Unless you live on the planet Zog, you will be aware that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Neither Brexit nor the recently announced General Election will have an impact on this date; GDPR is here to stay. There has been a flurry of activity from the Information Commissioner’s Office (ICO) and the Article 29 Working Party (A29WP) on the GDPR front of late.
Consent under GDPR is a thorny issue. Compare the old and the new definitions below:
Using opt out boxes and inaction as proof of individuals’ consent to processing will no longer be allowed (if indeed they ever were!). Last month the ICO launched its GDPR consent consultation. The deadline for responses has now passed but the document is still worth reading to understand how the landscape is changing.
GDPR introduces stricter provisions to protect individuals from a type of data processing known as “profiling”. This is defined in Article 4:
“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
The GDPR gives individuals a right to know profiling is taking place and in some cases allows them to object to it or require human intervention.
The ICO’s discussion paper on this topic highlights the key areas it feels need further consideration. This includes subjects like marketing, the right to object and data minimisation. The deadline for feedback is 28th April 2017. The A29WP guidelines on profiling are due to be published later this year and any feedback the ICO receives will inform that work.
Article 20 of GDPR gives individuals the right to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. This is known as the right to data portability.
In December 2016, the A29WP published draft guidance on this right and a useful FAQ. The final version was published on 5th April 2017. The key themes are the same but the latest version does clarify a few points and gives better examples. Here are the two documents compared.
Data Protection Officer
Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The A29WP has now produced the final version of its DPO guidance, which was published for comments in December. Here are the two documents compared. Again the main themes of the documents are the same with some welcome clarifications in the final version.
Lead Supervisory Authority
Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data. For those that have multiple processing operations in the EU or where a breach occurs in many countries there will be a need to identify a lead supervisory authority, which will be charged with investigating the breach. The A29WP has now finalised its guidance on this topic.
Data Protection Impact Assessments
Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). In some cases Data Controllers will be required to do a DPIA in relation to one or more data processing operations. It will help them assess necessity and proportionality and to manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them).
Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). In certain situations a DPIA will be mandatory (see Article 35(3)).
The A29WP is requesting comments on the data protection impact assessment guidelines it recently published. The deadline is 23rd May 2017. Even if you don’t want to comment its still a useful document to read to understand what steps need to be taken to raise awareness of the DPIA processes and what training will be required for those undertaking this task.
Finally, the A29WP recently published its work programme for 2016 – 2018 accompanied by a supplementary statement explaining GDPR specific priorities. As from 2018 it will become the European Data Protection Board.