New General Data Protection Regulation
The new General Data Protection Regulation (GDPR) places a number of new and different requirements and responsibilities on organisations. It's been called both ambitious and onerous and at 260 pages long it is certainly a substantial piece of legislation.
The implementation phase for the new General Data Protection Regulation started in May 2016, when it came into force, with the Regulation applying fully from 25 May 2018. The UK Government retained the ability to introduce some derogations for special purposes and these form part of the Data Protection Act 2018 (DPA 2018), which also commenced on 25 May 2018. The GDPR and the DPA 2018 together form the data protection legislation in the UK.
A lot of work has been done across the University; however, there are a number of actions that staff should still be taking to ensure compliance. These are summarised below along with some of the key changes that the Regulation brings. Training and briefing sessions began in early 2017 and are still available - you can find details of these here. Please contact Governance Services if you have any queries.
Guidance from the regulator, the UK Information Commissioner, is available online here.
1. Fines
The maximum fine for the most serious infringements is now €20 million or 4% of annual global turnover, whichever is higher. This means that the risks of processing personal data have increased substantially. There is a tiered system of fines and the UK Information Commissioner, who is the regulator, works out the level of penalty based on the severity of the breach, failures to implement technical and organisational measures to comply with the Regulation, the effects on the individuals whose data is involved, etc. There are also fines of up to €10 million or 2% of annual global turnover for failure to report a breach. Any member of staff who suspects that there has been a breach, or that there is the potential for a breach, should contact Governance Services for guidance.
2. Definition of personal data
Personal data may now include online identifiers, device identifiers, cookie IDs, IP addresses, location data, etc. and special category (sensitive) personal data will include genetic and biometric data. This means that data which was previously not considered to be personal data, or to fall within the definition of personal data, now needs the additional protections given to personal data applied.
ACTION: Identify any information which your school/service area processes which may be encompassed by this expanded definition and ensure appropriate technical and organisational measures are in place to protect it whilst processed and stored within the University and when it is transferred/sent externally and internally.
3. Conditions for processing
The legal basis for processing personal data must be determined and documented for each different process/activity in which personal data is processed. Organisations are required to demonstrate compliance by keeping records documenting all personal data processing activities, detailing the purpose of the processing, the lawful basis (conditions/justification) for processing, who the data subjects are, details of any recipients that the data may be shared with, retention policies and the security measures taken.
ACTION: Please contact Governance Services for advice. Each School/Service Area within the University needs to maintain a schedule of the personal data that they process which includes the information noted above. Governance Services will contact you in due course regarding a Data Protection Audit, which we are required to undertake.
4. Privacy Notices
New requirements for 'privacy notices' (also known as 'processing statements' or 'fair processing notices') mean that extensive information needs to be provided to individuals in clear and plain language, including the information required in 3. above, to demonstrate compliance, e.g. the lawful basis for processing, who has access to the data/who it is shared with, the purposes for processing, the data subjects covered by the notice, the retention period for the data, the security measures applied to the data, data subjects' rights and how they can exercise them, etc.
ACTION: All privacy notices to be reviewed to ensure they are compliant. Please contact Governance Services for further guidance.
5. Contracts with Data Processors, including those who have access to personal data e.g. software providers
Legal compliance obligations are now imposed on data processors under the Regulation. Processors must guarantee and demonstrate compliance with the Regulation and sign binding written agreements. Processors are liable for any breach for which they are directly responsible.
ACTION: ALL contracts/arrangements with processors must be reviewed to ensure that a Data Sharing Agreement is included and the University is no longer liable for processors' actions.
6. Contracts with Data Processors (or other Data Controllers) holding personal data outside the European Economic Area (EEA)
- For parties processing personal data in the US - on 1 August 2016 a new scheme, the EU-US Privacy Shield, became operational for companies processing EU/UK personal data in the US. Contracts must be reviewed to ensure that data processors are signed up to the scheme - if not this is a breach of current legislation. For further information see here.
- For parties processing personal data outside the EEA, but not in the US or in a third country which has been approved as having adequate protections in place - contracts must be reviewed to ensure that they include either a) standard data protection clauses adopted by the UK Information Commissioner, or b) approved binding corporate rules (BCR).
ACTION: Review ALL contracts/arrangements with third parties processing personal data outside the EEA or approved countries for which the University is the 'data controller'.
7. Privacy Impact Assessments (PIAs) for system design and/or procurement projects (Privacy by Design)
There will be a legal requirement to conduct 'Privacy Impact Assessments' for all new processes/systems which process personal data. This is to be included as part of the project plan from the start of systems design and/or procurement. Governance Services have templates and guidance available, and will assist with guiding you through the process.
ACTION: If you are implementing new systems and processes, please ensure that PIAs are considered as standard practice. This is a requirement with immediate effect, as the systems are likely to be in place once the Regulation comes into force, and it will save doing the work retrospectively.
8. Consent, where this is required for processing personal data, including e-marketing
The controller must be able to demonstrate that consent has been 'freely given and is specific, informed and unambiguous' and has not been withdrawn. It must be as easy to withdraw consent as to give it. Systems should be in place to record consent and its withdrawal so that there is an effective audit trail. The comprehensive processing notices mentioned in 4. above must be provided to individuals. It is no longer possible to rely on pre-ticked consent boxes, 'opt-outs' or 'soft opt-ins'.
ACTION: Check that any e-marketing complies and ensure that, where consent is relied on as the basis for processing, this too is compliant with the legislation. Start asking for consent NOW; don't leave it until the new Regulation is in force.
9. Data Subject Rights - Data Portability
Individuals have the right to receive the personal data that they have provided in a 'commonly used and machine readable format'.
ACTION: System administrators must ensure that data can be extracted from the systems they administer in a reusable, open source format.
10. Data Subject Rights - Profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which has a significant or legal effect on them.
There is an obligation to inform individuals specifically about profiling activities and a prohibition on profiling based on sensitive personal data (unless explicit consent has been obtained).
The UK Information Commissioner will be providing further guidance in the near future. Please let Governance Services know if you would like to be advised of future updates by emailing firstname.lastname@example.org
ACTION: Review any profiling activities to ensure they comply with the new requirements.
11. Data Subject Rights - Subject Access Requests and the 'Right to be Forgotten'
Individuals have the right to receive confirmation of whether or not their personal data is being processed, where this is taking place and for what purpose. The timescales for organisations to comply with subject access requests have been reduced to one month.
There are increased rights to erasure of personal data; these are not absolute rights and only apply in certain situations. Individuals can also potentially halt the processing of their data by third parties.
ACTION: Ensure records management processes and procedures are adequate to enable efficient identification and collection of personal data.