Each month we will be sharing four carefully chosen articles from the latest issue of our flagship publication ‘theHRDIRECTOR’ which exemplify the high standards we strive to achieve. We hope you find this in-depth article of interest and decide to become one of our valued subscribers.
Ground-breaking legislation or much ado about nothing? With General Data Protection Regulation (GDPR), organisations don’t have the luxury to operate a ‘wait and see’ approach, there is no grace period after the implementation date (25 May). Is revolution in the air? No, but significant changes are coming down the track.
Article by Donald MacKinnon, Director of Legal Services – Law At Work
Under the new GDPR legislation, the rights and obligations contained within the Data Protection Act 1998 (DPA) will be maintained – and expanded with new principles. Importantly, there are two new key themes running throughout the GDPR: transparency and accountability. In practice, these give rise to concrete actions organisations must take now and on an ongoing basis. For the most part, ‘transparency’ requires data controllers to inform data subjects about how and why their data is being used and about their rights under the GDPR, including the right to be forgotten and the right to have incorrect data amended. This should be done through privacy notices, containing general information on data subjects’ rights, as well as granular information on what data is held and how it is processed. The duty of accountability requires businesses to record data processing, demonstrate ongoing compliance and report data breaches. It is no longer enough to comply with data protection rules inadvertently; compliance must be deliberate and evidenced.
“Personal data breach notifications are now mandatory unless the breach is unlikely to result in a risk to the rights and freedoms of individuals – and these breaches must be reported within 72 hours”
Employers of all shapes and sizes should now audit the personal data they process to understand what they hold and why – and then maintain this record to demonstrate active compliance. The information gathered can then be used in data protection policies and privacy notices to inform employees. This process should also involve identifying the ‘lawful basis’ for processing each category of personal data; the resulting record should be retained and maintained to demonstrate active compliance with the GDPR. And while consent remains one of the lawful grounds for processing, blanket consent contained in an employment contract is unlikely to cut it under the GDPR, as it is difficult to demonstrate it was freely given. An employer could run into trouble if consent is used where another lawful basis exists but has not been identified, and the employee then withdraws consent to processing.
Aside from carrying out a data audit, other key considerations in demonstrating accountability include deciding who is responsible for data protection within the organisation and what happens if there is a data breach. Appointing a Data Protection Officer (DPO) is one way to demonstrate this accountability. As there was no need for such an individual under the DPA, there is a severe shortage of qualified individuals across Europe – and larger firms face a struggle to find the best person for the job. A DPO needs to have expertise in national and European data protection laws, an understanding of processing operations, IT and data security, and knowledge of the relevant business sector and organisation. Up until now, there has been little need for people to hone such a specific skill set. Thankfully, not all organisations have to hire a DPO under the GDPR. The designation of a DPO is only required in three specific cases: where the processing is carried out by a public authority; where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of processing special categories of data on a large scale.
Those terms clearly need defining but, in typical GDPR fashion, only a few of them are covered by the regulations. ‘Core activities’ means the key operations of an organisation, utilised to achieve its objectives. This covers organisations which are not in the data processing business but which process data as part of the firm’s activities; for example, medical organisations which process patients’ health data. Helpfully, the GDPR does not define what ‘regular and systematic monitoring’ or ‘large-scale’ mean in this context; however, the Article 29 Data Protection Working Party (WP29) has published guidance suggesting that ‘regular’ could mean processing that is ongoing or recurring, whilst ‘systematic’ means occurring according to a system, or taking place as part of a general plan. ‘Large-scale’ is harder to define, but a standard practice may develop over time.
DPOs are responsible for monitoring compliance and, on this basis, the WP29 has recommended organisations appoint a DPO voluntarily, even if they are not required to do so. However, this should be done with caution, as the WP29 suggests officers appointed on a voluntary basis are subject to the same requirements as a mandatory appointment. If an organisation does not wish to go this far but would like to have a specified post responsible for oversight of GDPR compliance, it would be preferable for the person’s title to be ‘Data Protection Manager’ or similar, with the non-statutory nature of the appointment made clear. Alternatively, organisations could allocate responsibility for data protection compliance to a team of individuals. Importantly, the DPO is not personally liable for the compliance of the organisation. Compliance is the corporate responsibility of the controller itself and is made easier by what the GDPR has described as “privacy by design”. This essentially means compliance with data protection rules should be embedded in any organisation, and businesses need to consider privacy at the initial design stages and throughout the development of any products, processes or services involving the processing of personal data, not as an afterthought.
Robust processes and procedures are paramount under GDPR. Personal data breach notifications are now mandatory unless the breach is unlikely to result in a risk to the rights and freedoms of individuals – and these breaches must be reported within 72 hours. The GDPR expects organisations to achieve a substantial amount in this timeframe. From being made aware of a breach, firms must identify its nature, then understand its likely consequences and consider the measures taken, or proposed to be taken, by the controller to address it. This information is then provided to the supervisory authority (which, in the UK, is the ICO). Before that process begins, the organisation must have evaluated the breach and analysed whether it risked the data subjects’ rights and freedoms, before deciding whether to report it at all. Additionally, there are considerations of whether the data subjects need to be notified, and the requirement to keep an accurate record of all data breaches, even those that are not reported. All data controllers and processors are therefore encouraged to ensure the correct processes are in place to detect a breach and that a plan is in place to report it. Encryption is one measure worth considering here: properly encrypted data is unintelligible to unauthorised parties even if a breach occurs.
The DPO is not actually responsible for reporting the breach, although they may advise on this. Organisations should therefore decide in advance who a breach should be reported to and how the line of communication will flow from the initial breach to the supervisory authority. Any delay due to lack of process will not be viewed kindly, and must be accompanied by adequate justification. A failure to report within the timeframe may be considered a failure to notify and could result in the relevant supervisory authority imposing administrative sanctions. Depending on the severity of the breach, this could be up to 20,000,000 EUR or four percent of total worldwide annual turnover. However, the ICO has confirmed it will not make an example of organisations guilty of relatively minor breaches of the regulations. In addition, those who engage with the reporting rules and demonstrate they have taken steps to comply with the GDPR more generally will likely receive a more sympathetic response to a breach notification.
The principle of accountability relies on ensuring that employees at all levels feel personally responsible for being compliant with GDPR. A serious breach of confidentiality or an organisation’s data protection policy can be included in a disciplinary procedure as gross misconduct. However, several organisations are considering whether to take further steps to ensure organisation-wide compliance.
Stick or carrot? Businesses remain divided. The Veritas 2017 GDPR Report surveyed 900 businesses across the UK, France, Germany, Australia and Singapore to understand how they are preparing for the changes. This report found 47 percent will add mandatory GDPR policy adherence into employees’ contracts, 34 percent are considering rewards for compliance and 25 percent would consider withholding benefits where the GDPR is not followed. Whatever measures are taken, everyone needs to do their bit, as compliance will be ongoing and there won’t be a ‘eureka moment’ with compliance met and regulations forgotten – the ICO has made that abundantly clear.