General Data Protection Regulation (GDPR) – what is it and what should you be doing to prepare? Part Two.
08 Mar 2017
Part 2 – Obligations on Data Controllers and Data Processors
This is the second in our series of articles summarising the upcoming changes to be introduced by the GDPR. As mentioned in our previous article, the GDPR imposes specific new obligations on data processors (i.e. persons who process data) and also further obligations on data controllers (i.e. persons who collect and control data).
Under the current regime, the burden is placed firmly on the controller to ensure that any party processing the data does so in accordance with data protection laws (normally by imposing contractual obligations). The GDPR does not remove this burden from controllers but, in addition, also places new obligations on processors which means they can be made directly liable for breach of the GDPR.
As mentioned previously, the GDPR increases penalties for non-compliance, which can mean fines of up to 4% of worldwide turnover in the previous financial year or €20 million (whichever is higher). Such penalties apply to processors and controllers equally.
Obligations which now apply both to Controllers and Processors:
1. Keeping a record – records of all processing operations need to be maintained by the following businesses:
a) those with more than 250 employees; or
b) those who process personal data which:
(i) could result in a risk to the rights and freedoms of individuals;
(ii) includes sensitive personal data (which includes data relating to race or ethnic origin, political opinion, religious beliefs, medical conditions etc.);
(iii) includes information relating to criminal convictions or offences.
Even if your business does not fit within these criteria, the GDPR also introduces a general principle of accountability, and keeping a record is a good way of demonstrating your compliance with this.
2. Undertaking Data Protection Impact Assessments – this applies to businesses using new technologies and whose processing is likely to result in a high risk to the rights and freedoms of the data subject.
Again, even if you are not strictly required by the Regulation to undertake such assessments, you should consider carrying out such assessments in any case to demonstrate compliance with the principle of accountability and demonstrate that data is only being processed in so far as is necessary.
3. Appointment of a Data Protection Officer (DPO) – the following organisations are required to appoint a DPO:
a) public authorities;
b) organisations regularly and systematically monitoring individuals; and
c) organisations processing sensitive personal data and/or data relating to criminal convictions and offences on a large scale.
Even if you are not required by the GDPR to appoint a DPO, you should consider whether you have sufficient staff and skills to satisfy your various obligations under the GDPR and, if not, arrange for such shortages to be addressed.
4. Implementing appropriate technical and organisational measures – organisations must ensure appropriate levels of security are in place in accordance with the riskiness of the data being collected and/or processed. This is an ongoing responsibility: the measures in place should be reviewed where there is a change to the business being carried out, a change to the data being collected, or for some other reason.
Generally, the GDPR seeks to encourage businesses to incorporate data protection and security into the core of how their organisation works – rather than adding measures on as an afterthought.
5. Notification of breach – a data breach will now need to be notified to the ICO within 72 hours of its occurrence, even if it occurs on a weekend or other non-business day. In cases where the breach affects the relevant individual’s privacy or freedom, the individual affected should also be notified directly. Processors will need to promptly notify the controller (but will not be directly subject to this obligation), and controllers should therefore ensure this obligation is built into any agreement with the processor.
This means you will need to have systems in place – whether by technology, staff training or a combination of the two – to identify where breaches have occurred and the extent of each breach, and to promptly notify the relevant authority (and the individual, if required).
6. Implementation of data protection measures by “design” and “default” – this means that technologies, filing systems, business models and procedures etc. should be designed to ensure that the collection and processing of personal data is no more than is necessary to achieve the purpose for which the data was collected. You should also ensure that access to personal data is only given to those persons who require it for carrying out the purpose for which the data was collected.
Essentially, you need to be clear at the outset what the data is being collected for and keep this in mind when processing is taking place. Therefore, the use of data for marketing purposes (when it was originally collected for another reason) is likely to be increasingly difficult and businesses should be conscious of this, particularly bearing in mind the new enhanced penalties.
In our next article, we will consider the grounds that can be relied upon to establish lawful data processing and the steps you may wish to take to ensure your processing is lawful, following implementation of the GDPR.
For further information relating to the GDPR and data protection, please contact a member of our team on 0161 832 3434.