The GDPR and the Data Protection Act 2018 – Robin Hopkins (PowerPoint presentation)



1. The new data protection regime: The GDPR and the Data Protection Act 2018 – Robin Hopkins, 4 October 2017

2. GDPR: an introduction
  • The problem:
    • Processing of personal data ramps up with technology
    • 1990s legislation (Directive 95/46/EC and the DPA 1998) creaking under 21st-century strains
  • The solution:
    • The General Data Protection Regulation: draft text leaked in December 2011
    • Agreed text published 2015
    • GDPR 2016/679 passed by EU Parliament May 2016
    • Adoption date: 25 May 2018

3. Is it a big deal?
  • Not a clean slate – broad architecture stays in place:
    • Data controllers must comply with prescribed principles in respect of all processing of personal data
    • Individuals have rights of subject access, erasure, rectification, compensation, etc.
  • But there are major new challenges:
    • Headline grabbers: consent & transparency more onerous; data breach notifications and potential penalties more painful; data controller accountability sharpened
    • Also some important practical changes for local authorities – see later

4. How will GDPR be implemented?
  • Directly effective:
    • Regulation rather than directive; aims at harmonisation
    • But quite a lot is left to member states, e.g. exemptions
    • So implementing legislation of some sort is needed
  • What will happen in the UK?
    • Data Protection Bill put before Parliament 14 Sept 2017
    • This will evolve into the Data Protection Act 2018
    • Implements and extends the GDPR, and fills in the gaps
    • So from 2018 onwards, our DP landscape will comprise both the GDPR and the DPA 2018

5. GDPR: the fundamentals
  • The building blocks are familiar:
    • ‘Personal data’, ‘special categories’ (i.e. sensitive personal data), ‘data controller’, ‘processing’ largely intact
  • ‘Data protection principles’ – Article 5 GDPR:
    • Lawfulness, fairness & transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity & confidentiality
    • Accountability: must be able to demonstrate compliance

6. What becomes of Schedule 2 DPA?
  • Article 6 GDPR for ‘ordinary’ personal data:
    • Consent for specific purposes of processing
    • Performance of a contract with the data subject
    • Compliance with a legal obligation
    • Protection of vital interests
    • Necessary for performance of public interest tasks
    • Legitimate interests (like the old condition 6(1) from Schedule 2 DPA)
  • Note the latter cannot be relied upon by public authorities “in the performance of their tasks”
    • What is a public authority? As per FOIA (cl. 6 DP Bill)
    • What are public tasks? Look to statute (cl. 7 DP Bill)

7. And Schedule 3 DPA?
  • Article 9 GDPR for ‘special category’ personal data:
    • Explicit consent
    • Employment, social security
    • Vital interests; medical purposes
    • Political/religious/philosophical organisations & trade unions
    • “Manifestly made public” by data subject
    • Legal claims
    • Substantial public interest – to be particularised
    • Public health; archiving, science, statistics, research
  • Those are implemented in Schedule 1 of the DP Bill
  • Likewise for criminal conviction data

8. Consent: how has it changed?
  • Article 4(11) GDPR:
    • any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data
  • ICO has issued draft consent guidance (March 2017):
    • Don’t use pre-ticked boxes/opt-outs/consent by default
    • Be ‘specific & granular’ but also ‘clear & concise’
    • Explicit consent not much different
    • If you can’t offer genuine choice, don’t rely on consent
    • Consent may be difficult for employers & public authorities

9. Other duties on data controllers (1)?
  • DP by design & default: measures to ensure DPP-compliance (e.g. pseudonymisation) & only processing to extent necessary (A25)
  • Joint data controllers: have clear & transparent arrangements for designating duties (A26)
  • Selecting & using data processors: use reliable processors, have detailed contracts, control sub-processing (A28-29)
  • Keep records of processing (A30)
  • DP Impact Assessments & ICO consultation: where high risks to individual rights (A35-36)

10. Other duties on controllers (2)?
  • DP Officers (A35):
    • Duties (A39) & rights (A38) defined
  • Mandatory breach reporting (A33):
    • Must report a breach to ICO “unless the personal data breach is unlikely to result in a risk to rights/freedoms”
    • Do it within 72 hours, or justify the delay
    • If breach “likely to result in a high risk to the rights and freedoms of natural persons”, notify data subjects “without undue delay”
    • Unless: encrypted/unintelligible; initial high risk contained; disproportionate effort

11. Data processors have DP duties too
  • Keep written records (A30)
  • Co-operate with supervisory authority (A31)
  • Security duties & processing only in accordance with the instructions of the data controller (A32)
  • Notify data breach to data controller (A33)
  • May be required to appoint DPO (A37)

12. GDPR and data subjects’ rights (1)
  • Transparency will be hugely important under GDPR:
    • Overarching duty in A12
    • Subject access rights much wider (A15)
    • But see A12(5) exemption/ability to charge where requests unfounded, excessive, repetitive
    • Very NB ICO’s Code of Practice Privacy Notices, Transparency & Control (October 2016)
  • Rectification of inaccurate & incomplete data: including by adding supplementary statements (A16)
  • Right to be forgotten (A17)

13. GDPR and data subjects’ rights (2)
  • Right to restrict & object to processing & profiling:
    • Restrict e.g. where accuracy dispute & objection pending (A18)
    • Object unless data controller can justify (A21)
  • Right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or other significant effects on him/her (A22)
  • Data portability (A20):
    • Provide to data subject or transmit to another data controller

14. Exceptions/restrictions: A23 GDPR
  • National security, defence, public security
  • Crime
  • National economic concerns
  • Protection of judicial independence and judicial proceedings
  • Prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
  • Related monitoring, inspection or regulatory functions
  • Protection of the data subject or the rights and freedoms of others
  • Enforcement of civil law claims

15. Exceptions: Schedules 2-4 DP Bill
  • Largely familiar territory:
    • Crime and taxation
    • Immigration
    • Legal proceedings
    • Regulatory or investigatory functions
    • Legal professional privilege
    • Management forecasts; negotiations
    • Confidential references
    • Health, education, social work (largely as per existing statutory instruments)
    • Child abuse data
    • Statutory disclosure obligations

16. Novel practical points
  • You will need an ‘appropriate policy document’ if you process special category or criminal conviction data:
    • Schedule 1, Part 4: document must explain how you comply with Article 5 GDPR + your retention/erasure practices + your Article 6 processing condition
  • Subject access requests and ‘mixed personal data’:
    • Currently an assessment of reasonableness under ss. 7(4)-(6) of the DPA 1998
    • This is retained, but note presumption of reasonableness for health, social work and educational workers (Schedule 2, Pt 3)

17. What happens if things go wrong?
  • Stringent enforcement provisions (Ch VIII):
    • Effective judicial remedy, including compensation from controller/processor (A79 & 82)
    • Regulatory fines: up to £18m (A83; DP Bill cl. 150)
  • Increasing trend towards large-scale private compensation claims:
    • See Morrisons case (going to trial October 2017)
    • An increasingly savvy market for claimant work
    • Entrepreneurial innovations, e.g. claim-bots
