The €20 Million Question: Will you be ready for the General Data Protection Regulation?

Rebecca McCall, University Solicitor at the University of Huddersfield and Chair of the Association of University Legal Practitioners (AULP), looks at the new General Data Protection Regulation and gives advice on how universities should prepare for it.

The General Data Protection Regulation has finally been adopted by the European Parliament and came into force on 24th May 2016. The Regulation will apply with direct effect in all EU Member States, including the UK*, from 25th May 2018, replacing the current UK Data Protection Act 1998.

The EU has heralded the Regulation as being an essential step to strengthen citizens’ fundamental rights in the digital age and to facilitate business by simplifying rules for companies in the Digital Single Market, suggesting that this will lead to savings for businesses of €2.3 billion a year.

However, there are important changes in the way the Regulation will operate compared with current legislation, which will place a more onerous burden on institutions and will require significant attention so that we are prepared for the implementation of the Regulation in two years’ time.

What is new?

Set out below are some key changes to draw to your attention at this early stage:

Fines: Data Controllers could be fined up to 4% of their global annual turnover or €20 million for certain breaches and up to 2%/€10 million for others. This is a significant increase from the current maximum amount of £500,000 that can be enforced in the UK.

Accountability: The Regulation requires data protection “by design and by default”. Although it will no longer be necessary to maintain a notification at the ICO, there are more onerous obligations to:

  • maintain internal records of personal data being processed and retention schedules
  • prepare data protection impact assessments for riskier processing
  • have clear privacy notices in place to inform data subjects about how their data is processed.

Consent to processing must be “freely given, specific, informed and ambiguous” and must be “explicit” for sensitive data. You must be able to demonstrate that consent was given. Consent will not be considered to be “freely given” if there was no genuine or free choice. For example, if it is made a condition of entering into a contract that data will be processed in a certain way, even if this is not needed to perform the contract, then consent will not be freely given (a common example in the services sector is being required to consent to receiving marketing information in order to obtain an unrelated service, such as a wifi connection). This could have implications for the processes currently in place at institutions, for example obtaining student consent to processing, which may in future need to be broken down into different sections.

Subject Access: Organisations will no longer be able to charge for dealing with a SAR and the response will need to be provided within one month (currently 40 days).

Breaches will need to be notified to the ICO within 72 hours (subject to some exceptions) and to the data subject where the breach might result in a high risk to their rights and freedoms.

Data Protection Officer: HEIs will be required to designate a Data Protection Officer (DPO) whose details must be notified to the ICO. The DPO must have expert knowledge of data protection law; will have statutory obligations under the Regulation; and be required to report directly to the “highest management level” of the organisation.

Right to be forgotten: This principle has been retained in the final version of the Regulation allowing individuals to require erasure of their personal data in certain situations, although research is a stated exception.

Data processors now have some direct statutory obligations, which might impact the way in which data protection is approached in supply agreements and from an HE perspective, care will need to be taken where data is being processed by an institution on behalf of a third party, for example under a research contract or collaborative provision arrangement.

International Transfers: The requirements are essentially the same. With the Safe Harbour regime now invalid and the jury still out on the Privacy Shield that was intended to replace it, organisations will need to continue to ensure that appropriate security, contractual and privacy notice/consent arrangements are in place where personal data is being transferred outside the EU.

What should institutions be doing now?

It is essential to start planning your approach to compliance as soon as possible. The ICO has published its “12 Steps” to preparing for the Regulation, which sets out the key areas on which organisations should be focussing their attention now, including:

  • Raising awareness across the organisation
  • Reviewing what personal data is held, where it came from, what it is used for and who it is shared with
  • Reviewing the terms on which data is shared with third parties, including organisations processing data on your behalf (e.g. software or cloud providers)
  • Reviewing data protection policies and privacy notices (the ICO will be bringing out a revised Privacy Notice Code of Practice shortly)
  • Reviewing how consent is obtained and recorded for processing
  • Checking procedures to ensure they cover the enhanced rights of individuals, including how data can be deleted and updating subject access request processes
  • Ensuring procedures are in place and utilised to detect, report and investigate data breaches
  • Developing a culture of “privacy by design” e.g. by requiring Privacy Impact Assessments for new data processing activities
  • Designating a Data Protection Officer and assessing where this role will sit within your governance arrangements

*The Brexit Elephant in the Room

So what happens if the Leave campaign wins on 23rd June? The message coming from the ICO is that organisations should still continue to prepare for the Regulation. If the UK leaves the EU, it will still be bound by the Regulation to the extent that it processes personal data of EU data subjects.

What should you do next?

There is no question that additional time and resource will need to be spent by institutions to enable compliance with the Regulation. You might want to sit down with your Data Protection Officer or equivalent sooner rather than later to work through an appropriate action plan.

Further Information

  • View the full text of the Regulation
  • The ICO has established a separate website where they will post guidance, blogs and videos on the implementation of the Regulation. This already includes the “12 Steps” guidance referred to above and information about the timetable for introduction of further detailed guidance, which is expected to be introduced over the next six months.
  • Further guidance will be made available by the EU based on the work being carried out by the Article 29 Working Party – check the ICO site for updates.