potential to rely on transitional provisions in Jersey (valid to May 2019) where specified information was provided under the existing Data Protection Law. However, it would be prudent for controllers to check whether the specified information has been provided and, if not, ensure that existing data subjects are provided with a privacy notice to take effect on or around the implementation of GDPR.
1. Prepare a privacy notice that complies with the GDPR requirements, considering the purpose and basis for processing personal data in your organisation. Ensure the notice is tailored for particular groups of recipients as appropriate, depending on how the data is to be used.
2. Determine the method by which the privacy notice will be brought to the attention of relevant data subjects and consider how existing individuals should receive the notice on commencement of GDPR.
3. Check the respective requirements for privacy notices in your applicable jurisdiction(s) and tailor the notice accordingly.
Issue 10. Transfers Abroad Within Group Structures
An issue facing multinational businesses is to what extent GDPR affects transfers of personal data to jurisdictions outside the GDPR regime but within the group.
Under GDPR, it does not matter whether the 'transfer' is to an external party or within a group. If the data are being processed during or after the transfer to a third country, the transfer may only take place in most cases where the third country is deemed 'adequate' or 'designated' under the law, appropriate safeguards are provided or binding corporate rules apply.
What then is a 'transfer'? The GDPR is not entirely clear on this point; it doesn't define the term. Additionally, the definition of 'processing' is so broad that even an individual working abroad who, say, accessed their emails from a server located within the EU will have commenced 'processing' data the moment they opened and read their first email, because 'retrieval' and 'use' of personal data are included in the definition of 'processing'.
1. Consider what needs to be contained within the privacy notice. Privacy notices must specify whether jurisdictions to which data are transferred are 'adequate' or 'designated' by the EU Commission as providing sufficient data protection measures, and specify appropriate safeguards applying for transfers to non-adequate jurisdictions.
2. Review the results of your data audit. Is personal data unnecessarily flowing around the group? Can data flows reasonably be limited to Member States and adequate jurisdictions?
3. Consider the use of standard data protection clauses in contracts where transfers to third countries will occur. These template contractual clauses will be made available by the EU Commission and local data protection authorities. They have been a commonly-used tool under the existing data protection framework.
4. Seek approval from the local data protection authority for binding corporate rules. These are agreed rules within a corporate structure to ensure appropriate safeguards of information are in place, including specifying particular information such as data subject rights and complaints handling.
5. Ad-hoc transfers can be made on a range of bases, including consent, necessity to perform a contract, in the public interest, and to protect vital interests, among others.
Issue 11. Rights beyond subject access requests
This is the 11th in our series of practical guides that aim to help you to prepare for the introduction of the General Data Protection Regulation (GDPR). These short guides will help you prepare your business for the introduction of the GDPR before the 25 May 2018 deadline and beyond.
GDPR hasn't even come into effect yet, and already we're seeing a heightened interest in data subject rights. Consider, for example, the recent application by the UK Information Commissioner's Office for a warrant to search the files and premises of Facebook. We can expect to see greater interest in data generally over the coming months as we pass the 25 May commencement date.
It is worth then being properly aware of the suite of rights available to data subjects, beyond the subject access request. These include:
- To receive detailed information regarding the data held about them. This is typically achieved by supplying a 'privacy notice', whether written or in such other format (such as video) as may be appropriate.
- To be notified of a data security breach within 72 hours after the controller becomes aware of the breach. This 72-hour deadline means that the plan to handle breaches should be in place in advance in order to enable effective breach handling.
- To erase personal data, also known (perhaps wrongly) as the 'right to be forgotten'. This right may present logistical challenges for search engines in particular.
- To restrict data processing. This may present challenges for employers managing disgruntled employees, who may try to use this right to attempt to stymie legitimate management action.
- To receive a copy of their personal data or transfer their personal data to another data controller.
- To object to data processing.
- To correct personal data.
- To not be subject to automated decision-making.
- Ensure you meet the duty to inform, primarily by way of a privacy notice.
- Ensure a process is in place to address breaches and notify data subjects if necessary.
- Train relevant colleagues (such as HR and IT managers, for example) in the suite of rights which may be exercised.