New Data Protection Regime Part 2
Governance, Accountability and Administration
The GDPR aims to put data governance at the heart of all data controlling and processing organisations, introducing new record-keeping, monitoring, reporting and management responsibilities. The Regulation introduces a wide-ranging obligation on data controllers and processors to keep extensive internal records of their data processing and data protection activities. Rigorous data protection impact assessments will also become mandatory before higher-risk data processing. Where data breaches do occur, controllers will be required to inform national data protection authorities as soon as practicable – ideally within 72 hours; it may also be necessary to inform the individual data subjects affected.
The GDPR introduces a new obligation on data controllers – to develop ‘transparent and easily accessible’ policies on data protection. Such policies must explain to data subjects how and why their data will be collected, processed and retained, as well as what their rights are and how they may be exercised. This must be provided in an accessible form, using clear and understandable language.
Data controllers and processors whose activities include large-scale monitoring of data subjects, or large-scale processing of sensitive data, must appoint a Data Protection Officer (DPO). The DPO can be either an employee or a contractor, but must have appropriate knowledge and skill to undertake the work required, and must have a measure of independence. The DPO will be responsible for advising the controller/processor, monitoring compliance and managing relationships with the appropriate data protection authorities. If such an organisation does not have a presence in the EU, it will be required to appoint a named EU representative.
The GDPR introduces two key concepts which all businesses should be aware of: ‘privacy by default’ and ‘privacy by design’. Privacy by design means that privacy risk cannot be an afterthought: it must be accounted for throughout product/service design lifecycles. This requires thorough assessment of risks and implementation of appropriate safeguards (organisational and technical) to ensure compliance with the GDPR. Privacy by default is effectively data minimisation, requiring organisations to ensure that the amount of personal data collected, processed and retained for any given product/service is proportionate and minimal, by default.
There is some good news for those organisations that operate in – and report to data protection authorities in – multiple EU Member States. The GDPR also introduces a ‘one stop shop’, which makes the national data protection authority in a data controller or processor’s home Member State responsible for decisions relating to the controller/processor’s EU-wide activities. This ought to reduce the compliance burden for organisations operating across the EU.
Perhaps the most impactful provision of the GDPR is a refined definition and scope of data subjects’ consent to data processing. This is part of a wider, radical rebalancing of power between data controllers/processors and individual data subjects. The GDPR requires that consent be active, unambiguous, informed and freely given. This contrasts with the current regime, which allows a controller to possess and process data for any legitimate and lawful reason with the consent – express or implied – of the data subject. The nature of the processing must now be explained, or consent will not be informed and will therefore be invalid.
The GDPR requires consent to be given “by a statement or clear affirmative action”. This means that implied consent – such as a data subject continuing to use a website – will no longer be sufficient. Similarly, pre-ticked checkboxes will no longer satisfy the active consent requirement. Where there is a ‘clear imbalance’ between the controller and the subject, such as between employers and employees, consent is presumed not to have been given freely.
Data subjects must have the opportunity to vary or withdraw their consent, and doing so must be as easy as initially consenting. Organisations which process data from a large number of data subjects may wish to explore opportunities to automate and expedite consent management, such as providing online data control panels for consumers.
The ‘freely given’ requirement has wider implications than might at first appear: for example, requiring consent from a user as a condition of providing a product or service, where the data is not necessary to provide that product or service, will now be illegal.
The GDPR introduces a number of new rights. Particularly important are the right to data portability, and the right to be forgotten, which finds a statutory footing for the first time.
The right to data portability enables data subjects to receive the data which a data controller holds about them, in a commonly used and machine-readable format. Where it is reasonable, data must be transmitted directly from one controller to another. Businesses which may face customers moving to competitors may wish to review ways to achieve compliance with this new right, which may require technical implementation with a long lead-time.
The right to be forgotten builds upon the right established in the Google Spain case. It gives data subjects a new right to raise objections directly with data controllers, and to force erasure of, and prevent further disclosure of, data files. This is available in specified circumstances, which range from the data no longer being necessary for the purposes for which it was collected, to the data being processed unlawfully, to consent being withdrawn. Just as at present, there are grounds on which a controller may object to a request for erasure.
The GDPR also affirms the right to remedies, and compensation, for a data controller/processor’s breach of the Regulation. This is not entirely different from the current rules. One issue worth noting is the introduction of a right to compensation for immaterial breach. At present, data subjects in most EU countries (arguably) have a right to compensation only when the breach is associated with pecuniary damage; the GDPR explicitly removes this requirement. The opportunity for group actions (‘class action lawsuits’) increases.
Healthcare, eHealth and Research
In the early stages of discussion about the GDPR, there was real concern about the impact on healthcare, including research and health technology. The Regulation, as enacted, affords some measure of flexibility to data controllers using data for medical research – including allowing broader consent at the time of data collection than might be allowed elsewhere. However, this flexibility is subject to a test of ‘objective public interest’, and it remains unclear how this will affect private sector researchers. Member States will also be free to impose ‘further conditions’ for the processing of genetic, biometric and health data, which means the regulatory landscape will continue to evolve in the coming months and years.
For a detailed discussion of the impact on healthcare and related research, see: http://www.scl.org/site.aspx?i=ed46972.
Preparations for compliance with the GDPR will be time-consuming, particularly for organisations which rely heavily on the use of personal data. Many organisations, such as online retailers and data processors, will be facing a heavy, direct data protection regulatory burden for the first time.
A data audit is a great place to begin. A structured review of your organisation’s data functions should look at how personal data is collected, processed and retained, what it is used for, and how and where it is stored. This will enable you to better understand the nature and scope of any compliance required; remember that solutions are likely to be both technical and organisational. Review whether your business requires a representative in the EU, a Data Protection Officer, or both.