Readers will be well aware that the General Data Protection Regulation (GDPR) comes into effect in the UK (and across the EU) on 25 May 2018. Many will have been making arrangements to be ready for that date.
Some key changes
GDPR clarifies the definition of personal data to make it clear that it covers not only names, addresses and telephone numbers, for example, but also IP addresses and other online identifiers.
The old rules placed direct obligations only on "data controllers", those who decide why and how personal data is processed. Many of the new rules will now also apply directly to "data processors" (those who process the data on behalf of data controllers). So, if a research organisation is given the contact details of every person associated with a clinical trial, or carries out data validation and redaction on behalf of a research and development business, it will be covered by GDPR in its own right. Further, the R&D business, as data controller, will be responsible for ensuring that its data processor (the research organisation) also complies, and must have a written contract with it setting out the processor's obligations.
Busting the myths
Among all the noise being generated around GDPR compliance, a number of issues have become confused, and many myths have evolved. The UK's data regulator, the Information Commissioner's Office (the ICO) has issued a number of myth-buster blogs and here we consider three of the big myths that we regularly encounter.
MYTH: Businesses will routinely be fined millions of pounds
REALITY: Fines won't be the maximum
Because fines can now be as high as the greater of €20 million or 4% of an organisation's worldwide annual turnover, it has been widely suggested that fines at that level will become routine. Whilst such fines are theoretically possible, the ICO has sought to dampen down the ever-growing fear.
Under the current cap of £500,000 (set by the Data Protection Act 1998), there have been two £400,000 fines, most recently to Carphone Warehouse for failing to take sufficient care to prevent a data breach.
In the case of Google-owned DeepMind and the Royal Free Hospital, however, the ICO issued no fine and instead required the Royal Free, as data controller, to sign undertakings on data protection compliance. The ICO's decision has been criticised, but it does perhaps show sector considerations at play.
Ultimately, the ICO is trying to make it clear that, just because it fined businesses £400,000 against a £500,000 cap, it is not going to be issuing €20 million fines under GDPR. Where appropriate, sector considerations will be accounted for.
There is also the potential for separate fines, of up to the greater of €10 million or 2% of global turnover, for failing to notify the ICO of a notifiable personal data breach. Again, in all likelihood, the ICO will not issue fines at or near the top of this range. However, the notification deadline is tight: a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Companies that have not already done so should therefore put in place clear breach-handling and record-keeping processes, logging every breach (whether or not it meets the notification threshold) together with its effects, the remedial action taken and the steps taken in relation to ICO notification; GDPR requires this documentation regardless of whether a notification is made. Missing the 72-hour window puts companies at risk of these additional fines.
Aside from the prospect of fines, of course, businesses need to be alive to the risk of compensation claims (by individuals, and also collectively by way of class actions) for damage, including distress, suffered as a result of a data breach. Further, the reputational damage may be incalculable.
MYTH: You must get consent for all types of data processing
REALITY: Consent is just one lawful basis (but is needed for certain types of data)
It is a common misconception that businesses will always need consent to process personal data. In fact, consent is only one of six lawful bases, and a business needs to identify at least one that applies to each processing activity. In many cases the business, or a third party, will have a legitimate interest in the processing, which can be relied upon so long as that interest is not overridden by the interests, rights and freedoms of the individual.
However, genetic data, biometric data (where used to uniquely identify someone), data concerning health and data revealing racial or ethnic origin are "special category" data, for which an additional condition must be met on top of the lawful basis. Explicit consent is the condition most commonly relied upon, and for a hospital or research centre taking part in a clinical trial it will normally be the one used, although GDPR does set out other conditions (for instance for the provision of health care, or for scientific research subject to appropriate safeguards). Where consent is relied upon it must be explicit, freely given, specific and informed: it must be obtained for each purpose for which the data will be processed, and the data can only be processed for the purposes expressly set out in the informed consent form. Further, study subjects must be told, before they consent, that they can withdraw their consent in full or in part at any time, and how to do so; withdrawing consent must be as easy as giving it.
It is worth noting that consent is also required for direct marketing by email and SMS, unless a limited exemption applies. That exemption, known as the 'soft opt-in', is: where a business has collected a person's contact details in the course of a sale (or negotiations for a sale) of goods or services, it may send that person electronic marketing about its own similar goods or services, provided it gave them a simple means of refusing such marketing when the details were collected and does so again in every message. These rules come from the Privacy and Electronic Communications Regulations (PECR) and are not in fact new; what changes from 25 May is that any consent relied upon under PECR must meet the GDPR standard of consent.
MYTH: All organisations must appoint a Data Protection Officer
REALITY: Only public authorities and those undertaking certain high-risk activities need to do so (although others might choose to)
The GDPR mandates - for certain organisations - the appointment of a Data Protection Officer (DPO) to undertake tasks such as informing and advising the organisation on its obligations under data protection law, and monitoring compliance, as well as being the first point of contact for the ICO and data subjects.
However, not all organisations must appoint a DPO. GDPR requires it in three circumstances: where the organisation is a public authority (other than a court acting in its judicial capacity); where its core activities involve regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking); and where its core activities involve large scale processing of special category data or of data relating to criminal convictions and offences.
Nonetheless, some organisations, even if they don't have to, might decide to appoint a DPO, or someone with a similar title. If they do, they should consider what GDPR actually says about the role, because a voluntarily appointed DPO is expected to meet the same requirements as a mandatory one. For instance, GDPR requires that a DPO should have expert knowledge of data protection law and practices. Additionally, it requires that the DPO reports to the highest management level of the organisation, that they be allowed to operate "independently" and not be dismissed or penalised merely for performing their tasks, and that adequate support and resources be provided.
GDPR does permit the appointment of a DPO on a service contract, and also says that a group of undertakings may appoint a single DPO provided that they be easily accessible from each establishment.
Organisations should give close consideration to whether they must (or will) appoint a DPO, and, where they do, they should make sure they are aware of the nature of the role, and the support it requires.
A gentle start?
Although GDPR is effective from 25 May, no-one is expected to be 'fully compliant' on day one. Compliance is an ongoing journey, and businesses - which have had two years to prepare for implementation - will be expected to continue to work towards better compliance in the months to come.
One of the key aspects of GDPR is 'accountability': businesses must not only comply but be able to demonstrate their compliance, which in practice means keeping sufficiently detailed and contemporaneous records of it. This principle applies to every organisation, whatever its size. The one size-related concession is narrower than is often assumed: the specific obligation to maintain records of processing activities is relaxed for organisations with fewer than 250 employees, but not where their processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special category data or data relating to criminal convictions and offences, and most businesses will fall within at least one of those exceptions. It is therefore a myth that GDPR applies only to bigger businesses. GDPR applies to all businesses, of whatever size.