07.06.16
The general data protection regulation 2016: what’s in store for the public sector?
Source: PSE Jun/Jul 16
Geldards LLP’s senior associate Owen Evans and partner Lowri Phillips outline what public bodies need to know ahead of significant data protection reforms in 2018.
The countdown to new EU data protection laws has begun. The General Data Protection Regulation 2016 (GDPR) has now been published in the EU Official Journal and will automatically apply in all Member States from 25 May 2018. The new legislation will replace the Data Protection Directive 1995 (DPD) and the national legislation passed by Member States to implement the DPD (in the UK, this is the Data Protection Act 1998, or DPA).
Although the provisions set out in the GDPR will not “bite” for another two years, organisations are being advised to start preparing for the new laws as soon as possible. This is because the GDPR will introduce several significant changes to the current system of regulation – and to the ways in which organisations will need to approach and achieve compliance.
Key changes for the public sector
More data will be treated as ‘personal data’ and will, therefore, be subject to data protection laws. Under the GDPR, pseudonymised data is expressly classed as personal data: that is, data which can no longer be attributed to a specific individual without additional information that is kept separately (for example, a key-coded or encrypted dataset where the controller or someone else still holds the key or lookup table). Pseudonymisation is a risk-reducing security measure, not a way of taking data outside the regime; only genuinely anonymised data, which cannot be linked back to an individual by any reasonably likely means, falls outside it. In addition, online identifiers (e.g. internet protocol addresses and cookie identifiers) will usually be classified as personal data. Also, genetic data and biometric data will be “upgraded” to sensitive personal data (‘special categories’ of data under the GDPR) and will, therefore, be subject to tougher data protection rules.
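The point above is easy to get wrong in practice, so the following is an added example (not part of the original article) showing why pseudonymised data remains personal data. It replaces direct identifiers with keyed pseudonyms (HMAC-SHA256 under a secret key, one common pseudonymisation technique), then shows two things a practitioner should expect: whoever holds the key can re-identify a record by recomputation, and even without the key the records for one person remain linkable to each other. The records, key and identifiers are constructed for the example and refer to no real people or systems.

```python
"""Keyed pseudonymisation: the 'additional information' that allows
re-identification is the secret key, which must be held separately.

Constructed example; sample records and key are made up for illustration.
"""
import hmac
import hashlib

# Constructed sample records (fictitious e-mail addresses and documentation IPs).
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "ip": "203.0.113.7", "visits": 3},
    {"email": "bob@example.org", "ip": "198.51.100.42", "visits": 1},
    {"email": "alice@example.org", "ip": "203.0.113.7", "visits": 5},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same identifier + same key -> same token.

    A plain unkeyed hash would be reversible by anyone via a dictionary of
    likely identifiers (e-mail addresses, IPv4 space), so the key is essential.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace direct identifiers with pseudonyms; keep non-identifying fields."""
    return [
        {
            "email_pid": pseudonymise(r["email"], key),
            "ip_pid": pseudonymise(r["ip"], key),
            "visits": r["visits"],
        }
        for r in records
    ]


def reidentify(token: str, candidates, key: bytes):
    """Holder of the key recovers the identifier by recomputing over known
    candidates (e.g. the controller's own customer list). Returns None if the
    token was produced under a different key or from an unknown identifier."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate, key), token):
            return candidate
    return None


def link_activity(pseudonymised_records):
    """Even without the key, records sharing a pseudonym can be aggregated
    per individual ('singling out'), which is why the data is still personal."""
    totals = {}
    for r in pseudonymised_records:
        totals[r["email_pid"]] = totals.get(r["email_pid"], 0) + r["visits"]
    return totals


if __name__ == "__main__":
    # In production the key would come from a KMS/HSM, not a literal.
    demo_key = b"constructed-demo-key-not-for-production"
    pseudo = pseudonymise_records(SAMPLE_RECORDS, demo_key)
    print("pseudonymised:", pseudo)
    print("per-person totals (no key needed):", link_activity(pseudo))
    print("re-identified with key:",
          reidentify(pseudo[0]["email_pid"], [r["email"] for r in SAMPLE_RECORDS], demo_key))
```

The design choice worth noting is that the key, not the hash function, carries all the protection: anyone who obtains it can reverse every pseudonym in the dataset, so it must be stored and access-controlled separately from the pseudonymised data, and the pseudonymised dataset itself still needs the safeguards that apply to personal data.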
Public bodies will need to appoint a data protection officer (DPO)
Broadly speaking, the role of a DPO will be to ensure compliance by their organisation with the GDPR. The rules relating to the appointment and responsibilities of a DPO are set out in Articles 37 to 39 of the GDPR. Key points to note are:
- Public bodies can share a DPO
- The DPO must have expert knowledge and act independently
- The DPO can be a staff member or a hired contractor
Processing data on the basis of the ‘legitimate interests’ ground
Currently, one of the legal grounds on which public bodies can process personal data is that such processing is necessary for the purposes of the controller’s legitimate interests.
This ground for processing will no longer be available to public bodies for processing carried out in the performance of their tasks under the GDPR – so an alternative basis for processing will need to be established (e.g. that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, under Article 6(1)(e)).
It will be harder for public bodies to rely on consent as the legal basis for their processing.
As well as a new requirement that consent must be unambiguous and involve positive action by the data subject, the recitals to the GDPR state that consent should not form the legal basis for processing where there is an imbalance of power between the data subject and the controller.
Such an imbalance of power can often arise where the controller is a public authority, though whether there is actually an imbalance of power will depend on the circumstances surrounding the consent.
However, the GDPR makes clear that the starting point for public authorities should be not to rely on consent to legitimise their data processing. Where consent is relied on for sensitive (special category) personal data, it must be explicit.
Registering details
It will no longer be necessary to register details of data processing activities with the Information Commissioner’s Office (ICO). However, detailed internal records will need to be kept instead. Also, data controllers will need to be able to demonstrate their compliance with the GDPR/data protection principles.
The internal record-keeping requirements are set out in Article 30 of the GDPR. They are broader than the current registration requirements.
To create proper internal records, public bodies will need to evaluate thoroughly the type, extent and nature of data processing they undertake.
The GDPR makes provision for approved codes of conduct (Article 40) and approved certification mechanisms (Article 42) as ways of demonstrating compliance. However, it will be some time before these schemes are up and running.
Privacy notices
Public bodies will need to include more information in their privacy notices. The information to be included ranges from the identity and contact details of the controller to the legal basis for the processing and the data retention period.
All information provided or made available to data subjects will need to be transparent, easily accessible, concise and intelligible.
Data protection impact assessments
Public bodies will need to undertake data protection by design and default, and may need to carry out data protection impact assessments (DPIAs).
Data protection by design means that, from the outset, data processing systems must be designed to meet GDPR requirements, building in safeguards such as pseudonymisation and data minimisation rather than bolting them on afterwards. Data protection by default means that the most privacy-protective settings should be the norm and, by default, only personal data necessary for each specific purpose should be processed, whether measured by the amount of data collected, the extent of processing, the retention period or its accessibility. DPIAs will need to be undertaken before carrying out any processing that is likely to result in a high risk to individuals (Article 35).
Direct statutory obligations for data processors
Data processors will have direct statutory obligations and liabilities under the GDPR. Processors currently have no such statutory obligations/liabilities under the DPD or DPA.
Mandatory notification
Mandatory notification of personal data breaches to the ICO (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, in certain circumstances, to the affected data subjects, will be required.
Under the DPA, there is no system of mandatory notification (though many public bodies notify breaches to the ICO voluntarily, as a way of mitigating the consequences of a data breach).
Higher fines
Under the DPA the maximum fine is £500,000. Under the GDPR there will be two levels of fines and, under the higher tier, the maximum fine possible will be €20,000,000 or 4% of annual worldwide turnover (whichever is higher).
All obligations under the GDPR should be viewed in the light of the potentially enormous fines that can be imposed for non-compliance.
What to do next?
The most important thing is to ensure that key personnel understand the changes the GDPR is going to introduce, enabling the organisation to begin the process of evaluating exactly how it will be affected by the GDPR.
Ultimately, a detailed project plan will need to be created of the changes needed to achieve compliance by 25 May 2018.
The information in this article is intended as an overview of the law only and legal advice should be taken in relation to any specific issues. Whilst the information contained in this article is believed to be correct at the time of publication, Geldards LLP can accept no responsibility for any action taken in reliance on this article.