BIBA: General Data Protection Regulation
6 July 2017
Emma Bate, Partner, ebate@dacbeachcroft.com, 020 7894 6740
Jade Kowalski, Senior Associate, jkowalski@dacbeachcroft.com, 020 7894 6744
Agenda
• Overview of the GDPR
• Industry approach to privacy notices & consent
• Actions to take now
Background: What is the GDPR and why does it matter?
• GDPR replaces the UK Data Protection Act 1998 and national legislation across Europe on 25 May 2018
• An attempt to harmonise data protection laws across Europe
• Applicable despite Brexit
• Greater obligations on organisations when processing personal data
• Provides individuals with more rights which are easier to enforce
• Changes the risk profile of data protection compliance
Overview of the GDPR
• New principle of accountability
• Data handling obligations
• Data protection principles
• Data subject rights
• Legal basis for processing, consent & privacy policies
• Security
• Breach notification
• Data protection officers
• Enforcement
Key aspects of the GDPR: New principle of accountability
The data controller must be responsible for, and be able to demonstrate compliance with, the other principles.
• Policies and procedures
• Governance
• Records of processing
• Data protection officers
• Data protection impact assessments
• Data protection by design and by default
Key aspects of the GDPR: Data Protection Impact Assessments
• Required where processing is likely to result in a high risk to the rights and freedoms of data subjects
• Will be required in cases of:
– systematic and extensive evaluation of personal aspects based on automated processing, including profiling
– processing of special categories of data on a large scale
– systematic monitoring of a publicly accessible area on a large scale
Key aspects of the GDPR: Data protection by design and by default
• Consider: the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks posed by the processing
• What technical and organisational measures could be used? (e.g. pseudonymisation)
• Goal: only personal data which is necessary for each specific purpose of the processing is processed
Key aspects of the GDPR: Data breach notification to the regulator
• Without undue delay and, where feasible, not later than 72 hours
• Exception: where the breach is “unlikely to result in a risk to the rights and freedoms” of data subjects
• Notification must contain:
– nature of the breach including, where possible, the categories of data and approximate number of data subjects;
– name and contact details of the data protection officer;
– likely consequences of the personal data breach; and
– measures taken or proposed to be taken by the data controller to address the breach.
Key aspects of the GDPR: Data breach notification to the data subjects
• Without undue delay, but only where the breach is likely to result in a high risk to the rights and freedoms of data subjects
• Notification is not required where:
– personal data is unintelligible (e.g. encrypted);
– the data controller has taken subsequent measures to ensure that the high risk to data subjects will not materialise; or
– individual notification would require disproportionate effort (but a public communication is required instead)
Key aspects of the GDPR: International transfers
• Personal data should not be transferred outside of the EEA unless “adequate data protection” is ensured:
– EU Model Clauses
– Transfer under Binding Corporate Rules
– Privacy Shield
• Two new approved transfer mechanisms:
– reliance on an approved code of conduct
– an approved privacy seal
Why does the GDPR change the landscape? Enforcement powers
• Powers granted to the ICO include the ability to:
– carry out audits;
– issue orders to suspend or cease processing; or
– order suspension of data flows to third countries.
• Member States can put in place criminal sanctions.
Why does the GDPR change the landscape? Fines
• Fines can be imposed for any infringement of the GDPR.
• When imposing a fine, the regulator must ensure it is “effective, proportionate and dissuasive”.
• Factors to be taken into account include:
– the nature, gravity and duration of the infringement
– the intentional or negligent character of the infringement
– any action taken to mitigate damage to data subjects
– co-operation with the regulator
– self-reporting
– any other mitigating or aggravating factors
Why does the GDPR change the landscape? Examples and level of fine
• Category A breaches (e.g. failure to maintain written records; failure to implement data protection by design and default): up to EUR 10,000,000 or 2% of worldwide annual turnover of an undertaking
• Category B breaches (e.g. processing without a relevant legal basis; infringement of data subject rights): up to EUR 20,000,000 or 4% of worldwide annual turnover of an undertaking
Why does the GDPR change the landscape? Compensation
• A data subject has the right to compensation where he or she has suffered “material or non-material damage” as a result of an infringement.
• Not-for-profit organisations are able to pursue claims on behalf of individuals and classes.
GDPR Challenges
• Delivery of privacy notices
• Requirement to obtain explicit consent
Privacy Notices
• Controller must “take appropriate measures” to provide the privacy notice
• Must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”
• Two lists of information to be provided:
– when you are collecting the information from the individual
– when a third party passes on that information to you
Privacy notices
• Identity of controller & any data protection officer
• Purposes & legal grounds
– Set out ‘legitimate interest’ if relevant
– Set out right to withdraw consent if relevant
• Categories of personal data
• Sources
• Recipients / categories of recipients
• Details of international transfers
Privacy notices
• Data retention periods, or the criteria used
• Existence of data subject rights to: access data, rectification, erasure, restriction, object
• Existence of automated decision making / profiling
• Right to complain to the Information Commissioner
Privacy notices: Legal grounds
Special category data: e.g. health & criminal records data
Legal ground for personal data / corresponding legal ground for special categories of data:
• Consent / Explicit consent
• Performance of a contract with the data subject / Legal claims
• Vital interests / Vital interests (data subject not capable of giving consent)
• Legitimate interests / In substantial public interest & set out in UK law
Consent
• Clear, demonstrable, freely given & capable of withdrawal
• Granular
• Inform data subjects of right to withdraw consent at any time. It must be as easy to withdraw consent as to give it
• Silence and pre-ticked boxes do not constitute consent
• Conditional consent is possible but will be under high scrutiny
• ICO draft guidance discouraged use of conditional consent
Industry Approach: Template privacy notice
• Set out standard response for:
– Brokers
– Insurers
– Coverholders
– Reinsurance Brokers
– Reinsurers
– Retrocession Brokers
– Retrocessionaires
Industry Approach
• Who is to provide the notice?
• Format of the notice: layered approach, tables, clicks and reveals
• Identity of data controller?
• Changes to insurance chain during the policy
• Obligation is to provide the notice within 30 days, unless the individual already has the information
Industry response: Lobbying DCMS
• New legal ground for insurance sector processing special category data
• Why this is needed:
– Have to use a conditional consent
– Withdrawal of consent is likely to terminate the policy
– Challenge to obtain consent for an insurance chain
Industry response: Lobbying DCMS
• Legal basis: it is in the substantial public interest, and is:
– proportionate to the aim pursued
– respects the essence of the right to data protection
– provides suitable and specific measures to safeguard the fundamental rights and interests of the data subject