Processing principles - what changes did the GDPR bring?
Under the new regulations, personal data now needs to be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Consent under the GDPR
The GDPR sets a high standard for consent, with the ICO defining ‘consent’ in Article 4(11) as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Some key changes to note on the issue of consent are:
- Companies now need to ask for consent before they process an individual’s data;
- Pre-ticked marketing boxes are no longer allowed;
- Individuals can withdraw consent automatically; and
- Companies must regularly review consents to check that the relationship, the processing and the purposes have not changed.
We can review your existing processes for obtaining consent and provide alternative strategies where necessary to ensure compliance with the new regulations.
Privacy notices
The new laws also require companies to review their privacy notices, to incorporate the following:
- Privacy notices should be presented in a concise, transparent, intelligible and easily accessible form;
- They should use clear and plain language, in particular for any information addressed specifically to a child; and
- The information should be provided in writing, or by other means, including, where appropriate, by electronic means.
We can assist you in preparing tailored privacy notices that will ensure that you are meeting your legal obligations.
Data breaches
Companies are now required to notify the regulator within 72 hours of a data breach. When the personal data breach is likely to result in a high risk to a person’s rights and freedoms, the controller should communicate the personal data breach to the data subject without undue delay.
We can assist you in implementing an action plan following any breach which your organisation is involved with and in preparing a report to the ICO which complies with your organisation’s obligations but does not leave you unduly exposed.
Data Protection Officers
Under the GDPR, companies must appoint a Data Protection Officer (DPO) if they:
- Are a public authority (except for courts acting in their judicial capacity);
- Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large scale processing of special categories of data (e.g. health data) or data relating to criminal convictions and offences.
We advise that you ensure the person in the role has a suitable level of expertise, and that you are mindful of the need for an impartial DPO; for example, an IT Manager or HR Manager may not be appropriate.
We can provide you with assistance and guidance in appointing and selecting an appropriate DPO for your organisation.
Headline cases
There were 32,000 complaints within the first 10 months of the GDPR’s implementation. Most related to data subject access requests and inappropriate disclosure of data.
Case study
Complaints were brought against Google by two not-for-profit privacy rights groups representing 10,000 individuals immediately on the new regulations coming into effect on 25 May 2018. The complaint was brought in France with local regulatory body CNIL.
Google’s US HQ retained decision making powers, therefore Google LLC in the US was exposed.
Google infringed Articles 12 and 13 of GDPR relating to transparency and information obligations – examples included that there were multiple steps for people to access their information, and the information was scattered across several policies.
There were further issues around the consent for personalised adverts, with all processing operations covered by a single consent rather than being separated out.
The outcome
CNIL issued a €50 million fine against Google LLC. This was in fact far from the maximum fine that could have been issued, which could have been up to €3.84 billion.
Other cases of note include:
Our recommendations: Training
Although all staff should be familiar with your GDPR compliance processes, we recommend providing staff with regular refresher training to include:
- Recognising what a data subject request looks like
- How to escalate it within the organisation
- Ensuring the maker of the request is who they say they are
- Co-operation between teams and functions (e.g. IT, HR, individual’s team)
- Overcoming problem areas such as when data subject access requests are received during school holidays
For staff dealing with Subject Access Requests, we recommend additional training to cover:
- Ensuring the scope of the request is understood from the outset
- Knowing where to look – a genuine and extensive search
- Redaction and dealing with others’ data
- The form of the data – to include information required by Article 15(1) GDPR
Our specialist team of experts can provide tailored training to meet your requirements.
Our recommendations: Data Subject Access Request
Subject Access Requests should be completed without undue delay – one month is the absolute maximum timeframe for completion.
This can be extended by two months “where necessary” – the reality is that the ICO will only deem it necessary in very limited cases, however. If you want the deadline extended, then you must tell the individual within a month and give reasons why.
We can provide support with all aspects of ensuring that you comply with and meet the deadlines for any data subject access request you receive, whether this is putting an action plan in force or reviewing and redacting documents on your behalf.
Our recommendations: Practical tips
Article 30 – Record keeping
- Keep comprehensive and up to date records of processing
- Ensure regular testing of internal procedures
- Demonstrate adherence to approved codes of conduct within records
- Take advantage of the ICO’s voluntary audits (available to some groups e.g. large education trusts)
Reviewing processor contracts to include
- Subject matter and duration of data processing
- The nature and purpose of data processing
- Type of personal data and categories of subject covered by the processing
- Obligations and rights of the Controller
Controller Liability
- As a data controller you are fully liable unless “not in any way responsible for the event giving rise to damage”
- Review supplier contracts for limitations and exclusions
- Include indemnities for losses the processor is liable for
- Retain claim management control