28.06.2017 Dorothy Agnew
The new General Data Protection Regulation (GDPR) will become directly applicable in all member states on 25 May 2018. It will create clarity for businesses by establishing a single set of rules across the EU.
The GDPR will replace our existing data protection legislation and will change the rules concerning processing of personal data.
These changes will significantly impact businesses that process personal data. Set out below is a summary of the key concepts of the new GDPR:
When does it apply? The GDPR takes effect from 25 May 2018.
Who does it apply to? The GDPR is a single legal framework that applies across all EU member states. Non-EU data controllers and data processors will be subject to the GDPR if they offer goods/services to data subjects in the EU, or if they monitor data subjects’ behaviour and that behaviour takes place within the EU.
If I’m relying on consent to processing, what form of consent is acceptable? As under the current data protection legislation, processing of personal data under the GDPR must meet one of the fair processing conditions. Consent is one of these conditions. Under the GDPR, consent to the processing of an individual’s personal data must be freely given, specific, informed and unambiguous, and must be shown by clear affirmative action. An individual’s explicit consent is still required to process certain categories of personal data. The burden of proof will be on the business to show that consent was validly obtained. Where consent is relied upon, it will need to be obtained for all processing purposes and may be withdrawn at any time. Consent to processing/using an individual’s data may not be made a condition of signing a contract or providing a service. If there is a “clear imbalance” between the parties, consent is presumed not to have been given freely.
How do I work out if my processing is lawful?
Businesses are responsible for assessing the degree of risk that their processing activities pose to data subjects.
Data protection by design and by default is a requirement under the GDPR. When deciding on the way a data controller will process personal data and when processing personal data the business must put in place appropriate technical and organisational measures to implement the data protection principles and to put safeguards in place to protect the privacy of the data subjects.
Businesses must perform privacy impact assessments before carrying out processing that uses new technologies. The national public authority responsible for monitoring the application of the GDPR (the supervisory authority) will publish a list of the kinds of processing activities that require a privacy impact assessment. A privacy impact assessment will be required where processing is likely to create a high risk to people’s rights and freedoms, particularly where the processing uses new technologies. Where an impact assessment indicates that processing would result in a high risk to individuals, the business must consult the supervisory authority before the processing takes place. Standardised icons may be used to indicate important features of the data processing activities.
What if I operate out of several offices in the EU? Where a business has several offices in different EU countries, the business’s main office where cross-border processing is involved will be the one responsible for processing activities.
Do I still need to notify/register? Businesses are no longer required to register their processing of personal data. Instead of registration businesses must keep detailed documentation that records their processing activities. The information that they record is specified in the GDPR. Data processors must keep a record of their processing activities – the GDPR specifies what this record must contain. These obligations do not apply to organisations that employ fewer than 250 people unless the organisation is processing sensitive personal data or the processing is likely to result in high risk to individuals.
Do I need to appoint a data protection officer? In some circumstances controllers or processors must appoint a data protection officer. Almost all public authorities, and organisations that systematically monitor individuals on a large scale (including those using big data analytics for online behaviour tracking or profiling), must appoint a data protection officer.
Do data processors have to comply? Yes, data processors must meet certain compliance obligations under the GDPR.
Do I need to notify breaches? Businesses must notify the supervisory authority of data protection breaches without undue delay and where feasible within 72 hours. If the breach is likely to result in high risk to individuals then (subject to certain exceptions) data subjects must be informed without undue delay.
What is pseudonymisation? The GDPR introduces the new concept of pseudonymisation. Pseudonymous data – that is, data which has been processed so that it can no longer be attributed to a specific individual without additional information – is still personal data, but is subject to fewer restrictions if the risk of harm is low. Any “key” that is required to identify data subjects from the coded data must be kept separate and secure to prevent accidental re-identification of the coded data.
Are BCRs recognised? The GDPR formally recognises binding corporate rules. These will require the supervisory authority’s approval, but the approval process should be less onerous.
What rights do individuals have?
Individuals have the right to access their data. Businesses must reply to data subject access requests within one month from receiving the request and must provide more information than they have to provide under the current data protection laws.
Individuals have the right to request that businesses delete their personal data in certain circumstances.
Individuals have the right to object to the processing of their personal data, e.g. to profiling.
Data subjects have the right to obtain a copy of their personal data from the data controller in a commonly used and machine-readable format and to transfer those data to another controller.
What are the maximum fines for non-compliance?
There are two tiers of fines that can be imposed on data controllers and data processors for breach of the GDPR. The maximum fines will be up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is greater), or up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is greater).
Fines for non-compliance by data processors with their obligations are up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is greater).
What are the powers of the national data protection authorities?
The supervisory authority’s powers will include the power to carry out audits, to require information to be provided and to obtain access to premises.
Many businesses will need to make changes to their IT systems and their privacy policies to comply with the new data protection regulations. Effecting and implementing these changes may take time. Businesses should take steps now to prepare, so that they are able to comply once the new regulations take effect.