General Data Protection Regulation Guidelines
Practical Guidelines for Compliance with the General Data Protection Regulation
The Office of the Data Protection Commissioner (DPC) has just released a guidance note on the General Data Protection Regulation (the GDPR). This is the first in a series to assist organisations in their preparations towards full compliance with the GDPR when it comes into force on 25 May 2018. Proper regulation of the processing of personal data is intended to help bridge the so-called ‘trust gap’ between business and the consumer who entrusts personal data to it, with a resultant increase in electronic commerce as well as consumer business. To concentrate the mind further on compliance, it is worth knowing that potential fines for breaches of the GDPR are substantial (€20,000 or 4% of total annual global turnover, whichever is higher) and that the DPC’s powers of enforcement have been enhanced and its office is now better funded. Looking at it from the other side, Helen Dixon, the DPC, suggested at a recent talk that it may be useful to stand in the shoes of the individual and consider how damaging it could be to have your own personal data revealed or misused in some way. You can find the text of the GDPR itself at: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
This is the time for a review
The DPC recommends beginning with a “review and enhance” analysis of your personal data processing, present or planned for the future. “Personal data” means information you process relating to an identified or identifiable natural person, known as a “data subject”; it does not include data relating to a deceased person. The Regulation does not relate to any information other than personal data, nor does it relate to anonymised data. “Processing” means any operation or set of operations performed on personal data by automated or other methods, such as collection, storage (this includes data filed manually or ordered in some way, say, in a filing cabinet), alteration, dissemination or destruction, etc.
Start with accountability
The first step is to find out what personal data you hold. Make an inventory of it. Draft an analysis covering why you are storing the personal data and why and how it was originally gathered. Decide how long you need to retain it or whether you can destroy it. If it is to be retained, assess how secure it is and whether you can make it more secure. If the data is shared with others or transferred to another country, set out the basis for doing so and the safeguards in place around that. Document all your findings and decisions.
This documented self-analysis is important because the Regulation requires data controllers to be accountable for the personal data they process AND to be able to demonstrate this accountability. However, it is not a one-off exercise – this document needs to be updated on an ongoing basis.
Now that you have carried out this review, consider whether any personal data needs to be rectified. Information that you have decided you need to collect and process must be collected and processed in a fair and accurate manner and must be kept confidential. Put systems in place so that the data is safeguarded against loss, damage, destruction, or unlawful processing. These may include pseudonymisation and data minimisation (consider whether the data can be collected more selectively in the future); also consider installing systems that automatically provide data protection by design/default in respect of collection, processing, storage and access.
Identify and document the legal basis on which you process personal data
You must fall within one of the grounds for lawful processing listed in Article 6 of the GDPR. For example, processing is considered lawful if it forms part of a contract with the data subject, or if it is necessary for the legitimate interests of the data controller or a third party. Spell out in full your company’s legitimate interests, as you will be relying on them to justify your data processing.
Processing is lawful too if you have the data subject’s consent to process for one or more specific purposes. But it will be binding only where your request for consent in a written declaration is distinguishable from other matters in the declaration and is written “in an intelligible and easily accessible form, using clear and plain language.” A request for consent must also advise data subjects of the contact details of the Data Protection Officer (if one is appointed), the recipient(s) of the personal data and/or details of its transfer to another country, and the existence of the data subject’s personal data rights, among other information.
Where children are accessing information society services, for example Facebook, they can consent if they are aged at least 16 years and the controller must be able to demonstrate that consent was given.
Particular care needs to be taken to ensure that processing is lawful where special categories of personal data are being processed. This type of data would reveal sensitive personal information such as racial or ethnic origin, political or religious beliefs, or data pertaining to health or sex life.
Fully review current privacy notices
Fully review current privacy notices and update them to comply with the GDPR. This requires you to provide individuals with more information than was necessary previously when collecting their personal data, for example, the period of time for which the data will be stored and the existence of the data subject’s individual rights under the Regulation.
Inform yourself about the personal privacy rights
The official website of the office of the DPC sets out these rights very clearly for the benefit of the public under its: “What you should know – For Individuals” tab. It informs the public on when and how to make a complaint to the DPC and at present, it is in the process of enhancing its online complaint form.
Under the GDPR, it will be easier for an individual to sue data controllers for compensation for infringements of their privacy rights for material or non-material damage.
You can expect that members of the public will be aware of their rights and will know how to exercise and enforce them. So it is advisable that you and your staff be aware of them too because the Regulation specifically requires data controllers to facilitate the exercise of these rights under Article 12.
The rights of data subjects include:
- The right to be informed: A data subject has the right to obtain confirmation on whether his/her personal data is being processed and for what purpose(s).
- The right of access: He/she can get a (first) copy of it free of charge or in an accessible form, if electronically stored.
- The right of rectification of inaccurate personal data or to have incomplete data be completed. (Article 16)
- The right of erasure of personal data without undue delay (particular reference is made to a child’s personal data in relation to the offer of information society services; a possible example is the right of erasure of a teenager’s postings on Facebook). This right is known as ‘the right to be forgotten’. (Article 17)
- The right to restrict processing. (Article 18)
- The right of data portability in a structured, commonly used and machine-readable format, or to have it directly transferred from one controller to another. (Article 20)
- The right to object to data processing for some purposes, depending on his/her particular situation.
- The right to lodge a complaint with the supervisory authority.
- Rights to object to processing in relation to automated decision-making and profiling (Section 4, Article 21 & Article 22).
Organise staff training
Make sure members of staff are informed about the new Regulation and know how to implement it in the course of their work.
Plan on how to respond to data access requests
Plan on how to respond to data access requests “without undue delay and in any event within one month” of the request, giving information on action taken on a request (though this can be extended by a further two months depending on the complexity and the number of the requests). As well as providing the data requested, there is a list of other information to accompany it, such as informing the data subject of the existence of the right to complain and the existence of automated decision-making and/or profiling.
In most circumstances, you cannot charge for providing this information. Consider setting up an online system to give individuals access to their own personal data.
Personal data breaches attract fines as do failures to report breaches
Data breaches must be notified to the DPC as soon as practicable and, where feasible, not later than 72 hours after becoming aware of the breach. Set up the necessary systems and protocols now to enable compliance with this deadline. Consider whether it is possible to anonymise personal data; at the very least, encryption should be used.
Data subjects must be advised of high-risk data breaches without undue delay.
A data privacy impact assessment (DPIA) is mandatory
A data privacy impact assessment (DPIA) is mandatory for the processing of data likely to be high-risk to the rights and freedoms of natural persons, especially for processing such as profiling. It is necessary where large amounts of special-category data or data relating to criminal convictions/offences are processed. A DPIA is also required where there is systematic monitoring, e.g. the use of CCTV, in public places. The assessment must list the measures envisaged to address the risks involved.
You must appoint a Data Protection Officer (DPO)
You must appoint a Data Protection Officer (DPO) if you are a public authority, if your “core activities” consist of regular and systematic monitoring of data subjects on a large scale, or if you process data under the special categories on a large scale as a core activity.
The DPO is not just a compliance officer. He or she must have “expert knowledge of data protection law and practices” relevant to your business. The GDPR requires the DPO to perform his/her role with a high degree of independence and to be supported by you in doing so, with access to your data/operations and with the resources and any necessary training. The DPO shall report directly to the highest management level of the controller (i.e. the board of directors or its equivalent). The DPO must cooperate with the office of the DPC (to be known as the Supervisory Authority) and cannot be dismissed or penalised for performing his/her tasks.
In summary, the following are suggested practical steps for GDPR compliance:
- Review the personal data you process and become accountable for it.
- Organise staff training and inform yourself and your staff about personal privacy rights and how to facilitate the exercise of them.
- Identify and document the legal basis on which you process personal data.
- Review current privacy notices and revise them.
- Plan on how to respond to data access requests.
- Plan on how to report data breaches without delay.
- Decide whether you need to draft a Data Privacy Impact Assessment.
- Decide whether you need to appoint a Data Protection Officer.
- Continue with staff training on an ongoing basis.
- Continue to update your processing review document, privacy statements and DPIA on a regular basis and as necessary.
- Facilitate the DPO in his/her role.
Copyright © McKeever Solicitors, 12 December 2016.
This article is a general review of the law on the subject and is not intended to be a complete statement of the law. Specific legal advice must be sought on a case by case basis. For further information please contact Robert Browne or Ciara Meskell.
T: +353 (0) 1 859 0100
F: +353 (0) 1 670 2988