The General Data Protection Regulation (GDPR)
This guide provides an overview of the General Data Protection Regulation and its implications for business. It identifies strategic issues which companies will need to bear in mind when processing personal data for the purposes of their business, including the collection of data, the lawful basis on which it can be processed, subject access requests, security and the export of personal data outside the EEA.
1. Introduction to the new legislation
The General Data Protection Regulation 2016/679 (the GDPR) is intended to modernise and enhance data protection rights and to facilitate a borderless digital single market across the European Union. Although the GDPR's main concepts and principles are similar to those in current data protection law, it places a number of additional obligations on companies processing data in the EU and also extends the regime's territorial scope.
When does the GDPR come into force?
On 14 April 2016, the European Parliament adopted the GDPR. The Regulation has since been published in the EU's Official Journal. It entered into force on 24 May 2016 and its provisions will be directly applicable in all Member States two years later on 25 May 2018. A theme of the legislation is that organisations must be accountable for all their processing activities. The scope of the reform package is extensive and compliance is mandatory. Businesses will be well advised to begin planning for the changes as soon as possible.
The territorial scope
The GDPR will apply to the processing of personal data by a controller or a processor in the context of the activities of their establishment in the EU, regardless of where the processing actually takes place.
In addition, the GDPR will apply to the processing of personal data relating to individuals who are in the EU by a controller or processor which is not established in the EU where the processing is related to:
(a) the offering of goods or services to those individuals in the EU; or
(b) the monitoring of their behaviour in the EU.
This extends the territorial scope of the regime in two ways. First, it applies to both controllers and processors (the previous law placed obligations only on controllers). Second, it applies to controllers and processors not established in the EU who process data relating to data subjects who are within the EU, irrespective of where the data is processed. Previous legislation reached controllers established outside the EU only where they made use of equipment situated within the EU for the processing.
Key concepts
The key concepts such as the meaning of "data subject", "personal data", "processing", "controller" and "processor" are similar to the previous law:
"Data subject" means any identified or identifiable natural person;
"Personal data" means any information relating to a data subject;
"Processing" means any operation or set of operations performed upon personal data. The definition now explicitly includes reference to the storage or structuring of data;
"Controller" means a person who, alone or jointly with others, determines the purposes and means of the processing of personal data, which person may be designated by EU or Member State law; and
"Processor" means a person who processes personal data on behalf of the controller.
The principal change to the key concepts under the GDPR concerns "consent", which now means: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
Consent now needs to be given in a manner which signifies agreement to the processing in an unambiguous manner. This will restrict the ability of businesses to rely on the processing of data by, for example, opt-out as opposed to opt-in.
There are a number of new concepts, such as "profiling" and "pseudonymisation", that this guide will deal with in due course.
2. Lawful processing
Data protection principles
The GDPR is based on the following data protection principles:
- lawfulness;
- fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- integrity and confidentiality; and
- accountability.
The scope and content of these principles is similar to those set out in Directive 95/46/EC (the Data Protection Directive). Noteworthy changes include the newly introduced explicit requirement of transparency and the principle of accountability. The latter will have a material impact, as it will require corporates to demonstrate compliance with the GDPR on the basis of specific documentation. For instance, organisations implementing new IT tools will need to undertake routine compliance checks and use "privacy by design", addressing data protection issues at the outset.
Processing conditions
The grounds for processing personal data under the GDPR are materially similar to those under the Data Protection Directive, although see the section entitled "Legitimate Interests" below.
Consent
As indicated above, where the processing is based on consent, the GDPR requires the controller to be able to demonstrate that the consent is freely given, specific and informed, and that it is an "unambiguous indication" of a data subject's wishes expressed either by a statement or a clear affirmative action. Consent will be purpose-limited, i.e. it will permit processing only for explicitly specified purposes.
Consent contained in a written declaration must be distinguishable from other matters in the declaration and must be intelligible, easily accessible, and in clear and plain language. This is intended to eliminate any confusion as to whether consent has or has not been given, and whether it can be implied by a particular action (or inaction). Different types of data uses require separate consent (presenting an "all or nothing" choice to individuals is not permitted).
Data subjects must also have the right to revoke their consent at any time and it must be as easy to withdraw consent as it is to give it. Where the performance of a contract is made conditional on consent to the processing of data which is not necessary for the performance of that contract, such consent should not be regarded as freely given. This may have a significant impact in the employment sphere.
The GDPR also sets out specific conditions applicable to children's consent in relation to information society services, namely internet services: parental consent is required for the processing of personal data of children under the age of 16, unless Member State law provides for a lower age that is not under 13.
Legitimate interests
Legitimate interests may exist for processing personal data without consent, for example, in situations where the data subject is a client or in the service of the controller. This requires careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interests of the data controller where personal data is processed in circumstances where data subjects do not reasonably expect further processing.
Other examples of legitimate interests might be preventing fraud, ensuring network and information security, reporting possible criminal acts or threats to public security to a competent authority and direct marketing. Controllers that are part of a group of undertakings or institutions affiliated to a central body may have legitimate interests in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. However, the requirements for international data transfers will still apply, even within a corporate group.
Controllers that rely on legitimate interests should maintain a record of their assessment, so that they can demonstrate that they have given proper consideration to the rights and freedoms of data subjects.
Further processing
The GDPR sets out factors a controller must take into account to assess whether a new processing purpose is compatible with the purpose for which the data was initially collected. These include:
- any link between the original and proposed new purposes;
- the context in which data has been collected;
- the nature of the data;
- the possible consequences of the proposed processing;
- the existence of safeguards, including encryption or pseudonymisation (where the data can no longer be attributed to a specific individual without additional information that is kept separately and protected); and
- disclosures in the context of corporate and finance transactions.
Sensitive data
More restrictive rules apply under the GDPR to the processing of "special categories of personal data", also referred to as "sensitive data". The categories which are considered as sensitive are data relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- health; or
- sex life and sexual orientation.
Sensitive data now expressly includes "genetic data" and "biometric data" where processed "to uniquely identify a person".
Data relating to criminal convictions and offences is not categorised as "sensitive" for the purposes of the GDPR (as it was under the Data Protection Directive regime). It is instead subject to its own restriction under Article 10: such data may be processed only under the control of official authority or where EU or Member State law authorises it and provides appropriate safeguards.
The GDPR contains certain exceptions under which the processing of sensitive data is permitted, in particular where the explicit consent of the data subject has been obtained, where the processing is necessary for carrying out obligations under employment or social security law, and where the data has been manifestly made public by the data subject. It should be noted that there is no exception enabling the processing of sensitive data merely because it is in the legitimate interests of the controller.
3. Data subject rights
General
The GDPR enhances and clarifies the existing rights of data subjects. In addition, it contains a number of new rights for data subjects around data portability, the right to be forgotten and the right to object to profiling.
Fair processing notices
The GDPR requires a significant increase in the information to be provided by data controllers to data subjects. Under the current law, a data controller already has to provide the data subject with the identity of the controller, the purpose of the processing and the recipients of the data. However, under the GDPR, the list of data to be provided is expanded to include the following:
- details of any relevant data protection officer;
- the legal basis for the processing of the data;
- details of any transfers of the data outside of the EU and, if the data is being transferred, how the data will be protected;
- the retention period for the data;
- the individual's rights in relation to the data, for example in relation to access, rectification and erasure;
- the individual's right to complain to a supervisory authority; and
- whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data.
The information must be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language.
Access rights
The data subjects' access right in the GDPR is similar to the right under the existing rules. However, controllers will be required to provide more extensive information about the personal data being processed on data subjects including the legal basis for the processing, the period of storage and details of whether the data has been transferred outside of the EEA.
The current default period for compliance with a subject access request of 40 days will be replaced with an obligation to comply without undue delay and within one month, with an extension of two additional months if it is a complex request.
The £10 fee will be abolished although a new provision has been introduced which allows a company to either refuse a request or charge a "reasonable fee" where a subject access request is "manifestly unfounded or excessive".
Rectification
Individuals will now be able to require a controller to rectify inaccurate personal data which is held about them. In some circumstances, if personal data is incomplete, then the controller may also be required to complete the data.
Erasure
Individuals have the right to request that businesses delete their personal data in certain circumstances. This is not an entirely new right, but rather builds on the "right to be forgotten" principle that was established by the Court of Justice of the European Union in its ruling in Google Spain -v- AEPD and Mario Costeja Gonzalez in 2014.
The right to erasure may be exercised where any of the following apply:
- the processing of data is no longer necessary in relation to the purposes for which it was collected or processed;
- data has been unlawfully processed;
- the individual withdraws consent to processing and there is no other justification for processing; or
- the data subject objects and the controller cannot show "overriding legitimate grounds" for continuing in circumstances where the processing is based on the "legitimate interest" condition.
However, there are a number of grounds on which data controllers can rely to retain personal data. These include compelling legitimate grounds, compliance with a legal obligation, and the establishment, exercise or defence of legal claims.
Portability
Data subjects will now have a new right to obtain a copy of their personal data from the data controller in a commonly used and machine readable format in order to transmit that data to another controller. In exercising their right, the data subject can request that the information be transmitted directly from one controller to another, where this is possible.
The right to data portability only applies where data is processed by automated means, the data subject has consented to the processing or the processing is necessary to fulfil a contract.
Right to object
There is no right for an individual to object to processing in general. However, in certain circumstances, individuals will have the right to object to their personal data being processed for certain specific purposes. Data subjects can object to:
- processing which is for direct marketing purposes;
- processing for scientific, historical research or statistical purposes where the individual is able to establish specific grounds which relate to their own specific situation. An exception applies where the processing is necessary for the performance of a task carried out for reasons of public interest; and
- processing for legitimate interest grounds or where it is necessary for a public interest task, but again only where the data subject can establish grounds involving their own specific situation. In these circumstances, the controller must cease processing unless it can demonstrate compelling grounds which override the interests of the data subject, or where the processing is necessary for the defence or establishment of legal claims.
Profiling
The GDPR introduces a new definition of "profiling" which is defined as "any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements".
Data subjects will now have the right not to be subject to a decision based solely on automated processing, including profiling, which produces a legal or similarly significant effect on them, for example online credit decisions. The restriction will not apply if the decision is necessary for a contract, is authorised by law or is based on the explicit consent of the data subject. Such decisions may not be based on sensitive personal data unless the data subject has given explicit consent or the processing is necessary for reasons of substantial public interest, and in either case suitable safeguards for the data subject's rights must be in place.
4. Obligations on data controllers and data processors
General obligations of controllers
Under the GDPR, controllers are required to implement appropriate technical and organisational measures to ensure that processing is performed in accordance with its provisions. Where proportionate, this will include the implementation of appropriate data protection policies. Adhering to codes of conduct or approved certification mechanisms (discussed below) is one way of demonstrating compliance with this obligation.
Controllers are required to keep written records of the processing activities under their responsibility, including the purposes of the processing, the categories of data subjects and personal data, any international transfers of such data and a general description of the technical and organisational security measures. Processors must keep a corresponding record of the categories of processing carried out on behalf of each controller. Furthermore, controllers must co-operate with their supervisory authority (in the UK, the Information Commissioner's Office (the ICO)) in the performance of its tasks.
Data protection by design and by default
One of the central pillars of the GDPR is the concept of data protection by design and by default. Essentially, this requires that controllers:
(a) both when determining how data will be processed and, at the time of processing, implement appropriate technical and organisational measures (e.g. pseudonymisation) to integrate necessary safeguards to meet the requirements of the legislation; and
(b) implement appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing is processed.
General obligations of processors
Controllers can only use processors who provide sufficient guarantees that they will implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR. A processor may not engage a sub-processor without the controller's prior specific or general written authorisation, and must flow down the same data protection obligations to any sub-processor it does engage.
In a key change from the previous regime, the GDPR introduces direct obligations on processors. It stipulates that a processor must be governed by a contract which contains:
(a) details of the subject matter, nature, purpose and duration of processing and types of personal data being processed;
(b) details of the categories of data subject and the obligations and rights of the controller;
(c) all of the issues set out in the detailed and prescriptive list in Article 28(3) of the GDPR; and
(d) various specific obligations placed on the processors – for example, only to process data in accordance with documented instructions from the controller.
The above content must be considered whenever a controller is looking to contract with a processor.
As with controllers, processors can show compliance by adhering to codes of conduct or certification mechanisms (see below), or through implementing standard clauses adopted by the European Commission or a supervisory authority, such as the ICO, and must co-operate with its supervisory authority in the performance of its tasks.
Processors will also fall within the sanctions and enforcement regime under the GDPR, providing further incentives for compliance. The imposition of direct obligations on processors is likely to mean that negotiations between controllers and processors will be more detailed and processors may seek to charge increased fees to offset the additional obligations they are assuming.
Data security
The GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security of personal data proportionate to the risk, e.g. using pseudonymisation and encryption, ensuring confidentiality of processing systems and having a process for regularly testing these measures.
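Pseudonymisation is named above, and under "Data protection by design and by default", as an example of an appropriate technical measure. The following is an added illustration, not text or code from the guide, of the distinction a security engineer has to draw in practice: an unkeyed hash of an identifier such as an e-mail address is not pseudonymisation in the sense the GDPR intends, because anyone who can guess the input can recompute the hash and re-identify the record; a keyed hash (HMAC) whose key is held separately from the dataset keeps the link recoverable only to the key holder. The customer records, the attacker's guess list and the function names are constructed for the example.

```python
"""Keyed pseudonymisation versus plain hashing of direct identifiers.

Added example (not part of the original guide). All records and names below
are constructed for illustration. The key would in practice live in a KMS or
HSM, stored separately from the pseudonymised dataset and access-controlled.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

# Constructed sample dataset: direct identifier plus a few attributes.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "Bob@Example.org", "plan": "free", "country": "FR"},
]

# Constructed list of addresses an attacker might plausibly hold
# (a leaked marketing list, a scraped directory, ...).
ATTACKER_DICTIONARY = ["alice@example.com", "bob@example.org", "carol@example.net"]


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key (kept apart from the data)."""
    return secrets.token_bytes(32)


def _normalise(email: str) -> bytes:
    # Normalise case and whitespace so the same person maps to one pseudonym.
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: deterministic and public, so it can be reversed by
    hashing a list of guessed inputs and matching. Not a safeguard."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key an attacker cannot
    recompute the mapping, so the dataset alone no longer identifies anyone."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym. The remaining
    attributes are left as they are; reducing them is a separate
    data-minimisation step."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_dictionary(
    pseudonyms: List[str],
    dictionary: List[str],
    fn: Callable[[str], str],
) -> Dict[str, str]:
    """Attacker model: recompute fn over every guessed identifier and look
    for matches. Returns pseudonym -> recovered identifier for each hit."""
    table = {fn(guess): guess for guess in dictionary}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    key = new_key()
    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed = [keyed_pseudonym(r["email"], key) for r in RECORDS]
    print("plain hash, dictionary attack:", reidentify_by_dictionary(naive, ATTACKER_DICTIONARY, naive_pseudonym))
    print("keyed hash, same attack:", reidentify_by_dictionary(keyed, ATTACKER_DICTIONARY, naive_pseudonym))
    print("pseudonymised dataset:", pseudonymise(RECORDS, key))
```

Two points follow from running it. The attacker recovers every plain-hash record from a short guess list, but none of the keyed ones, even though the pseudonymised dataset is otherwise identical; and the key holder can still re-link a record when a subject access or erasure request arrives, which is what distinguishes pseudonymisation from anonymisation. Rotating the key, or using a per-purpose key, also prevents two pseudonymised datasets from being joined on the identifier.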
A chain system is also established for the notification of personal data breaches:
(a) a processor must notify the controller of data breaches without undue delay;
(b) the controller must then report the breach to the relevant supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where feasible, this report must be made not later than 72 hours after the controller has become aware of the breach; and
(c) where there is a high risk to a data subject, the controller must communicate the breach to the data subject without undue delay.
Impact assessment
Closely linked to the concept of data protection by design and by default is the requirement that a controller carries out a data protection impact assessment (DPIA), for example prior to the introduction of new technologies or types of processing that are likely to pose a "high risk" to individuals' rights and freedoms.
In the UK, the ICO is expected to publish guidance setting out which types of processing operations require a DPIA, in order to provide greater clarity in this area. Where an assessment identifies a high residual risk to data subjects that the controller cannot mitigate, the controller must consult the supervisory authority prior to processing.
Data protection officers
Under the GDPR, controllers and processors are required to appoint a data protection officer if:
(a) they are a public authority or body;
(b) their core activities require regular and systematic monitoring of data subjects on a large scale; or
(c) their core activities consist of large-scale processing of special categories of data (i.e. sensitive data) or of personal data relating to criminal convictions and offences.
The role of the data protection officer is broadly to inform and advise on the controller's or processor's obligations under the legislation and to monitor compliance. Data protection officers will owe a duty to co-operate with the supervisory authority and have statutory protections to allow them to carry out this role (see more on supervisory authorities below). It is hoped that the ICO will offer guidance regarding (a) to (c) above in order to provide greater certainty as to when a data protection officer will be required. However, given the wide-reaching nature of the legislation and the considerable sanctions for non-compliance, any organisation that regularly processes personal data should consider allocating an officer specifically tasked with ensuring compliance.
Codes of conduct and certification
Associations may draw up codes of conduct relating to the application of the GDPR in certain areas and present them for approval by the relevant supervisory authority or, where the code concerns processing in several Member States, by the European Data Protection Board (EDPB), the body established to oversee consistent application of the GDPR across the EU (see more on the EDPB below). Various provisions of the GDPR provide that adhering to an approved code of conduct is a way of demonstrating compliance with the legislation. It is anticipated that such codes will provide an important source of guidance in interpreting the GDPR.
Additionally, certification mechanisms and compliance seals or marks may be developed by various institutions and will be issued by certifying bodies for the purpose of showing compliance by controllers or processors. The certification process will be voluntary and a certificate, once given, will last for three years.
5. Data export outside the EEA
The GDPR contains broadly the same principles and mechanisms for transferring personal data outside of the EEA as under the Data Protection Directive, with some expansion of scope.
Such transfers may only occur if the controller and/or the processor, as applicable, comply with the conditions set out in the GDPR, which are intended to ensure that the level of protection guaranteed to data subjects is not undermined when their personal data is transferred to a third country. This section will be of particular significance to businesses that transfer personal data out of the EEA and, increasingly, businesses that use cloud platforms and remote IT services.
A breach of data transfer provisions can incur the maximum level of fines under the GDPR (up to four per cent of worldwide annual turnover – see below for more details).
Transfers of personal data are permitted in the following circumstances:
Transfer to an adequate jurisdiction: i.e. to a third country, territory, specified sector or the international organisation that the Commission has designated as ensuring an adequate level of protection. The existing list of approved jurisdictions under the Data Protection Directive (e.g. Switzerland and New Zealand) will remain valid under the GDPR, subject to periodic review. Following a recent ruling of the Court of Justice of the European Union, the EU-US Safe Harbor certification scheme is no longer valid for transatlantic data transfers. Instead, the EU-US Privacy Shield agreement was finalised and came into force on 12 July 2016, providing a mechanism for transfers from the EU to the US - see below.
Transfer from the EU to the US pursuant to Privacy Shield: under this arrangement the European Commission has declared that the US maintains an adequate level of protection for personal data transferred from the EU to US organisations that have certified under the scheme. From 1 August 2016, US businesses can self-certify with the US Department of Commerce as being compliant with the Privacy Shield principles.
These principles include, among others, strong obligations on US companies handling personal data, sanctions for non-compliance, and the tightening of conditions for onward transfers of personal data to third parties. US assurances have also been given that access to personal data by public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. A transfer of personal data from the EU to a US business that has signed up to Privacy Shield will be deemed to have been made in line with the Privacy Shield principles, and therefore meets the standards of protection required by EU law.
Transfer pursuant to another mechanism ensuring appropriate safeguards: in the absence of an adequacy decision for the relevant third country/international organisation, transfers will be lawful if the controller or processor has provided appropriate safeguards, and enforceable rights and effective legal remedies are available to data subjects. Such appropriate safeguard mechanisms include:
- A legally binding instrument between public bodies;
- Binding corporate rules (BCRs), which are now uniformly recognised as a valid data transfer mechanism across the EEA for both controllers and processors. They will still require approval from the competent supervisory authorities, but this will be on the basis of the consistency mechanism and so generally easier to obtain. BCRs must be legally binding and enforceable against the exporter's group entities that receive the data, grant enforceable rights to data subjects, and meet certain prescribed information requirements;
- Model clauses adopted by the European Commission, or by a supervisory authority and approved by the Commission. The existing sets of model clauses will remain valid under the GDPR. In an important distinction from the current regime, businesses will no longer have to notify or receive approval from supervisory authorities to rely on model clauses as their basis for transfer;
- A code of conduct approved by the competent supervisory authority or, where the processing affects several Member States, by the EDPB and the Commission, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
- An approved certification mechanism by an accredited certification body, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards. Certificates will be issued for three years and be subject to renewal or revocation if conditions are no longer met.
Transfer pursuant to a derogation: the GDPR maintains essentially the same list of further derogations permitting transfers to non-adequate jurisdictions as under the Data Protection Directive, i.e. explicit consent, contractual necessity, litigation necessity, vital interests of the data subject and public register data. The GDPR should also, to some extent, harmonise the inconsistent application of the existing derogations. However, there are two significant changes:
- A higher threshold for consent derogation, noting the more onerous conditions set by the GDPR for valid consent (see above). Exporters must now consider if the data subject has given explicit consent to the transfer, and been sufficiently informed of the possible risks of such transfer; and
- A new (limited) derogation for transfers necessary for the legitimate interests of the controller, provided that the transfer is not repetitive, concerns only a limited number of data subjects, the interests of the controller do not override the interests or rights and freedoms of the data subjects, and the controller has assessed (and documented) all the circumstances surrounding the data transfer and put adequate safeguards for the protection of personal data in place. Controllers must inform the supervisory authority of the transfer, and also inform the data subject of the transfer and basis for legitimate interests. This derogation only applies if the transfer cannot be based on the other grounds for transfer (adequacy decision, appropriate safeguards or other derogation).
The GDPR also makes clear that a legal requirement of a third country (for example a court order or an administrative demand) will not on its own be a lawful ground for transferring data outside the EEA, unless the requirement is based on an international agreement (such as a mutual legal assistance treaty). Significantly, this definition of international agreement excludes the memorandums of understanding relied on by most of the US's regulatory information-sharing framework with the EU. The UK has opted out of this provision of the GDPR (Article 48). The full impact of this, including whether the Commission will accept the opt-out if the data protection rights of UK residents would be compromised compared to the rest of the EU, will likely remain unclear until after the negotiations with the EU concerning Brexit withdrawal have been concluded.
6. Supervisory authorities
Competences
Under the GDPR, national supervisory authorities (also known as data protection authorities or DPAs) will continue to exist. Each Member State must establish at least one independent supervisory authority on a national level. Member States can install more than one supervisory authority, but one of them has to be nominated as the representative on the new EDPB.
Supervisory authorities are given an extensive list of specific powers and tasks, including the power to monitor and enforce the application of the GDPR and to hear, investigate and rule on complaints in the territory of their own Member State. Specific powers worth mentioning are the ability to:
- order a controller or processor to provide information;
- conduct investigatory audits;
- ban processing and trans-border data flows outside the EU; and
- approve standard contractual clauses and binding corporate rules.
DPAs are required to co-operate with the European Commission and other supervisory authorities in order to ensure the consistent application of the GDPR.
"One-stop shop" and co-operation procedure
Where the controller or processor is established in several Member States, the supervisory authority of the main establishment shall be competent as "lead authority" (the "one-stop shop"). For a controller, the main establishment is the place of its central administration in the EU, unless decisions on the purposes and means of processing are taken at another establishment which has the power to have them implemented, in which case that establishment is the main establishment. This may differ from a business's corporate headquarters but will in most cases be the same place.
The local DPA will remain competent to handle a matter if it relates only to a local establishment or affects data subjects only in its Member State (except for data transfers). Such local cases have to be notified to the lead authority which may intervene and then apply the co-operation procedure. Local DPAs can propose decisions to the lead authority. If the lead authority does not intervene, the local authority handles the case using, where necessary, the mutual assistance and joint investigation powers.
An individual will be able to make complaints to the DPA in their Member State, at which point that regulator shall engage in a co-operation procedure with other "concerned" supervisory authorities. The authorities are required to exchange information and try to reach consensus. The lead authority must submit a draft decision to concerned authorities. There is a detailed conflict resolution mechanism in case of a disagreement, with the EDPB having the final say.
The European Data Protection Board
The EDPB will be a new EU body with legal personality. It consists of one representative of each Member State's supervisory authorities and a representative of the European Commission (on a non-voting basis).
The EDPB is given an extensive list of tasks, but its primary roles are to promote co-operation between national supervisory authorities, contribute to the consistent application of the GDPR throughout the EU and to advise the Commission, in particular on the level of protection offered by third countries or international organisations.
The EDPB has to give opinions on various supervisory authority proposals, including the approval of binding corporate rules, certification criteria and codes of conduct. If the supervisory authority disagrees with an EDPB opinion, the matter goes to dispute resolution. This also applies to disputes between a lead authority and local authorities. In all these cases, the EDPB will make a binding decision.
7. Remedies and sanctions
Enforcement
The GDPR will significantly augment the rights of individuals. A component of this concerns new rights of redress for unlawful processing.
Under the new legislation, an individual has the right to:
(a) lodge a complaint with a supervisory authority;
(b) an effective judicial remedy against a supervisory authority where it does not handle a complaint or inform the individual on the progress or outcome of a complaint;
(c) an effective judicial remedy against a controller or processor; and
(d) compensation from a controller or processor for damage suffered as a result of a breach of the GDPR.
Compensation
Any person who has suffered damage as a result of a breach of the GDPR is entitled to compensation from the controller or processor. The meaning of "damage" is consistent with case law concerning claims under the Data Protection Act 1998, and includes both financial and non-financial loss (i.e. damages for distress).
Representative bodies are entitled to bring complaints and recover damages on behalf of individuals. This paves the way for class actions against controllers or processors who breach the GDPR.
Fines
A key change in the new legislation is that an organisation can be fined up to four per cent of its annual worldwide turnover (or, if greater, €20,000,000) for breaches of certain provisions, and up to two per cent (or, if greater, €10,000,000) for other specified breaches.
Breaches which attract the highest penalties (up to four per cent) relate to infringements of:
- the basic principles for processing, including conditions for consent;
- the data subjects' rights; and
- requirements relating to international transfers of personal data.
In considering whether to impose a fine and the level of such fine, the supervisory body must have regard to factors such as the nature, gravity and duration of the breach and its consequences, the measures taken to ensure compliance with the GDPR and any action taken to prevent or mitigate the consequences of the breach.
8. The UK ICO's recommendations
The ICO has made 12 recommendations to assist organisations in preparing for the GDPR.
The effect of Brexit
The UK Government has confirmed plans to implement the GDPR, ending uncertainty that resulted from the Brexit referendum. In her appearance before the Culture, Media and Sport Select Committee, Secretary of State Karen Bradley MP noted that the UK will still be a member of the EU in 2018, making participation in the EU's wide-ranging data protection shake-up a natural step. Her announcement has been welcomed by the UK Information Commissioner.
Recommendations
1. Key stakeholders should be made aware of the GDPR
Steps should be taken to familiarise decision makers with the GDPR in order to prepare for compliance. If the organisation has a risk register, this should be reviewed in light of the new provisions.
2. Get organised – map personal data held by the organisation
Organisations should log details of the type of information they hold, where it came from and how they use it, as this will assist in compliance with an information audit and facilitate other duties the organisation faces under the GDPR.
3. Re-examine privacy notices
The GDPR adds new obligations on organisations to explain how they use individuals' personal data, such as the requirement to explain the legal basis for processing the data, data retention periods, and that individuals are entitled to complain to the ICO.
4. Procedures should include individuals' rights
The GDPR sets out a number of individual rights, including the right to make subject access requests, the "right to be forgotten" and the right to prevent direct marketing. These should be reflected in organisational procedures.
5. Prepare to handle subject access requests
While individuals are already entitled to request to see what personal data an organisation holds on them, the rules are changing under the GDPR. In particular, it will not generally be possible to charge individuals who submit such requests, and organisations will normally have less time to comply – usually only a month instead of the current 40 days.
6. Clarify the legal basis of processing
Under the GDPR, organisations will need to identify the legal basis for their processing as this may affect the data subject's rights. The legitimate interest basis will be narrowed.
7. How are you obtaining consent?
Consent must be "freely given, specific, informed and unambiguous". Controllers must be able to demonstrate that consent has been provided, and sufficient information should be given to ensure that this is unambiguous. As a result, an audit trail is vital.
8. Protection of children
The GDPR introduces special protection for children's personal data. In the UK, it is likely that organisations – and social networks in particular – will need to obtain parental/guardian consent to process the data of anyone younger than 13. As with adults, it is important to have a system in place to log consent.
9. Duty to notify data breaches
The GDPR introduces the requirement for all organisations to notify data breaches to the ICO where the individuals concerned are likely to suffer harm. It is therefore important to have procedures in place to identify, report and investigate breaches.
10. Privacy by design and privacy impact assessments (PIAs)
The new legislation requires organisations to take a "privacy by design" approach to data protection, building privacy into any new system from the outset. PIAs are an integral component of privacy by design. They help organisations identify how best to comply with their data protection obligations. PIAs are required in situations of high-risk data processing (e.g. where new technology is being used), but may be suitable for use more widely.
11. Data protection officers
The GDPR makes it mandatory for certain organisations, such as public authorities or bodies that regularly and systematically monitor data subjects on a large scale, to designate a data protection officer. For other organisations, it may still be prudent to appoint a specific individual charged with overseeing data protection compliance.
12. International
Multinational organisations should identify their main place of establishment in order to determine which data protection authority they come under. This will have a bearing on where cross-jurisdictional complaints are investigated. Where a main establishment is hard to identify, assess where your organisation makes most of its data processing decisions.