Data protection exists for lawfulness, fairness and transparency in how personal data is collected, reviewed, stored and used. Everyone everywhere is at risk of their personal data being misused, and every organisation and entity that controls and processes that data can be held responsible for its misuse. Are you at risk of non-compliance?
Data Protection is not new - it has been around for decades in various guises be it in national legislature or global trade frameworks. Most companies and organisations have paid little heed to this historically unless they operate in highly regulated industries that see compliance as part of the necessity of doing business.
The first traces of data protection law in Europe date back to 1948 when the General Assembly of the United Nations created the Universal Declaration of Human Rights. In 1950, the Council of Europe invited individual states to sign the European Convention on Human Rights to protect human rights and fundamental freedoms. In 1973, Sweden created the Data Act – the first national modern privacy law.
In the 1990’s, the European Commission formally proposed the introduction of a data protection directive. This was formally adopted on the 24th October, 1995 and became law in 1998 - known as the Data Protection Act.
To reflect the further shift in the use of personal data, on the 25th January, 2012, the first proposal of the General Data Protection Regulation (GDPR) was published, before being formally adopted by the European Parliament in 2016.
On 25th May, 2018, the GDPR became legally enforceable. On the same day, the Data Protection Act, 2018 received Royal Assent to run alongside the GDPR.
Think you’re at risk of data protection non-compliance? The penalties for non-compliance with the EU's GDPR (General Data Protection Regulation) are high, with the Information Commissioners’ Office (ICO) able to levy significant fines of up to €20m (£17m) or 4% of turnover for serious breaches. This makes it well worth your time to understand your responsibilities as a controller or processor.
In this insider’s guide, we will cover what you need to know so you can act where needed.
1. Know your Act
There are a number of differences between the Data Protection Act, 1998 and the Data Protection Act, 2018, which came into force on the 25th May, 2018.
The Data Protection Act, 1998 was a Directive, while the DPA 2018 is Regulation. A Directive - while still applicable to all EU Member States – sets certain aims and requirements that each State must create or adapt their legislation to meet. A Regulation, however, is immediately applicable and enforceable by law in all Member States.
The DPA 2018 regulates the collection, storage and use of personal data by setting out specific legal obligations on both the controller and processor of personal data. These are new obligations, so if your existing data protection policy is based on the DPA 1998, it will be outdated and in need of immediate revision. Delaying this will create a period of non-compliance.
2. The guiding principles of the GDPR
Article 5 of the GDPR sets out seven guiding principles of data protection:
· Lawfulness, fairness and transparency
· Purpose limitation
· Data minimisation
· Storage limitation
· Integrity and confidentiality (security)
These principles should form the framework of your data protection policy.
Every organisation has a role:
The GDPR and DPA 2018 set out specific legal obligations on both the controller and processor of personal data. Knowing your role to its fullest extent is the key to creating an accurate and comprehensive data protection policy.
The controller determines the purpose and means of processing personal data. Where there are two or more controllers, they become joint controllers.
The processor processes personal data on behalf of the controller. Simply, this means they use the personal data on the controller’s instruction. It is the controllers’ responsibility to ensure the data processor has the necessary governance and data privacy framework in place to satisfy the demands of the GDPR.
3. The controller and processor
The responsibilities for controllers and processors are different, and they apply to both organisations operating within the EU and organisations outside the EU that offer goods or services to individuals in the EU.
According to Article 24, the responsibility of the controller is to take into account the nature, scope, context and purposes of processing and implementing technical and organisational measures to ensure that processing is performed lawfully. In other words, the responsibility of processing lies solely with the controller. Here’s what Article 24 says:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. 2Those measures shall be reviewed and updated where necessary.”
According to Article 28, the responsibility of the processor is much greater. There are ten sections to article 28, the most notable being 1: That the controller must only use processors who can provide sufficient guarantees to implement the technical and organisational measures mentioned above. This means organisations must seek assurance from their own suppliers that they meet the EU’s GDPR requirements.
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
The processor’s full obligations are expansive. Click on the thumbnail below to see these as a graphic, which you can also download for reference.
Image to insert as thumbnail: https://40uu5c99f3a2ja7s7miveqgqu-wpengine.netdna-ssl.com/wp-content/uploads/2018/05/Obligations-of-the-data-processor-summarized-source-and-more-information-LawInfographic-Jessica-Lam.gif
4. Individuals have rights
The GDPR sets out specific rights for individuals, which in turn, influence how data controllers and processors must act in the event an individual wishes to exercise any of their rights. The following individual rights apply:
· The right to be informed
· The right of access
· The right to rectification
· The right to erasure
· The right to restrict processing
· The right to data portability
· The right to object
· Rights in relation to automated decision making and profiling.
It is your duty to comply with these rights on request. You must take full responsibility for managing requests at the highest management level and evidence how you intend to meet your obligations and protect people’s rights.
5. Organisations will need to identify their legal basis to continue processing data.
There are six legal basis of processing data and the organisation will need to identify the most appropriate one for each processing activity.
· Consent – when you rely on permission from the individual to process their data, such as for marketing purposes. The specifics of obtaining consent are detailed under Article 7 of the GDPR.
· Contract – the processing is necessary as you have a contract with the individual.
· Legal obligation – the processing is necessary for you to comply with the law – for example, reporting payment information on an individual to HMRC.
· Vital interests – when the processing is necessary to protect someone’s life, such as a medical emergency.
· Public task – the processing is necessary for a task in the public interest.
· Legitimate interest – the processing is necessary in your legitimate interest, or in that of a third party. You should complete a Legitimate Interest Assessment in this instance and be prepared to use this if challenged by.
6. A DPO is now mandatory in certain processing situations
Under the GDPR, it is a legal requirement for an organisation to appoint a Data Protection Officer (DPO) if you are involved in certain processing activities.
· You are a public body (except for the Courts acting in their judicial capacity). This is covered under Section 7 of the DPA 2018.
· Your core activities require large scale, regular and systematic monitoring of individuals.
· Your core activities consist of large scale processing of special categories of data, or data relating to criminal convictions and offences – as set out by the ICO.
The DPO can be an existing employee, or an external appointment – such as an outsourced DPO which many specialist consultancies offer. If appointed internally, however the individual should, be carefully selected as the role must not cause a conflict of interests with their day-to-day role. For example, it would not be appropriate for the Head of IT, or Operations Manager to assume this role.
The DPO is not personally liable for your organisation’s compliance – they offer guidance and direction in helping you to fulfil your obligations and demonstrate accountability - in other words, that you are complying with the other principles. Finally the role of the DPO is to ensure the rights and freedoms of the data subjects are considered over and above the commercial interests of the business.
If you are unsure as to whether you should appoint a DPO, you are advised to seek specialist guidance.