New General Data Protection Regulation
The new General Data Protection Regulation (GDPR) places a number of new and different requirements and responsibilities on organisations. It's been called both ambitious and onerous and at 260 pages long it is certainly a substantial piece of legislation.
The implementation phase for the new General Data Protection Regulation started in May 2016, when it came into force, with the Regulation applying fully from 25 May 2018 - that isn't a lot of time for the number of changes that need to be made. The UK Government retains the ability to introduce some derogations for special purposes, and guidance on these is still to be issued, but in the meantime there are a number of actions that staff across the University can start taking now to ensure that we are ready by May 2018. These are summarised below along with some of the key changes that the Regulation brings. Training and briefing sessions will begin in early 2017 - details will be available on the Corporate Learning and Development intranet pages. Please contact Governance Services if you have any queries.
Guidance from the regulator, UK Information Commissioner, is available online using the following link: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Please let Governance Services know if you would like to be advised of future updates by emailing email@example.com
The maximum fine for the most serious infringements is now €20 million or 4% of annual global turnover. This means that the risks of processing personal data have increased substantially. There is a tiered system of fines and the UK Information Commissioner, who is the regulator, works out the level of penalty based on the severity of the breach, failures to implement technical and organisational measures to comply with the Regulation, the effects on the individuals whose data is involved, etc. There are also fines of up to €10 million or 2% of annual global turnover for failure to report a breach. Any member of staff who suspects that there has been a breach or there is the potential for a breach should contact Governance Services for guidance.
2. Definition of personal data
Personal data may now include online identifiers, device identifiers, cookie IDs, IP addresses, location data, etc., and sensitive personal data will include genetic and biometric data. This means that data which was previously not considered to fall within the definition of personal data must now be given the additional protections that apply to personal data.
ACTION: Identify any information which your school/service area processes which may be encompassed by this expanded definition and ensure appropriate technical and organisational measures are in place to protect it whilst processed and stored within the University and when it is transferred/sent externally and internally.
3. Conditions for processing
The legal basis for processing personal data must be determined and documented for each different process/activity in which personal data is processed. Organisations are required to demonstrate compliance by keeping records documenting all personal data processing activities, detailing the purpose of the processing, the lawful basis* (conditions/justification) for processing, who the data subjects are, details of any recipients that the data may be shared with, retention policies and the security measures taken.
* Currently the University uses the 'legitimate interests' condition to process a substantial amount of personal data - this may not be available to Universities under the new Regulation (awaiting a decision by the UK Government) and we may need to look at alternatives.
ACTION: Please contact Governance Services for advice. Each School/Service Area within the University needs to maintain a schedule of the personal data that they process which includes the information noted above. Governance Services will contact you in due course regarding a Data Protection Audit, which we are required to undertake.
4. Privacy Notices
New requirements for 'privacy notices' (also known as 'processing statements' or 'fair processing notices') mean that extensive information needs to be provided to individuals in clear and plain language, including the information required in 3. above, to demonstrate compliance, e.g. the lawful basis for processing, who has access to the data/who it is shared with, the purposes for processing, the data subjects covered by the notice, the retention period for the data, the security measures applied to the data, data subjects' rights and how they can exercise them, etc.
ACTION: All privacy notices to be reviewed to ensure they are compliant. Please contact Governance Services for further guidance.
5. Contracts with Data Processors, including those who have access to personal data e.g. software providers
Legal compliance obligations are now imposed on data processors under the Regulation. Processors must guarantee and demonstrate compliance with the Regulation and sign binding written agreements. Processors are liable for any breach for which they are directly responsible.
ACTION: ALL contracts/arrangements with processors must be reviewed to ensure that a Data Sharing Agreement is included and the University is no longer liable for processors' actions.
6. Contracts with Data Processors (or other Data Controllers) holding personal data outside the European Economic Area (EEA)
ACTION: Review ALL contracts/arrangements with third parties processing personal data outside the EEA or approved countries for which the University is the 'data controller'.
7. Privacy Impact Assessments (PIAs) for system design and/or procurement projects (Privacy by Design)
There will be a legal requirement to conduct 'Privacy Impact Assessments' for all new processes/systems which process personal data. This is to be included as part of the project plan from the start of systems design and/or procurement. Governance Services have templates and guidance available, and will assist with guiding you through the process.
ACTION: If you are implementing new systems and processes, please ensure that PIAs are considered as standard practice. This is a requirement with immediate effect: systems being designed now are likely to be in place once the Regulation comes into force, and carrying out the PIA now will save doing the work retrospectively.
8. Consent, where this is required for processing personal data, including e-marketing
The controller must be able to demonstrate that consent has been 'freely given and is specific, informed and unambiguous' and hasn't been withdrawn. It must be as easy to withdraw consent as to give it. Systems should be in place to record consent/withdrawal to ensure that there is an effective audit trail. Comprehensive processing notices, mentioned in 4. above, must be provided to individuals. It is no longer possible to rely on pre-ticked consent boxes, 'opt-outs' or 'soft opt-ins'.
ACTION: Check that any e-marketing complies and ensure that where consent is relied on as the basis for processing this too is compliant with the legislation. Start asking for consent NOW, don't leave it until the new Regulation is in force.
9. Data Subject Rights - Data Portability
Individuals have the right to receive the personal data that they have provided in a 'commonly used and machine readable format'.
ACTION: System administrators must ensure that data can be extracted from the systems they administer in a re-usable, open source format.
10. Data Subject Rights - Profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which has a significant or legal effect on them.
There is an obligation to inform individuals specifically about profiling activities and a prohibition on profiling based on sensitive personal data (unless explicit consent has been obtained).
The UK Information Commissioner will be providing further guidance in the near future - please let Governance Services know if you would like to be advised of future updates by emailing firstname.lastname@example.org.
ACTION: Review any profiling activities to ensure they comply with the new requirements.
11. Data Subject Rights - Subject Access Requests and the 'Right to be Forgotten'
Individuals have the right to receive confirmation of whether or not their personal data is being processed, where this is taking place and for what purpose. The timescales for organisations to comply with subject access requests have been reduced to one month.
The right to erasure of personal data has been strengthened, but it is not an absolute right and only applies in certain situations. Individuals can also potentially halt the processing of their data by third parties.
ACTION: Ensure records management processes and procedures are adequate to enable efficient identification and collection of personal data.
Governance Services are now providing GDPR Briefing sessions, details can be found here.