What will the EU’s new data protection regime mean for UK charities, asks Peter Parker.
The EU laws which founded the Data Protection Act 1998 (DPA) – now the cornerstone of the UK’s current personal data protection regime – were written well before Mark Zuckerberg was out of short trousers, let alone contemplating his Facebook empire. 25 May 2018 will see a huge shift in the regulation of data protection across the EU.
This is the date from which EU organisations will have to comply with the General Data Protection Regulation (GDPR). GDPR is designed to respond to the significant advances in information technology, and the fundamental changes to the ways in which we communicate and share information, which have occurred since the mid-1990s. In addition, it is designed to create a more harmonised approach to data protection laws across the EU, being directly applicable without the need for national implementation.
Many of the core concepts under the existing regime (the Data Protection Directive, or DPD) will remain unchanged. For example, the concepts of personal data, data controllers (a person who determines the purposes for, and the manner in which, any personal data is processed) and data processors (a person who processes personal data on behalf, and under the instruction, of their data controller) are broadly similar in both DPD and GDPR. However, GDPR will introduce several new concepts and approaches, the most significant of which are as follows.
Non-EU data controllers and data processors will be subject to GDPR if they either offer goods or services to individuals in the EU, irrespective of whether payment is received; or monitor individuals’ behaviour insofar as their behaviour takes place within the EU. This means that many non-EU organisations that were not required to comply with DPD will be required to comply with GDPR. Therefore, as and when the UK leaves the EU, UK organisations which satisfy one of the above conditions will be subject to GDPR, notwithstanding that it may not be directly applicable in the UK.
GDPR requires a very high standard of consent from an individual when relied upon to legally process their personal data. This must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous consent. When the processing of personal data has multiple purposes, an individual should give their consent to each of the processing purposes. An individual has the right to withdraw their consent at any time.
Organisations will be required to implement data protection by design (eg when creating new products or services) and by default (eg data minimisation), at the time of the determination of the means for processing and of the processing itself. Organisations will also be required to perform impact assessments before carrying out any processing (eg via new technologies) that is likely to result in a high risk to individuals.
Instead of registering with their National Data Protection Authority (NDPA) (in the UK, the Information Commissioner’s Office (ICO)), organisations must maintain detailed documentation recording their processing activities as specified by GDPR. In addition, in certain circumstances controllers or processors will be required to appoint a data protection officer. These obligations do not apply to an organisation employing fewer than 250 people, unless the processing is likely to result in high risk to individuals, is not occasional or includes sensitive personal data.
Individuals will have the right to request that organisations delete their personal data in certain circumstances (eg their data is no longer necessary for the purpose for which it was originally collected). Individuals have a new right to obtain a copy of their personal data from the data controller in a readable and usable format, and in exercising this right individuals can request the information be transmitted directly from one controller to another, where technically feasible.
Organisations must notify their NDPA of all data breaches without undue delay and where feasible within 72 hours, unless the data breach is unlikely to result in a risk to the individuals concerned. If the breach is likely to result in high risk to individuals, GDPR requires organisations to inform those individuals “without undue delay” as well.
GDPR introduces direct compliance obligations for processors, meaning they can be subject to fines. It will significantly increase the maximum fines that NDPAs will be able to impose on data controllers and data processors. The maximum fines are set on a two-tiered basis as follows:
• For violations relating to data processor contracts, data protection officers, data protection by design and default, internal record keeping and data breach notification – the greater of 2 per cent of annual worldwide turnover of the preceding financial year, or 10 million euros.
• For violations relating to individuals’ rights, conditions for consent, international data transfers and breaches of the data protection principles – the greater of 4 per cent of annual worldwide turnover of the preceding financial year, or 20 million euros.
What should charities be doing to prepare?
While the date for GDPR compliance is some way off, charities should consider taking the following actions:
- Put in place policies and procedures to ensure they can react quickly to any data breaches and notify in time where required.
- Ensure that privacy is embedded early into any new processing or product that is deployed.
- Monitor, review and assess data processing procedures with the aim of minimising data processing and the retention of data.
- Check that staff understand their data protection obligations and undertake training where necessary.
- Conduct auditable privacy impact assessments to review any risky processing activities and steps taken to address specific concerns.
- Check policies and privacy notices. They should be transparent, easily accessible and in clear and plain language.
- Analyse the legal basis on which personal data is used. If they rely on an individual’s consent, review whether their forms of consent are adequate and check that consents are freely given, specific and informed.
- In light of the increased fines, ensure that they have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.
The impact of Brexit?
GDPR will come into force at a time when the UK will still be a member of the EU, but possibly for not much longer. So what impact will Brexit have on the application of GDPR to UK organisations? The answer is likely to be very little impact at all. To understand why, one has to look at the options the UK is most likely to have regarding its future relationship with the EU.
If it takes the so-called Norwegian model, the UK will remain a member of the European Economic Area (EEA). This means that it will be included in the EU single market (benefiting from associated free trade arrangements), but it will have to commit to comply with certain EU laws. Those countries that have already taken this route have each implemented DPD into their respective local laws. One would assume they (and the UK if it took this route) will have to implement GDPR into their local laws as well.
Switzerland is not a member of the EEA, but it is a member of the European Free Trade Association. It does have access to the EU single market and it has its own data protection laws, but these are very similar to the laws of EU Member States. Switzerland’s data protection laws have been recognised as adequate by the European Commission – meaning that they are adequately protective of the rights of EU citizens. Crucially, this enables the legitimate transfer of personal data between organisations based within the EU and Switzerland. The Swiss government has already indicated its intention to implement laws similar to GDPR in order to retain its adequacy status after May 2018. If the UK took the Swiss model, one would assume it would do the same to gain such EC adequacy recognition.
If it takes the go-it-alone model, agreeing independent trade deals with the EU, the UK will in theory have free rein to implement its own data protection laws. However, the recent rejection by EU regulators of the EU-US privacy shield safe harbour shows the difficulties faced by EU organisations, and non-EU organisations wishing to work with them, in transferring personal data to countries which have not adopted EU-strength data protection laws. Therefore, in order to maintain its close links with a crucial trading partner, one would assume it likely that either GDPR, or laws that look very similar to it, will be required in the UK after Brexit takes effect.
Regardless of Brexit, GDPR will have a significant impact on charities and is likely to require organisation-wide changes to ensure that personal data is processed in compliance with the new requirements. Failure to implement such changes now could mean that charities are left with insufficient resources to achieve compliance.
Peter Parker is a solicitor at Wrigleys Solicitors
Civil Society Media wishes to thank Wrigleys Solicitors for its support with this article