Data protection rules in the UK are set to be overhauled on 25th May 2018 with the introduction of the General Data Protection Regulation (GDPR) which will be applicable across the EU.
The GDPR applies to processing carried out by organisations established within the EU; however, it also applies to organisations outside the EU in respect of activities related to:
- the offering of goods or services (free or paid) to individuals in the EU; or
- the monitoring of individuals’ behaviour, as far as that behaviour takes place in the EU.
Until the UK leaves the EU, it will be subject to the GDPR. Post-Brexit it is expected that the GDPR will be retained in UK law by the European Union (Withdrawal) Bill and Data Protection Bill (which is currently making its way through Parliament).
Therefore, from 25th May 2018, non-EU organisations that offer goods and services in the UK (or elsewhere in the EU), or monitor individuals’ behaviour in the UK (or elsewhere in the EU), will need to be GDPR-compliant in relation to those activities.
Are you caught?
The GDPR is vague on who might be caught by the above criteria (perhaps purposely so). Determinations on this will be made on a case-by-case basis.
For global businesses offering goods/services the position may be fairly clear cut that they are subject to GDPR obligations but for some the position will be less straightforward.
It seems unlikely that simply having a website or contact details which are accessible to those in the EU would, on its own, make an organisation subject to the GDPR. However, if an organisation markets its goods/services in languages used in the member states, quotes prices in EU member state currencies or mentions customers or users in the EU, this may be sufficient evidence to show that it is offering goods and services to those in the EU.
In relation to behaviour monitoring, this may include using cookies or other technology to track individuals on the internet, particularly where that tracking is used to profile them. This is most commonly done nowadays to identify individuals’ preferences so that tailored marketing communications can be sent.
So, what should you be doing now if you are caught by the GDPR?
Parallel systems?
If only part of your business is caught by the GDPR (e.g. you are a global business with a presence in the EU but operate elsewhere also) then you need to decide whether you would want to apply the GDPR provisions to your entire business or whether you are able to separate out activities in the EU and want to run two parallel systems. This is a commercial decision, as it may well be very difficult and expensive to separate the two parts of the business in this way.
Appoint a representative
Under the GDPR, data controllers and processors that are not established in the EU but are caught by the criteria above are required to appoint a representative in the EU (this appointment should be in writing). The representative must be established in one of the member states where the individuals whose data is processed are located, so it will need to be established in the UK if the activities of the business caught by the GDPR relate to individuals in the UK.
There are exceptions to this where processing:
- is occasional;
- does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences; and
- is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope and purposes of the processing.
It will also not apply where the controller is a public authority or body.
This representative can be a person or an organisation and will be the first point of contact for data subjects and the relevant supervisory authority; in the UK, that is the Information Commissioner’s Office (ICO). They can be addressed in addition to, or instead of, the data controller or processor. As such, they will need to be able to communicate with the relevant data subjects and have a good knowledge of data protection and the GDPR. Their name and contact details should be published in your privacy notice.
Appointing a representative does not absolve the data controller or processor of their obligations under the GDPR; they remain fully responsible for compliance.
Understand the GDPR
It’s vital that you take steps to ensure you understand the GDPR requirements.
There’s a lot of material out there now on the GDPR. We have several publications on our GDPR Page and are on hand if you have any questions. The ICO also publishes lots of useful information and guidance on its website.
Here’s a summary of some of the key points to be aware of under the GDPR:
- The definitions: Familiarise yourself with the key definitions under the GDPR, including data controller, data processor and personal data, so that you can understand what obligations apply to you and what type of data the legislation covers.
- The ‘special categories’: There are special categories of personal data which attract more protection and which you will need to be familiar with. These cover data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as genetic data, biometric data, health data and data concerning sex life or sexual orientation. Data on criminal convictions and offences, and children’s data, are not ‘special categories’ as such but also attract additional protection under the GDPR.
- The principles: The GDPR sets out core principles that must be adhered to in respect of personal data (such as the requirement for data to be processed fairly, lawfully and in a transparent manner) and it is the controller’s responsibility to show compliance with the principles.
- The lawful basis: You must have a lawful basis to process data – there are six of these under the GDPR. The most commonly deployed are likely to be ‘consent’ or ‘legitimate interest’ but there are strict requirements around consent which may make it difficult to use.
- The data subjects’ rights: Individuals have fundamental rights under the GDPR with key ones being the right to access their personal data and the right to be informed about personal data being processed (commonly referred to as the right to a privacy notice).
- The documentation requirements: You must keep a record of your processing activities, including the purposes of your processing, and you are required to be able to demonstrate compliance (i.e. comply and show that you have complied). It is therefore important to keep wider records, for example a copy of any consent given. Your contracts with those processing data on your behalf must also contain specific mandatory terms.
- The reporting obligations: There are strict reporting obligations under the GDPR in the event of a personal data breach. In general, a breach must be notified to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, they must also be informed.
- International data transfers: The GDPR has specific provisions around transferring personal data outside of the EU. If personal data about the data subjects will be transferred to a country outside of the EU, you will need to ensure that the transfer meets the GDPR requirements. This may include checking whether that country is the subject of an adequacy decision by the European Commission, putting standard contractual clauses in place with the recipient, or ensuring there are binding corporate rules in place between group companies.
Data Mapping
Once you understand the key requirements of the GDPR, you need to consider the type of data you hold so that you can ensure your organisation is compliant. You’ll need to carry out an internal audit to track the data you hold – commonly referred to as data mapping.
Under the GDPR you have a duty to keep a record of certain data and so, during your data mapping exercise, it’s sensible to create a record of the data in line with your obligations.
Risk analysis
Identify where you have gaps or risks in the organisation. For example, do your contracts with data processors contain all the clauses they are legally obliged to contain? Do you have adequate privacy notices? If not, identify these as risks and take steps to mitigate them, e.g. by revising your contract wording and notices.
Provide training
Once you have appropriate steps in place to deal with any risks and have brought your policies/procedures in line with the GDPR, you need to consider training for your staff. This is imperative to ensure that your staff understand their obligations and follow any procedures you have put in place, e.g. for recognising and reporting a personal data breach.
Conflict in legal requirements
Where you have local laws which conflict with the GDPR, you need to seek legal advice about your obligations.