The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) - Are You Ready?


The Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR) on 25th May 2018. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA); however, there are new elements and significant enhancements, so some things will be new and other things will need to be done differently. The major shift with the implementation of the GDPR is giving people greater control over their data.

Key changes include: new rules around consent, more informative privacy notices, mandatory data breach notification, increased fines, new or expanded rights for data subjects, wider territorial scope and the introduction of an accountability principle, which makes some measures that were previously recommended as good practice legally required in certain circumstances, e.g. conducting privacy impact assessments and incorporating data protection by design into projects, maintaining detailed internal records of processing activities, and ensuring that any third party data processing is done under a contract that meets the requirements of the GDPR.

GDPR Key Changes

The Right to be Informed

The right to be informed is one of the extended rights under the GDPR. Privacy Notices, and other documentation, will need to be updated to ensure that they are easy to understand for the individuals who need to use them. Where information processed by the University is obtained directly from the individual, the individual should be told, at the time the information is obtained:

  • The identity and contact details of the data controller and its Data Protection Officer (DPO).
  • The purpose of the processing and its legal basis.
  • The legitimate interests of the controller (or of a third party), where that is the legal basis relied on.
  • Who will receive the information.
  • Any transfers to third countries and the safeguards in place.
  • How long the information will be retained.
  • That they have rights under the GDPR, and what those rights are.
  • That they have the right to withdraw consent at any time, where consent is the legal basis.
  • That they can complain to the ICO.
  • Whether providing the information is a statutory or contractual requirement, and the possible consequences of not providing it.
  • Whether automated decision making, including profiling, will be used on them.

Privacy Notice Template

Link to ICO Guidance 

New or Extended Rights

One of the major motivations of the GDPR is to extend the rights of individuals. All rights must, by and large, be responded to within one month. Data Subjects have eight new or extended rights:

1) The right to be informed – see previous section

2) The right of access. Generally known as Subject Access Requests (SAR), these were equally available under the Data Protection Act 1998 (DPA), but some of the rules have changed.

The most significant changes to the SAR process are:

  • The £10 subject access fee is removed - a fee may only be charged where a request is manifestly unfounded, excessive or repetitive.
  • Requests must be dealt with within one month of receipt - a significant reduction from the current 40 day timescale.

3) The right to rectification. If personal data is identified as being inaccurate or incomplete, individuals have the right to have it rectified within one month. Where the data has been shared with third parties, they must also be informed of the rectification.

4) The right to erasure. This is often known as the right to be forgotten, and can be summarised as the right to have personal data removed or deleted within one month if there is no compelling reason for it to continue being processed. The ICO is keen to stress that this is not an absolute right to be forgotten and applies only in certain situations, for example:-

  • When the data is no longer needed for the purpose it was originally collected.
  • The Data Subject withdraws consent.
  • The Data Subject objects to the processing and there is no overriding legitimate reason to continue processing.
  • The processing is unlawful.
  • Erasure is required to comply with a legal obligation.
  • The data was collected in relation to the offer of information society services to a child.

The threshold for erasure under the DPA, that the processing would cause unwarranted and substantial damage or distress, has been removed under the GDPR. There are, however, some scenarios in which it is possible to refuse a request:

  • The exercise of the right of freedom of expression and information.
  • In complying with a legal obligation.
  • For public health purposes.
  • Archiving in the public interest, scientific or historical research, or statistical purposes.
  • To defend a legal claim.

If data is to be erased and it has been disclosed to a Third Party, you must also inform them of the erasure, unless doing so would involve disproportionate effort.

5) The right to restrict processing. As with the Data Protection Act, individuals may ask for processing to be restricted, which means an organisation may continue to store the personal data but must not process it further. This can include scenarios such as:

  • A Data Subject contests the accuracy of the data, until the accuracy is verified.
  • The Data Subject has objected to the processing and the organisation is considering whether its legitimate grounds override those of the individual.
  • The processing is unlawful, but the individual opposes erasure and requests restriction instead.
  • The organisation no longer requires the personal data, but the individual needs it to establish, exercise or defend a legal claim.

If processing is to be restricted and the data has been disclosed to a Third Party, you must also inform them of the restriction, unless doing so would involve disproportionate effort.

6) The right to data portability. This allows individuals to obtain and reuse (i.e. move, copy and transfer) their information across different services, free of charge, within one month of the request being made. It applies to personal data held by the Data Controller where the processing is based on Consent or on the performance of a contract, and where the processing is carried out by automated means.

7) The right to object. Individuals have the right to object to:-

  • Processing based on legitimate interests, or on a task carried out in the public interest or in the exercise of official authority, including profiling. Processing must stop unless:
    • The University can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject; or
    • The processing is for the establishment, exercise or defence of legal claims.
  • Processing for scientific or historical research or statistical purposes. Objections must similarly be based on grounds relating to the data subject’s particular situation. Where the processing is necessary for a task carried out in the public interest, the Data Controller is not required to comply.
  • Direct marketing, again including profiling. Such a request must be actioned immediately upon receipt, and dealt with free of charge.

8) Rights in relation to automated decision making and profiling. This provides safeguards against decisions with legal or similarly significant effects being made about an individual solely by automated means, i.e. by a computer with no human involvement. Where such a decision is made, the individual has the right to obtain human intervention, to express their own point of view, to have the decision explained to them, and to challenge that decision if they are not happy with it.

Profiling is any automated processing of personal data used to evaluate an individual’s performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements. Such activity requires precautions including appropriate Privacy Notices, appropriate statistical procedures and information security measures, as well as robust procedures to prevent and correct errors.

Data Protection by Design and Privacy Impact Assessments

The introduction of the new accountability principle under the GDPR requires organisations to understand the risks they create, mitigate them and be able to demonstrate that they comply. Some measures that were previously recommended as good practice are now legally required – these include data protection by design and privacy impact assessments.

Data protection by design – when designing a new system, process or service, organisations will need to show that they have considered and integrated data protection into their processing activities from the initial stages of the design process. It is a mandatory requirement to ensure that privacy and data protection are a key consideration in the early stages of any project, and then throughout its lifecycle. For example:-

  • building new IT systems for storing or accessing personal data;
  • developing legislation, policy or strategies that have privacy implications;
  • embarking on a data sharing initiative; or
  • using data for new purposes.

Ways to support the evidencing of data protection by design would include:-

  • Documenting any strategies and controls that have already been deployed
  • Involving the organisation’s Data Protection Officer to help rank and order risk mitigation.
  • Ensuring security / system providers demonstrate that they are compliant.
  • Applying the ICO’s current guidance on Privacy Impact Assessments / DPIAs through all parts of the organisation.
  • Creating privacy impact assessment documentation and processes.

Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:-

  • Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
  • Increased awareness of privacy and data protection across an organisation. 
  • Organisations are more likely to meet their legal obligations and less likely to breach data protection law.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals. 

Privacy Impact Assessments (PIA) – a tool for organisations to identify effective ways to comply with their GDPR obligations. The Information Commissioner’s Office (ICO) will expect to see data protection by design demonstrated through a Privacy Impact Assessment or Data Protection Impact Assessment (DPIA). A privacy impact assessment is mandatory when:-

  • Using new technology - this can trigger the need to carry out a privacy impact assessment, as it can involve novel forms of data collection and use, possibly with a high risk to individuals’ rights and freedoms.
  • The processing is likely to result in a high risk to the rights and freedoms of individuals. High risk processing will include:
    • Evaluation or scoring, including profiling and predicting, especially from ‘aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements’. An example would be where an organisation builds behavioural or marketing profiles based on usage or navigation of its website.
    • Automated decision making with legal or similarly significant effect. Examples would be where the processing may lead to the exclusion of, or discrimination against, individuals.
    • Systematic monitoring – processing used to observe, monitor or control data subjects, e.g. CCTV.
    • Special categories of data or sensitive personal data – e.g. patient medical records in a hospital, or personal data relating to criminal convictions. This refers mainly to processing sensitive personal data on a large scale, where there is an increased possible risk to the rights and freedoms of individuals. An organisation organising a corporate event and collecting data on guest allergies is processing sensitive personal data, but would not need to perform a PIA.
    • Data processed on a large scale – this depends on the number of data subjects, the volume of data, the duration of the processing activity and the geographical extent of the processing activity.
    • Data concerning vulnerable data subjects.
    • Data transfers across borders to countries outside the European Union.

If it is not clear whether a PIA is mandatory, or if you are processing sensitive personal data, you may want to consider conducting a PIA in any event – remember it is a way to demonstrate compliance under the GDPR. For details on conducting a PIA contact Bev Buckley on x6281 or email dataprotection@swansea.ac.uk.

Data Breach Notification

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (for the UK, this is the Information Commissioner’s Office or the ICO). A notifiable breach must be reported within 72 hours of the organisation becoming aware of it, where feasible.

Failure to report a breach when required to do so can lead to significant fines for the University.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, there is also a duty to inform those individuals without undue delay.

In order to support this duty, the University will need to have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not to notify the ICO and the affected individuals.

The University will also need to keep a record of any personal data breaches, regardless of whether it is required to notify.

What is a Personal Data Breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. Personal data breaches can include:

  • access by an unauthorised third party;
  • loss or theft of paperwork;
  • personal data posted to the incorrect recipient;
  • sending personal data to an incorrect recipient via email;
  • failure to use bcc when required;
  • insecure disposal of personal data;
  • computing devices containing personal data being lost or stolen e.g. loss of USB stick containing personal data;
  • cyber incidents;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

How to Report a Personal Data Breach?

If any member of staff suspects or becomes aware of a personal data breach then the following procedure must be followed immediately:-

  • Make a quick assessment of the nature and extent of the breach, so you can describe what has happened.
  • Report the breach as soon as you become aware of it, stating that you believe it to be a personal data breach, to the ISS Customer Service Team via one of the following methods:-
    • In person: at the Library Information Desks
    • Phone: 01792 (29) 5500
    • Online Service Desk: via the online Service Desk, which is available to all current students and staff (please do not include personal or sensitive personal data when completing the log online): https://servicedesk.swansea.ac.uk/
  • Provide as much detail as possible, including:-
    • what information is involved, to whom it pertains, the number of individuals whose data is involved, and the date and location (if appropriate)
    • what happened to it - lost, stolen, or inadvertently disclosed
    • how the breach may have happened
    • actions taken so far
    • contact details for an individual or individuals who are knowledgeable about the incident and able to coordinate the immediate investigation from the department’s perspective.
  • Ensure you obtain an incident reference number for your records.
  • Make your line manager aware.
  • Take any remedial steps you can to limit the impact of the breach.
  • Be prepared to work with the ISS Information Security Team and the University Data Protection Officer to carry out a more thorough review, to understand the full impact of the incident and put in place mitigating actions to prevent future incidents.
  • Ensure that details of the incident are not further disseminated at this point; any decision to publicise the incident must be made with the incident team.

The New Fine Regime

The GDPR will significantly increase the maximum fines on organisations, on a two-tier basis, as follows:

1) Up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is greater) for violations relating to internal record keeping, data processor contracts, privacy impact assessments, data security and breach notification, and data protection by design (amongst others); and

2) Up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is greater) for violations relating to breaches of the data protection principles, the conditions for consent, data subjects’ rights and international transfers.

These tiered fines far exceed the current maximum of £500,000 under the Data Protection Act.

Contracts

The GDPR imposes a high duty of care upon data controllers (the University) in selecting personal data processing service providers.  Whenever a data controller uses a processor to process personal data on its behalf it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities.

The key difference between the Data Protection Act 1998 and the GDPR is that the GDPR now sets out what needs to be included in the contract. A list of the compulsory details to be included within a contract can be found on the ICO website:-

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

Controllers are liable for their compliance with the GDPR and must only appoint data processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

Examples of organisations which provide services that involve personal data processing include companies such as those providing cloud storage, IT services, HR functions, marketing services and payroll services.

Action

These requirements will apply with immediate effect from 25th May 2018 to both new contracts and existing contracts. The University has updated its standard data protection clauses for new contracts however existing contracts for where there is third party data processing will also need to be updated. Please notify the University Data Protection Officer via gdprcontracts@swansea.ac.uk if you are aware of a contract that will need to be varied in line with GDPR requirements.

Record of Processing Activities

As a data controller, the University is required to maintain a record of processing activities which covers all the processing of personal data carried out by the University. Amongst other things, this record contains details of why the personal data is being processed, the types of individuals about which information is held, who the personal information is shared with and when personal information is transferred to countries outside the EU.

The documentation of processing activities is a new requirement under the GDPR. Documenting the University’s processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help demonstrate compliance with other aspects of the GDPR.

The University Record of Processing Activity will be maintained by the University Data Protection Officer and will be reviewed on an annual basis.

International Transfers

Data protection law restricts transfers of personal data to countries outside the European Union (third countries) or to international organisations, in order to ensure that the level of protection afforded to individuals is not undermined. Personal Data is transferred across borders when it is transmitted, sent, viewed or accessed in a different country from the one it originates in.

Personal Data should only be transferred outside the EU if one of the following conditions applies:

  • The European Commission has issued a decision confirming that the country to which the Personal Data is transferred ensures an adequate level of protection for the individuals’ rights and freedoms (an ‘adequacy decision’).
  • The Personal Data is transferred under the EU-US Privacy Shield (note that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020 and can no longer be relied on for transfers).
  • Appropriate safeguards are in place. Appropriate safeguards may be provided by:
    • a legally binding and enforceable agreement between public authorities or bodies;
    • binding corporate rules (agreements governing transfers made between organisations within a corporate group);
    • standard data protection clauses in the form of template transfer clauses adopted by the Commission;
    • standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
    • compliance with a code of conduct approved by a supervisory authority;
    • certification under an approved certification mechanism as provided for in the GDPR;
    • contractual clauses authorised by the competent supervisory authority; or
    • provisions inserted into administrative arrangements between public authorities or bodies, authorised by the competent supervisory authority.

Further information about the European Commission’s list of approved countries and the standard contractual clauses is available on the Information Commissioner’s Website https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/

Data protection law also contains a number of exemptions to the limitations on transfers of Personal Data outside the EU (regardless of the country to which the Personal Data are transferred or the receiving organisation). The exemptions are as follows:

  1. The Data Subject has given their explicit Consent to the transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.
  2. The transfer is necessary for the performance of a contract between the Data Subject and the University, or for the implementation of pre-contractual measures taken at the Data Subject’s request.
  3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the University and a Third Party.
  4. The transfer is necessary for important reasons of public interest.
  5. The transfer is necessary for the establishment, exercise or defence of legal claims.
  6. The transfer is necessary in order to protect the vital interests of the Data Subject or of other individuals.
  7. The transfer is made from a public register.

As the University is a public authority, the availability of the exemptions outlined in (1), (2) and (3) above is limited: they do not apply to activities carried out by public authorities in the exercise of their public powers.

Further guidance should be sought from the Data Protection Officer in relation to transferring of Personal Data outside the EU.