General Data Protection Regulation

The GDPR is a comprehensive suite of regulations by which the European Parliament, the European Council, and the European Commission intend to strengthen, unify, and update current data protection regulations for individuals within the European Union. The primary objective of the GDPR is to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU.

The GDPR will apply to the United Kingdom from the 25th of May 2018, and the government has confirmed that the UK’s decision to leave the EU shall not affect the implementation of the GDPR. Furthermore, due to the extent of the changes introduced by the GDPR, organisations are strongly recommended to begin the process of complying with the regulations no later than 12 months prior to May 2018.

“You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.”

– Information Commissioner’s Office (March 2016)

Did You Know?

Prodial Ltd, a lead generation firm responsible for over 46 million automated nuisance calls, was fined £350,000 by the ICO in February 2016. It’s the regulator’s largest ever fine.

What is Personal Data?

Personal data is any data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It may include any expressions of opinion about the individual, their racial or ethnic origin, political opinions, religious beliefs, membership in trade unions, physical or mental health or condition, sexual life, commission or alleged commission of any offence, or any proceedings for any offence committed or alleged to have been committed.

“As personal data may only be processed if adequate, relevant, and not excessive in relation to the purposes for which they are collected, a strict assessment of the necessity and proportionality of the processed data should take place.”
– Article 6, Data Protection Directive 95/46/EC

Key Changes under the GDPR

Expanded Territorial Reach
The GDPR will extend its territorial scope to include data controllers and processors outside of the EU if their processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of, EU data subjects. In this context, the GDPR considers that “monitoring of behaviour” will occur, for example, where individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made or to predict personal preferences. A common example of monitoring behaviour is the placement of tracking cookies by analytics services such as Google Analytics, as this enables third parties to deliver context-specific advertising.

Data Protection Officers (DPO)
In certain circumstances, data controllers and processors will be required to designate a Data Protection Officer as part of the new accountability programme. The DPO will need sufficient expert knowledge in this field. If an organisation lacks an individual with sufficient expertise, then the DPO may be employed under a separate service contract or contracted through a third party.

Privacy by Design

The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. This includes requiring them to:

  • Maintain certain procedural and policy documentation
  • Conduct a data protection impact assessment for more risky processing
  • Implement data protection by design and by default (i.e. data minimisation)

The onus of proof to demonstrate appropriate security measures, compliance, testing, and reporting shall fall upon the data controller.

Myth: Big Companies Store Passwords Securely

50% of web apps store credentials unencrypted. As in plain text. As in someone who gains access to the app’s database can simply read the passwords. LinkedIn is about as legitimate as companies come, but they weren’t following basic best practices (namely, not using a salt) before their breach. – Brent Jensen, Stormpath Identity Infrastructure

Role of Data Processors

Data processors will have direct obligations for the first time. These include an obligation to:

  • Maintain a written record of processing activities carried out on behalf of each controller.
  • Designate a DPO where required or appoint a representative (when not established in the EU) in certain circumstances.
  • Notify the data controller on becoming aware of a personal data breach without undue delay.

The new status of data processors will likely impact how data protection matters are addressed in supply and other commercial agreements. The underlying rationale for increasing data protection obligations on data processors stemmed from concerns that data processors were not required to be bound to the same standards or levels of compliance as data controllers.

Consent

Although the DPA already places an obligation on the data controller to obtain consent from a data subject prior to processing their personal data, the GDPR has taken this a step further by stating that consent must be “explicit”. In this regard, the data controller is required to be able to demonstrate that consent was given and must retain a record of this event. Existing consents may still work, but only provided they meet the new conditions under the GDPR.

Consent is not freely given if the data subject had no genuine and free choice or is unable to withdraw or refuse consent without detriment.

Fair Processing Notices

Data controllers will continue to be required to provide transparent information to data subjects. Such information must be presented at the time the personal data is obtained, and subjects should always be able to easily access the organisation’s data policies. Existing forms of fair processing notice (particularly websites) will have to be re-examined as the requirements in the GDPR are more detailed than those in the DPA. For example, the data controller must inform the data subject of certain rights (such as the ability to withdraw consent) and the period for which the data will be stored.

Fines

The current cap on fines under the DPA is £500,000. This will be significantly increased under the GDPR with the introduction of a tiered approach to penalties for breaches. Depending on the circumstances and extent of the breach the Information Commissioner’s Office will be able to impose fines up to 4% of annual worldwide turnover or €20 Million (whichever is greater).

“In legal terms “explicit consent” is understood as having the same meaning as express consent. It encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing.”

– Article 29 Data Protection Working Party

An In-depth Look…

Subject Access Requests

A Subject Access Request (SAR) is a means by which an individual can obtain a copy of the information that is held by a certain organisation. SARs are submitted to data controllers, and an individual can submit a SAR to any organisation that they think is holding, using, or sharing their personal information.

The current legislation states that organisations may charge fees when providing copies of paper and computer records and related information. The fees may not exceed the following amounts:

  • £10.00 per SAR
  • £50.00 where health based records are requested
  • £1.00 to £50.00 for educational records (sliding scale)

Right to be Forgotten

The right to be forgotten “reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them.”
– Prof. Dr. Rolf H. Weber, University of Zurich

However, under the GDPR, data controllers must provide information free of charge. That said, a reasonable fee, based on the administrative cost, may be charged in circumstances where a SAR is manifestly unfounded, excessive, or repetitive.

Organisations will also have less time to comply with a SAR – information will need to be provided without delay and no later than one (1) month from the date of receipt. The delivery date may be extended by up to a further two (2) months if requests are complex or numerous. In the event of an extension, it is the obligation of the data controller to inform the individual that their request shall be prolonged and explain why an extension is necessary.

If a data controller refuses to comply with a SAR on the basis that it is repetitive, unfounded, or excessive then a detailed explanation must be issued to the individual, including details of how to complain to the Information Commissioner’s Office and judicial remedies. Again, all such refusals must be dealt with without undue delay, and at the latest within one (1) month.

The data controller must verify the identity of the person making a SAR. Verification should, ideally, be in person and include, at least, two pieces of ID, including one piece of valid government-issued photographic ID (passport; driver’s license). Overseas documentation should be assessed on a case-by-case basis.

Accountability & Data Security

The GDPR introduces a new accountability principle which requires the data controller to comply with the GDPR and explicitly state that it is the data controller’s responsibility to uphold this principle.

From a data security perspective, the Data Protection Act 1998 (DPA) already included a requirement that organisations implement appropriate technical and organisational measures to ensure and demonstrate compliance (including staff training, internal auditing, and review of HR policies and practices).

However, the GDPR has placed significantly greater emphasis on data security, including:

  • Encryption and pseudonymisation of data
  • Measuring system resilience
  • Measuring data restoration and availability of access
  • Frequent testing of the effectiveness of security measures
  • Appointment of a DPO
  • Producing data protection impact assessments
  • Internal records of processing activities (if more than 250 employees)
  • Privacy by design approach to physical and digital security

“…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;…”
– Article 32(1) General Data Protection Regulation

The DPO is required to report directly to the highest level of management in an organisation (board level), cannot be dismissed or penalised for performing their tasks, and must be provided with adequate resources to enable compliance with the GDPR. There are no specific qualification requirements for a DPO but the individual should have professional experience and knowledge of data protection legislation.

Data security breaches are a board level issue. If a business fails to comply with its data security obligations then the Information Commissioner’s Office may fine the organisation up to €10 Million or 2% of its total worldwide turnover, whichever is higher. This can be increased to €20 Million and 4% of total worldwide turnover if the breach is severe or repetitive. The Information Commissioner’s Office will also operate a public “name and shame” program to draw attention to organisations that lose personal data.

Breaches must be notified to the Information Commissioner’s Office and, in certain circumstances, must also be notified to each individual unless the data is rendered unintelligible (i.e. encryption).

Access Control Basics

  • Each user must have and use their own username and password.
  • Each user should use an account that has permissions appropriate to the job they are carrying out at the time. You should also only use administrator accounts when strictly necessary (e.g. for installing known and trusted software).
  • A brute force password attack is a common method of attack, perhaps even by casual users trying to access your Wi-Fi, so you need to enforce strong passwords, limit the number of failed login attempts and enforce regular password changes.
  • Passwords or other access should be cancelled immediately if a staff member leaves the organisation.

Retention of Data

The DPA states that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This requirement will not change under the GDPR. However, it is important to understand that data cannot be kept indefinitely without an underlying justifiable rationale. Therefore, both the DPA and the GDPR require that data controllers review the length of time that they keep personal data, the purpose or purposes for holding that information, and archive, update, or securely delete personal information as and when required.

Hacking/Breaking into Networks

Hacking, cracking, and/or breaking into computer systems and networks is not governed by the DPA or the GDPR. These acts generally fall within criminal law and are governed by different acts including the Computer Misuse Act, the Serious Crime Act, the Terrorism Act, Human Rights Act, Digital Economy Act, and Regulation of Investigatory Powers Act, amongst others. Additionally, many acts have been amended over the years and further, some of these acts are only partly relevant or relevant only to specific cases.

Although criminal liability for an act falls on the individual or organisation that executed the attack, if personal information is lost or stolen as a result of the attack, then the organisation that was the victim of the attack may come under the scrutiny of the Information Commissioner’s Office for failing to implement adequate security measures. Therefore, an organisation may be indirectly drawn into becoming liable through the acts of a third party.

Interesting Fact…

Over the last year the average age of suspected cyber criminals featured in investigations involving the National Cyber Crime Agency (NCA) has been 17 years old, compared to 24 in the previous year. Research commissioned by the NCA has indicated that the majority of young people and their parents are not aware of what constitutes a cyber crime or the consequences of engaging in it.

– National Cyber Crime Agency, December 2015

To summarise

The GDPR represents the greatest shift in data protection legislation since the introduction of the DPA in March 2000.

It is not a question of IF a data breach will occur, but WHEN.

Organisations are strongly encouraged to put in place clear policies and procedures to enable prompt responses to data breaches and subsequent notifications. These policies ought to incorporate a clear framework of accountability in order to monitor, review, and assess data processing procedures and demonstrate compliance to any relevant authorities.

The starting point for any organisation should be an analysis of the legal basis for processing personal data. Organisations must demonstrate that data is processed for a legitimate interest and appropriate consent has been obtained. The burden of proof lies with the data controller.

Privacy policies, consent notices, terms of service, and relevant record keeping must be in clear and plain language. These notices must be easily accessible and, where children under the age of 16 access services, must be clearly comprehensible to children.

For More Information Contact:

Graham Millar
Mobile: 07841920102
Direct Dial: 0141 530 2023
Email: gmillar@gilsongray.co.uk

John Kielski
Direct Dial: 0141 530 2028
Email: jkielski@gilsongray.co.uk

Derek Hamill
Mobile: 0797 392 4333
Direct Dial: 0141 530 2022
Email: dhamill@gilsongray.co.uk