ITIJ 207, April 2018
Dan Hyde, partner at international law firm Penningtons Manches, advises insurance and assistance providers on how to prepare for General Data Protection Regulation (GDPR)
It is hard to imagine that anyone involved in running a business in Europe has not heard of GDPR, yet these regulations, which were conceived and born out of the European Union (EU), were largely ignored until the clock had ticked down to around 12 months. At that point, it began to dawn on the international business community that non-compliance was not an option, and that businesses caught by these regulations would need to adapt or face potentially crippling fines.
A need-to-know basis
The first question that urgently needs answering is whether or not GDPR applies to your business. It should be noted that GDPR has an extra-territorial effect, so that it applies to all businesses offering goods or services in the European Union or monitoring individuals in the European Union. It applies whether or not the business has any branch or office in the EU or indeed any server. In short, GDPR will apply to most – if not all – businesses that have an EU customer base. This is because GDPR focuses on the protection of the European individual’s data wherever that data may be processed. Businesses that handle the personal information of Europeans will be snagged regardless of where they conduct their operations. Insurance companies, assistance companies and healthcare providers will be undoubtedly caught due to the data-rich nature of their businesses.
GDPR comes into force in all EU member states on 25 May 2018. The UK will still be a member state on that date and GDPR will consequently become UK law on that date. There are a number of derogations within the regulation that are specific options upon which member states can decide. At around the same time as GDPR will become UK law, the new UK Data Protection Bill will commence, which will largely reflect GDPR, but will further introduce some UK-specific variations that are permitted. An example of this is that GDPR refers to children, but it allows a member state to decide how a child is defined (the UK has decided to opt for age 13 or under).
Process, subject and controller
Once you have decided whether GDPR will apply to your business, you next need to understand the important concepts in GDPR and data protection. The first of these is data processing. Any operation performed on personal data such as collection, recording, organising, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, making available or transferring, disseminating or deleting, will constitute data processing. Virtually any action in relation to personal data will constitute data processing.
A data subject is the person the data is about. For example, a customer or patient is a data subject when their personal data is processed for a purpose of the business. We will look at some of the legitimate purposes later in this article. It should be noted that GDPR grants rights to data subjects in order to protect their personal data. The protection is afforded to European data subjects and applies wherever their data is processed.
Next is a data controller. This is the person or entity (whether public or private) that collects and processes the personal data. The controller determines the purpose and means of processing personal data. Finally, personal data means exactly that – data that is personal as it relates to any identifiable person who can be directly or indirectly identified by reference to an identifier. This definition is wide, as even personal data that has been pseudonysed or anonymised can fall within the scope of GDPR; this will depend upon how possible it is to identify the particular individual despite the use of the pseudonym or anonymous title.
In summary, GDPR will apply to personal information (widely defined) and will govern the actions of the controllers and processors of that personal information (very widely defined).
GDPR places legal obligations on both controllers and processors, and general principles that run through GDPR must be applied. These general principles are
lawfulness, fairness and transparency.
Data has to be processed in accordance with EU and member state laws, and data controllers have to be transparent with customer information regarding what happens to their personal data. Handling personal information in a legitimate way, and ensuring there is a transparency as to how that personal data is handled, is at the heart of GDPR.
Data has to be collected for a specific, explicit and legitimate purpose. It cannot be used for anything beyond that specific, explicit legitimate purpose. What is legitimate is examined later in the article.
You should only request information that is required and relevant for the purpose for which the data is being collected. This is the de minimis rule so that the data controller should only request the minimum amount of information that is needed for the specific, explicit legitimate purpose.
Data has to be processed in a matter that minimises the risk to the confidentiality and integrity of the data
Data controllers must ensure that their data is accurate. If not, it should be rectified and reasonable steps should be taken to ensure that it is accurate. The data must be kept up to date, have regard to the purpose for which it is being processed. Where inaccuracies are discovered, data should be erased or rectified without delay.
Data should only be stored for a limited period and (except for archiving and scientific research purposes) it should not be stored beyond the life of the specific, explicit and legitimate purpose.
Integrity and confidentiality
Data has to be processed in a matter that minimises the risk to the confidentiality and integrity of the data. This should include protection against unlawful or unauthorised processing or accidental damage or loss.
The data controller must be seen to be accountable. This means that they must be in a position to prove that the general principles are being applied. The burden of proof is on the data controller to show this is the case.
Personal data that is categorised as special category personal data will require a higher hurdle in order to justify its processing is legitimate
In applying these principles, a good starting point will be to ask whether there is a legitimate purpose for processing personal information an organisation holds – you must identify a legitimate reason for doing so, otherwise the processing will not be lawful under GDPR. The legitimate reason that is relied upon must be documented.
There must then be a legitimate purpose (lawful basis) for processing personal data and these are as follows:
- That you have the consent of the data subject. This is dealt with in detail later, but it will be essential to document that consent has been given.
- That processing is necessary for the performance of a contract with a data subject or to take steps to enter into a contract. This then is the contractual purpose.
- That processing is required to comply with a legal obligation. This then is the legal obligation the data controller must meet, and that the processing is necessary to protect the vital interest of a data subject for another person.
- That the processing is necessary for the performance of a task in the exercise of official authority vested in the controller or something that is in the public interest.
- That the processing is necessary for the legitimate interest of the controller or a third party. This will include the commercial interests of the controller, as such interests are capable of being a legitimate interest. The test is whether the interest of the controller is overridden by the interests, rights or freedoms of the data subject. A balance needs to be performed to ensure that where legitimate business interests are pursued they are not overtaken by the interests, rights and freedoms of the data subject whose personal information is being used for the purpose. It is important to select the most appropriate lawful basis for processing; if for example, the legitimate purpose relied upon is the consent of the data subject, there will be problems if in due course the data subject withdraws their consent. With this in mind, it is advisable to choose and document, where possible, another legitimate interest, as that avoids a situation where the consent is withdrawn or cannot be demonstrated, and the controller is left holding information which has no lawful basis.
There are, however, special categories of data where explicit consent of the data subject will be required. Personal data that is categorised as special category personal data will require a higher hurdle in order to justify its processing is legitimate.
Special category personal data is any data that reveals racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic or biometric data for the purpose of identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation. Under GDPR, processing of data of this nature is prohibited – unless the data subject has given explicit consent to its processing for one or more specified purposes. There are limited exceptions to this. For example, where the processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent, or where the processing relates to personal data that has manifestly been made public by the data subject, and is thus in the public domain already. Exceptions, however, will be of limited application. There is a further exception for processing where it is necessary for the purposes of preventative or occupational medicine or management of health or social care systems and services pursuant to a contract with a heathcare professional. This exception will only apply to the healthcare and occupational medicine arena; ancillary uses such as health insurance will not fall within it, and explicit consent will be required.
To constitute explicit consent, there must be unambiguous consent to the use of the special category data. This must be an affirmative action by the data subject with demonstrable proof that explicit unambiguous consent to the use of the data was given. This means an act that has been freely given and is a clear indication of the client’s agreement to the processing of their personal data. Where there is a significant difference in power between the data subject and controller, such as between an employee and employer, it will likely be presumed that consent was not feely given. Silent or inactive consent, such as a pre-ticked box, would also not be considered as consent, although a box that has
Businesses that handle the personal information of Europeans’ will be snagged regardless of where they conduct their operations
been deliberately ticked would suffice as that would indicate active consent so long as there was proper information as to the use the data was to be put to.
The key here is to remember that the burden of proof is with you and that you need to show that the consent given was informed, intelligible and easily accessible. It should be expressed in clear and plain language and be distinguishable from other matters. A signed form that includes a number of other matters would fall foul of this, unless the consent to the use of the personal information could be clearly identified and understood. It should also be plain that any customer was informed before giving consent that they were able to withdraw it and that children have parental consent as otherwise their data cannot be lawfully processed.
In order to be transparent and comply with the GDPR, when a data controller collects the personal information form the data subject they have to give, at the time they collect the health data, the following information:
- The identity of the contact person or data controller.
- The purpose for which the data is being processed.
- The period for which the data will be stored (this can be an estimate at the outset).
- If it is intended to transfer the data to another country.
- If the business would wish to process the customer data for a secondary purpose in addition to the specific, explicit purposes that have been given.
- Furthermore, they must explain the data subject’s rights, namely:
- That they have the right to be kept informed and to access their own personal data, and these are fundamental rights.
- That they have a right to data portability so that they can transfer data from one data controller to another.
- That they have the right to object to the processing of their data.
- That they have the right to request rectification of their data if it is inaccurate or incomplete.
- That they have the right to deletion of their data, known as the right to be forgotten. This might apply where a data subject has withdrawn consent and no other lawful basis remains that can justify the storage or processing, or that the principles of limited storage and data minimisation support the request for deletion.
- That they have a right to restrict the processing of their data.
- That they also have rights in relation to any automated processing and profiling.
It is important to note these rights – the rights of the individual are at the very core of GDPR, and organisations should strive to ensure they can document their application. In practical terms, this means implementing internal policies that ensure all the key information is documented, ensuring a record of the legitimate lawful basis for processing, and where consent is relied upon, that it is properly recorded. In relation to special category data, the record will need to demonstrate explicit consent.
Businesses will be required to designate an independent and appropriately skilled Data Protection Officer (DPO) where the organisation is a public body or where the core activities involve regular and systematic monitoring of personal data on a large scale or the processing of special categories of data or large-scale processing of sensitive data. The likelihood is that unless your business crunches significant amounts of personal or sensitive information as its primary activity, then it will not be forced to designate a DPO; if the activity is secondary or ancillary, this requirement should not bite. That said, in light of the burdens of recording and accountability brought by GDPR, organisations should carefully consider appointing a DPO where funds allow as the role would otherwise eat into the time of other personnel.
organisations should carefully consider appointing a DPO where funds allow
GDPR is also a game-changer in the event of a data breach. There will be mandatory notification of a cybersecurity breach to the supervisory authority without undue delay and, in any event, in no less than 72 hours if there is a risk to individuals' rights and freedoms. This will nearly always apply unless encryption, or another defence mechanism, has kept the data absolutely intact and uncompromised. Where a report is late, then a reasoned justification for the delay must be given.
This all then goes back to the raison d’etre of the GDPR – the protection of the individual's data rights. In the UK, a risk in relation to their rights and freedoms must be notified to the Information Commissioners Office (ICO) and, if there is a high risk to the individual's rights or freedoms, then they too must be notified. There is then a dual test: a mere risk requires notification to the ICO, whereas a high risk requires additional notification to the individuals whose personal information has been affected. There are very limited exceptions to this, such as where encryption or other protection is in place, but in such a situation there would not be high risk. The other is where individual notifications would be disproportionate and a public information campaign or other method might better meet the need to inform.
Failures in relation to notification of breaches can be fined the greater of €10 million, or two per cent of worldwide annual turnover for the preceding financial year. Other breaches could be double that and the greater of €20 million or four per cent of worldwide annual turnover. Those sums are the maximums and we will need to watch how the ICO pitches the level of these fines after 25 May 2018. My guess is that there will be some hefty early punishments to put down a marker, and preparing properly should ensure business survival in this tough new compliance landscape. ■