Father Christmas Finds Out That the New GDPR Rules Make His Annual Delivery Less Ho Ho Ho, More Oh Oh Oh !?

Well, I’ve thought a lot about what I could give you, and think I’ve found something that might actually be really valuable… Perhaps even the best gift you have ever had!

Well, I was going to wait until the 25th, but given that we are both fictional characters who only get rolled out once a month, I’m going to bend the rules and give you your present now… My gift to you is an explanation of the EU General Data Protection Regulation (GDPR), and what you need to think about to get your business compliant in advance of its implementation on 25 May 2018.

Oury, how rude! No, I am serious, this gift could potentially be the difference between you being a business leader who uses GDPR to strengthen relationships with customers, or not having a business at all.

Right, well, current law relating to data protection which was ok for an analogue world, isn’t fit for purpose in a digital one. So the EU has decided to implement one single regulation that will apply consistently across all EU member states for the purpose of better protecting the rights of the individual within the digital age.

Because it is really important for you to understand that the GDPR is not a business-focussed piece of legalisation. It is all centred around the rights of the individual, and this explains why some of the concepts you may have heard of, like the comically named ‘right to be forgotten’, may seem impractical / expensive / disproportionate to businesses, but are nonetheless going to have to be embraced, because that is the law!

Unfortunately not. The UK has already tabled its own Data Protection Bill which will implement GDPR, and even if there was the chance to deviate, it wouldn’t be in the UK’s interests to do so, as it needs to have a parity of standards with the EU to allow continued data flows to/from continental Europe. So, everyone needs to think of this as the tangible and real future with laws, regulators and penalties and not the next Y2K millennium bug as some have been suggesting.

That’s the spirit! Well, as you point out, you can’t avoid this if you are a business established within the EU, or even established outside of the EU, where you either offer goods or services to individuals within the EU, or monitor their behaviour.

Sure is, and it means that nearly every organisation that does any kind of business in Europe is going to fall within the scope of GDPR. There is no consideration given to business size, so whether you are a one-man band, an SME or Google, the GDPR will apply, and with it the penalties for non-compliance, which extend to the greater of €20 million or 4% of annual global turnover.

Yep, it’s heavy handed, but the point is that the GDPR is an enhancement of the current data protection legislation, and the existing laws are not being taken particularly seriously, so the regulators have been handed sweeping powers to ensure data privacy moves to the heart of business practices.

Let me quickly run through some key concepts to help explain. Think of them as stocking fillers:

• ‘Personal data’ means any information relating to an identified or identifiable natural person and includes names, email addresses, photos, IP addresses, biometric or genetic information. Basically anything that could be used to identify a living person.
• The ‘data controller’ is the entity that determines the purpose or means by which personal data is processed.
• The ‘data processor’ is the entity which processes information on behalf of the controller, and…

‘processing’ means doing anything with personal data – storage, transfer, access, structuring, recording, etc. Got it?

Correct Oury. There are six core GDPR data protection principles that data controllers are accountable for and will need to be able to demonstrate both they and any data processors they use, are compliant with:

Personal data must be

1. Processed lawfully, fairly and in a transparent manner,
2. Collected for specified, explicit and legitimate purposes,
3. Adequate, relevant and limited to what is necessary,
4. Accurate and, where necessary, kept up to date,
5. Retained only for as long as necessary, and
6. Processed in an appropriate manner to maintain security

Yes, exactly.

There are a few different lawful methods of processing, but for most privately owned businesses, the main alternatives to consent are to either (a) demonstrate that personal data is being processed in order to perform a contract (e.g.to fill an online order), or (b) show that such processing is in the legitimate interests of the controller’s business and does not override the fundamental rights and freedoms of the underlying data subject (e.g. customer is happy to have his address details affixed to a parcel in order that the goods he’s ordered can be delivered).

Under GDPR, consent needs to be freely given, specific, informed, granular and unambiguous. It needs to be by way of clear positive action and capable of being withdrawn as easily as it was given. So it’s now a big no-no to pre-ticked opt-in boxes or opt-out boxes! It also means it is highly likely that any consent gathered to date is going to be invalid on 25 May 2018, so consent needs to either be re-obtained or a company must have a different lawful basis on which it can process personal data. In respect of most third party marketing activities, and where special categories of personal data are involved (e.g. health information, sexual orientation, membership of a union, and others) consent is required. Bespoke consent notices will need to be drafted on an opt-in basis, and need to be regularly renewed.

If you rely on consent and don’t have the appropriate consent by 25 May 2018 then you will be holding personal data illegally and will need to destroy it. No ifs and no buts. Therefore, you need an action plan now to get the consent before you have to destroy the data.

Yes! There will be new and enhanced rights for data subjects. They:

1. can make a subject access request, requesting a copy of all data held about them, which needs to be dealt within one calendar month (extendable to 40 days). You can’t charge a data subject to respond to their request unless the request is ‘manifestly unfounded or excessive’.
2. have the ‘right to be forgotten’, meaning that all information about that data subject must be irretrievably deleted, or
3. can request that the personal information they have provided is ported to a designated third party in an accessible format, and
4. have a right to civil damages for breach of the GDPR which are entirely separate to the administrative penalties and are uncapped.

Yes, you are right, and it is something that should be addressed in the New Year just so businesses understand what internal processes they must have in place to deal with such requests and what modifications might be required to their technology.

Under GDPR the data controller is required to self-report breaches to the regulator within 72 hours of the breach occurring. The controller will likely then also have to later report this to the data subject themselves, so if an incident occurred at 6pm on the Friday then it would need to have been reported by 6pm on the Monday, even if Monday was a public holiday.

The honest answer is that nobody can know for sure. It’s like any regulatory change, businesses need to undertake their own risk analysis and work out an action plan. Dependent on the nature of the business, some will struggle to afford the compliance. And the compliance will vary a lot depending on what you are doing. Namely if you are B2B then there is a lot less risk really, as you are handling “consumers/customers/individuals” data to a far lesser degree (namely your employment contracts and employee data). But B2C you need to be thinking more carefully. Do I really think that 20million euro fines are going to be given out Willy Nilly to small B2B business putting people out of work? No it would seem unlikely, HMRC have 50,000 staff and can’t come anyway close to checking all businesses in detail. Also obviously the initial targets will be the big businesses where the govt can get some good press to make people aware, and significant fines. But if a 10 person digital agency is using mailing lists with names for which it doesn’t have proper consent – then there is every chance they’ll be in the ICO’s firing line (whether or not they’ll get a €20m fine is the subject of a crystal ball) – and certainly will be receiving many requests and complaints from individuals armed with their new rights.

The point is though – you need to start making an effort to at least understand how it affects your business. If you bury your head in the sand and make no effort – then I doubt any regulator would look on this approach in a favourable light!

Yes! The key point here is that the pressure will not just come from Govt, it will more likely initially come from difficult customers making subject access requests as above. They will be able to make your life very tricky if you can’t respond to them and they start reporting you to the authorities. And yes there will undoubtedly be a huge number of businesses who will not be compliant by 25 May next year, but remember if you do become compliant ahead of this date, there’s potentially a competitive edge to be had over your competitors.

In many ways, not much has changed, any data transfer needs to be made securely and in accordance with the businesses’ privacy policy. The so-called ‘white-listed’ countries that have been assessed by the EU Commission as having adequate safeguards all remain unchanged (there are currently only eleven including Canada, New Zealand and Israel). For transfers to the US, Privacy Shield remains available to self-certifying signatories to permit transfers., and the EU Model Contract Clauses also remain valid for controller-controller or controller-processor relationships, albeit there are expected to be updates forthcoming.

Sure, as an added extra on top of this already amazing Christmas present, here are some practical steps that you can take:

• Work out what personal and special category data your business uses and whether consent is required to continue using the data, or whether there is some other lawful grounds on which you may process this data
• Review your existing privacy policies, consent mechanisms and data retention policies and update these as required. Documents should be concise, easy to understand and reviewed on a regular basis.
• Where you have a system, software or supplier undertaking processing activities which are likely to result in a high risk to the rights and freedoms of data subjects, you will need to undertake a data privacy impact assessment. i.e. a sort of questionnaire process that interrogates the data processing functions within the new system / software /supplier. This will help you to understand where there are gaps in compliance and identify the means of plugging that gap.
• Ensure there is buy-in from key stakeholders in the business, as there needs to be a top-down cultural shift towards embracing privacy concerns.
• In an employer capacity, you should review all your employment contracts now to check if employee consent is being relied upon. If this is the case, then contract variations must be made, with the assistance of an employment specialist, as consent cannot genuinely be said to have been ‘freely given’ between employers and employees due to the unequal bargaining strength of the parties.