In this insight we explore the conditions and rights that will apply under the new General Data Protection Regulation (GDPR) legislation and how firms can best prepare for their new obligations.

Remind me – what is the GDPR?

The GDPR is a European Union regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.

It will replace the 1995 EU data protection directive (officially Directive 95/46/EC) and the UK Data Protection Act 1998 (DPA) when it comes into force on 25 May 2018.

Lawfulness of Processing Conditions

The onus is on a firm’s processors and/or controllers to identify and evidence their legal and/or contractual basis for processing, prior to carrying out any processing.

Once a legal basis has been established for processing data, this must be recorded and evidence of the determination retained. The processing of personal data is only considered lawful where one or more of the Article 6 clauses below apply:

  • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

The GDPR allows member states to introduce more specific provisions for clauses (c) and (e).

Article 6 also speaks to the continued transparency of the information provided to data subjects for the collection, processing and storage of personal data. Such information must be provided to individuals at the point their personal data is collected and must be clear and transparent as to the collection of data, use or intended use and reliance on consent to process.

With an individual's right to withdraw consent being part of the GDPR, it is even more important for firms to ensure that they are collecting data in a clear, easily accessible and transparent manner.

Extended Jurisdiction

Article 3 of the GDPR sets out the territorial scope of the regulation for those processing data and is considered one of the biggest changes to the current data privacy laws.

Jurisdiction and territorial scope in the current Data Protection Act (DPA) is somewhat ambiguous; however, the GDPR makes it clear that the regulation applies to the processing of personal data of data subjects who are in the EU, regardless of whether the processing takes place in the EU or not. The regulation also applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law and/or where the processing activities are related to:

  • The offering of goods or services to EU citizens (irrespective of whether a payment is required)
  • The monitoring of a data subject's behaviour as far as their behaviour takes place within the EU

Consent

The conditions for consent have been strengthened in the GDPR, with the onus on firms to demonstrate that they have obtained the data subject's consent in a clear, intelligible and transparent manner. Consent notices must be jargon free and easily accessible, with the right to withdraw and the purpose for data processing made clear. All consent must be verifiable, which means keeping records of the consent given.

Where the individual gives consent in the form of a written declaration that also covers other matters, that consent has to be clear and easily distinguishable. It should stand apart from the other matters in the document and ensure that the data subject knows they are giving consent for their data to be processed and stored.

As part of the GDPR, data subjects will have the right to withdraw their consent at any time, which will in no way affect the lawfulness of processing based on consent before its withdrawal. Firms must make sure that an individual can withdraw their consent as easily and as clearly as they can give it.

Processing of Special Categories of Personal Data

Referred to as 'sensitive personal data' under the DPA, the GDPR lists 'special categories' as personal data that can or may reveal:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person’s sex life or sexual orientation

Processing of special category personal data is strictly prohibited, unless the data subject has given explicit consent to the processing of such personal data for one or more specified purposes.

The processing of special category personal data is permitted where that processing is:

  • necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  • necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
  • related to personal data which are manifestly made public by the data subject
  • necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  • necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
  • necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
  • necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The Right to be Forgotten (Right to Erasure)

Data erasure entitles the data subject to have the data controller erase their personal data and cease any further processing and/or dissemination of the data. It could also see any related third parties forced to cease processing the data as well.

Article 17 of the GDPR states that data subjects have the right to request erasure where:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6 or point (a) of Article 9, and where there is no other legal ground for the processing
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2)
  • the personal data has been unlawfully processed
  • the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
  • the personal data has been collected in relation to the offer of information society services referred to in Article 8(1)

If personal data has been made public and there is a valid request to erase, data controllers will be obligated (within reason of cost and taking account of available technology) to take reasonable steps to inform all other known controllers of the individual's valid erasure request.

The data subject's right to erasure and the data controller's obligation to inform third party controllers do not apply to the extent that processing is necessary for:

  • exercising the right of freedom of expression and information
  • compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3)
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing
  • the establishment, exercise or defence of legal claims

Sanctions, Penalties and Compensation

Under the GDPR, firms who breach the regulations will be looking at much greater penalties than under the DPA. Fines can be up to 4% of annual global turnover or €20 Million, whichever is greater, which far exceeds the ICO's £500,000 maximum fine under the DPA.

Records of Processing

Under the GDPR, it will be mandatory to keep strict and transparent records of all processing activities. Such records must be in writing, including in electronic form, and must be available to the supervisory authority on request.

Each processing record must contain all of the following information:

  • the name and contact details of the controller
  • any joint controller (where applicable)
  • the controller’s representative (where applicable)
  • the data protection officer
  • the purposes of the processing
  • a description of the categories of data subjects and of the categories of personal data
  • the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations
  • transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards (where applicable)
  • where possible, the envisaged time limits for erasure of the different categories of data and a general description of the technical and organisational security measures referred to in Article 32(1)

Each processor and, where applicable, the processor's representative must maintain a record of:

  • all categories of processing activities carried out on behalf of a controller
  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting (and where applicable, the name and contact details of the controller/processor’s representative and the data protection officer)
  • the categories of processing carried out on behalf of each controller
  • transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards (where applicable)
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1)

The above obligations do not apply to an enterprise or organisation employing fewer than 250 people, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

If you are unsure how your activities fit within the rules, please take advantage of our Bespoke Advertising Advice or Marketing Review services. It's fast and confidential.
