GDPR: Key things you need to know and act on now

The General Data Protection Regulation (Regulation 2016/679)

If you haven’t already done so, it’s time to sit up and take note of the new General Data Protection Regulations, or GDPR for short. The GDPR will take effect on 25 May 2018 and will be applicable in all Member States. It consists of an extensive overhaul of data protection law and will ultimately produce a single set of data protection rules for the entire EU.  

All organisations which process data (we can’t think of any that don’t) will need to take action to ensure compliance with the new regulations if they are to avoid the potential for a hefty fine.

In this article we provide some insight into the GDPR and detail some recommended first steps that you should take.

Background

The aim of the European Commission in creating and codifying the GDPR was to facilitate the free movement of data within a framework that upholds and respects the rights and privacy of data subjects. The GDPR is a major step towards a ‘digital single market’.

Jan Phillip Albrecht MEP has stated:

“This is perhaps one of the most significant milestones achieved in data protection in our lifetime and the democratisation of the world’s biggest single digital market is now complete.”

Notably, the UK government has indicated that “Brexit” will not impact the commencement or continued operation of the new regulation in the UK, so it would be unwise to do nothing in the hope this might go away.

The rights of data subjects range from:

• the right to access data
• the right to amend incorrect data
• the right to require information about data being processed about themselves
• the right to object to their personal data being used for marketing purposes

The wide-ranging rights imposed upon data subjects will subsequently have a ripple effect on employers who will be required to put in place procedures to allow them to exercise such rights.

The obligations found within the GDPR are somewhat onerous, it seems that the general consensus is to ensure that preparations are made well in advance of May 2018. If you do not already have a data controller, one should be appointed and work started on a GDPR implementation plan.

Didn’t we have the Data Protection Act anyway?

Whilst the Data Protection Act 1998 has been invaluable in its role of enhancing the legal framework for data protection in the UK, it had become somewhat outdated in the backdrop of widespread technological advances. The DPA 1998 is simply no longer adequate in protecting an individual’s personal data in the new cyber age, and therefore reform has now arrived in the form of the GDPR. The change in emphasis should not be underestimated and for many and, in particular, large, data rich organisations, getting this right is going to be a mammoth task.

Key areas of change within the GDPR pertinent to employers:

Consent

Under the GDPR, consent for employers to use and store personal data must be freely given, unambiguous, specific and informed. Employers are now expected to keep a secure record of how and when the consent was granted, what exactly the consent was granted for and for how long this consent is valid. In practice, the GDPR will require employers to be able to produce a clear audit trail of consent.  Gone are the days where consent could be assumed by a simple “pre-ticked” box included as a part of a contract or application. Consent must now be positively given by the data-subject. An opt-in rather than an opt-out process now prevails.

Moreover the 2018 Regulation also stipulates that in considering whether the consent has been freely given, consideration shall be given as to whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract. If this is proven to be the case, the validity of such a consent will be questioned.

Thus, employers may need to amend contracts and/or applications to adhere to the new consent rules.

Another significant point for employers to take into account is that data subjects will have the right to withdraw their consent at any time, and this withdrawal must be as easy to do as the giving of consent.

Right of Erasure

The GDPR also incorporates the “right of erasure” or the “right to be forgotten” into EU law. This right was established in the seminal Google Spain v AEPD and Mario Costeja González 2014 CJEU judgment. It allows individuals to require the data controller to erase their personal data without undue delay in certain circumstances, e.g. where they withdraw their consent and no other legal grounds for processing apply.  Employers (i.e. data controllers) will need to know at all times exactly what data is held and where it is stored so that it may be permanently erased if a request is made by a data subject.

Accountability Programme

The 2018 Regulation enforces a broad accountability programme on data controllers. Their duties include:

• the maintenance of certain documentation;
• conducting data protection impact assessments for more risky processing;
• and implementing data protection by design and by default, for example data minimisation.

The framework to exercise such obligations must be in place before May 2018.

Data Protection Officers

The GDPR requires data controllers and processors to designate Data Protection Officers (DPOs) in certain circumstances as part of its wider accountability programme.  Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

An employer who collects, retains or uses personal data will be required to assign a DPO if either:

• the processing is carried out by a public authority;
• the core activities of the controller or processor consist of processing which, by its very nature, scope or purpose requires consistent and systematic monitoring of data subjects on a large scale;
• Or, the core activities consist of processing on a large scale of special categories of data.