BIBA: General Data Protection Regulation (PowerPoint presentation)

SLIDE 1

BIBA: General Data Protection Regulation

6 July 2017

Emma Bate, Partner
ebate@dacbeachcroft.com
020 7894 6740

Jade Kowalski, Senior Associate
jkowalski@dacbeachcroft.com
020 7894 6744

SLIDE 2

Agenda

  • Overview of the GDPR
  • Industry approach to privacy notices & consent
  • Actions to take now

SLIDE 3

What is the GDPR and why does it matter? Background

  • GDPR replaces the UK Data Protection Act 1998 and national legislation across Europe on 25 May 2018
  • An attempt to harmonise data protection laws across Europe
  • Applicable despite Brexit
  • Greater obligations on organisations when processing personal data
  • Provides individuals with more rights which are easier to enforce
  • Changes the risk profile of data protection compliance

SLIDE 4

Overview of the GDPR

  • Breach Notification
  • Data Protection Officers
  • Data Subject Rights & privacy policies
  • Data Protection Principles
  • Legal Basis for Processing & consent
  • Security
  • New Principle of Accountability
  • Enforcement
  • Data Handling Obligations

SLIDE 5

Overview of the GDPR

  • Breach Notification
  • New Principle of Accountability
  • Enforcement
  • Data Handling Obligations

SLIDE 6

Overview of the GDPR

  • Data Subject Rights & privacy policies
  • Legal Basis for Processing & consent

SLIDE 7

Key aspects of the GDPR: New principle of accountability

The data controller must be responsible for, and be able to demonstrate compliance with, the other principles.

  • Policies and procedures
  • Governance
  • Records of processing
  • Data protection officers
  • Data protection impact assessments
  • Data protection by design and by default

SLIDE 8

Key aspects of the GDPR: Data Protection Impact Assessments

Required where processing is likely to result in a high risk to the rights and freedoms of data subjects. Will be required in cases of:

  • systematic and extensive evaluation of personal aspects based on automated processing, including profiling
  • processing of special categories of data on a large scale
  • systematic monitoring of a publicly accessible area on a large scale

SLIDE 9

Key aspects of the GDPR: Data protection by design and by default

  • Consider: the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks posed by the processing
  • What technical and organisational measures could be used? (e.g. pseudonymisation)
  • Goal: only personal data which is necessary for each specific purpose of the processing is processed
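The two measures named on this slide, pseudonymisation and processing only the data a purpose needs, worked through in code. This is an added example written for this page, not code from the slides, from the ICO or from the industry template; the record fields, the constructed claims sample and the `claims_analytics` purpose allow-list are assumptions made for illustration. It shows a keyed (HMAC) pseudonym that keeps a policyholder's records linkable while the re-identification key is held apart from the dataset, minimisation of each record to the fields the purpose needs, and why an unkeyed hash of a small identifier space does not make data unintelligible.

```python
"""Keyed pseudonymisation plus purpose-based minimisation.

Added illustration for this page; not code from the slides or the industry
template. Field names, the sample claims and the purpose allow-list are
assumptions made for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people). Each carries direct
# identifiers plus the attributes a claims-analytics purpose actually needs.
CLAIMS = [
    {"policy_no": "PN-000123", "name": "A. Smith", "email": "a.smith@example.org",
     "postcode": "SW1A 1AA", "claim_amount": 1250.0, "claim_type": "motor"},
    {"policy_no": "PN-000124", "name": "B. Jones", "email": "b.jones@example.org",
     "postcode": "M1 1AE", "claim_amount": 3400.0, "claim_type": "home"},
    {"policy_no": "PN-000123", "name": "A. Smith", "email": "a.smith@example.org",
     "postcode": "SW1A 1AA", "claim_amount": 800.0, "claim_type": "motor"},
]

# Data protection by default: for each purpose, only the fields it needs.
# (Assumed purpose name and field list.)
PURPOSE_FIELDS = {"claims_analytics": ("claim_amount", "claim_type")}


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: the same identifier always yields the same
    token (records stay linkable), but nobody without `key` can recompute
    or reverse it."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, purpose: str, key: bytes):
    """Return (minimised records keyed by pseudonym, re-identification map).

    The map is the 'additional information' that Article 4(5) GDPR requires
    to be kept separately; in practice it lives with the key under stricter
    access control, not alongside the analytics dataset."""
    fields = PURPOSE_FIELDS[purpose]
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["policy_no"], key)
        lookup[token] = rec["policy_no"]
        dataset.append({"subject": token, **{f: rec[f] for f in fields}})
    return dataset, lookup


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed hash, for contrast: NOT adequate when the identifier space is
    small enough to enumerate."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def reverse_weak(token: str, max_n: int = 1_000_000):
    """Dictionary attack on the unkeyed scheme: walk the six-digit
    policy-number space and return the matching identifier, or None."""
    for n in range(max_n):
        candidate = f"PN-{n:06d}"
        if weak_pseudonym(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored outside the dataset
    dataset, lookup = pseudonymise(CLAIMS, "claims_analytics", key)
    for row in dataset:
        print(row)  # no name, email or postcode; same token for PN-000123
    print("re-identify:", lookup[dataset[1]["subject"]])
    print("unkeyed hash reversed:", reverse_weak(weak_pseudonym("PN-000124")))
```

The point of the `weak_pseudonym`/`reverse_weak` pair is the caveat that matters when a breach is assessed: a hashed policy number, date of birth or postcode is recoverable by anyone who can enumerate the input space, so it is not "unintelligible" in the sense the breach-notification exemption requires. The keyed version only holds up while the key and the lookup map are kept out of the same system as the dataset.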

SLIDE 10

Key aspects of the GDPR: Data breach notification to the regulator

Without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Exception: where the breach is “unlikely to result in a risk to the rights and freedoms” of data subjects.

Notification must contain:

  • nature of the breach including, where possible, the categories of data and approximate number of data subjects;
  • name and contact details of the data protection officer;
  • likely consequences of the personal data breach; and
  • measures taken or proposed to be taken by the data controller to address the breach.

SLIDE 11

Key aspects of the GDPR: Data breach notification to the data subjects

Without undue delay, but only where the breach is likely to result in a high risk to the rights and freedoms of data subjects.

Notification is not required where:

  • personal data is unintelligible to anyone not authorised to access it (e.g. encrypted, and the key has not also been compromised);
  • the data controller has taken subsequent measures to ensure that the high risk to data subjects will not materialise; or
  • individual notification would require disproportionate effort (but a public communication must be made instead).

SLIDE 12

Key aspects of the GDPR: International transfers

Personal data should not be transferred outside of the EEA unless “adequate data protection” is ensured:

  • EU Model Clauses
  • Transfer is under binding corporate rules
  • Privacy Shield

Two new approved transfer mechanisms:

  • reliance on approved code of conduct
  • approved privacy seal

SLIDE 13

Why does the GDPR change the landscape? Enforcement powers

Powers granted to the ICO include the ability to:

  • carry out audits;
  • issue orders to suspend or cease processing; or
  • order suspension of data flows to third countries.

Member States can put in place criminal sanctions.

SLIDE 14

Why does the GDPR change the landscape? Fines

  • Fines can be imposed for any infringement of the GDPR.
  • When imposing a fine, the regulator must ensure it is “effective, proportionate and dissuasive”. Factors to be taken into account include:
  – The nature, gravity and duration of the infringement
  – The intentional or negligent character of the infringement
  – Any action taken to mitigate damage to data subjects
  – Co-operation with the regulator
  – Self-reporting
  – Any other mitigating or aggravating factors

SLIDE 15

Why does the GDPR change the landscape? Fines

Category A breaches (examples):
  • failure to maintain written records
  • failure to implement data protection by design and default
Level of fine: up to EUR 10,000,000 or 2% of worldwide annual turnover of an undertaking, whichever is higher

Category B breaches (examples):
  • processing without a relevant legal basis
  • infringement of data subject rights
Level of fine: up to EUR 20,000,000 or 4% of worldwide annual turnover of an undertaking, whichever is higher

SLIDE 16

Why does the GDPR change the landscape? Compensation

A data subject has the right to compensation where he or she has suffered “material or non-material damage” as a result of an infringement. Not-for-profit organisations are able to pursue claims on behalf of individuals and classes.

SLIDE 17

GDPR Challenges

  • Delivery of privacy notices
  • Requirement to obtain explicit consent

SLIDE 18

Privacy Notices

  • Controller must “take appropriate measures” to provide the privacy notice
  • Must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”
  • Two lists of information to be provided:
  – when you are collecting the information from the individual (Article 13)
  – when a third party passes on that information to you (Article 14).

SLIDE 19

Privacy notices

  • Identity of controller & any data protection officer
  • Purposes & legal grounds
  – Set out ‘legitimate interest’ if relevant
  – Set out right to withdraw consent if relevant
  • Categories of personal data
  • Sources
  • Recipients / categories of recipients
  • Details of international transfers

SLIDE 20

Privacy notices

  • Data retention periods, or the criteria used
  • Existence of data subject rights to:
  – access data,
  – rectification,
  – erasure,
  – restriction,
  – object
  • Existence of automated decision making / profiling
  • Right to complain to the Information Commissioner

SLIDE 21

Privacy notices: Legal grounds

  • Special category data; e.g. health & criminal records data

Personal data                                      Special categories of data
Consent                                            Explicit consent
Performance of a contract with the data subject    Legal claims
Vital interests                                    Vital interests (data subject not capable of giving consent)
Legitimate interests                               In substantial public interest & set out in UK law

SLIDE 23

Consent

  • Clear, demonstrable, freely given & capable of withdrawal
  • Granular
  • Inform data subjects of right to withdraw consent at any time. It must be as easy to withdraw consent as to give it
  • Silence and pre-ticked boxes do not constitute consent.
  • Conditional consent – is possible but will be under high scrutiny
  • ICO draft guidance discouraged use of conditional consent

SLIDE 24

Industry Approach

  • Template privacy notice
  • Set out standard response for:
  – Brokers
  – Insurers
  – Coverholders
  – Reinsurance Brokers
  – Reinsurers
  – Retrocession Brokers
  – Retrocessionaires

SLIDE 25

Industry Approach

  • Who is to provide the notice?
  • Format of the Notice:
  – layered approach
  – tables
  – clicks and reveals
  • Identity of data controller?
  • Changes to insurance chain during the policy
  • Where the data are not obtained from the individual, the obligation is to provide the notice within a reasonable period and at the latest within one month (Article 14), unless the individual already has the information

SLIDE 26

Industry response

  • Lobbying DCMS
  – New legal ground for insurance sector processing special category data
  – Why this is needed:
  • Have to use a conditional consent
  • Withdrawal of consent is likely to terminate the policy
  • Challenge to obtain consent for an insurance chain

SLIDE 27

Industry response

  • Lobbying DCMS
  – Legal basis: it is in the substantial public interest, and is:
  • proportionate to the aim pursued
  • respects the essence of the right to data protection
  • provides suitable and specific measures to safeguard the fundamental rights and interests of the data subject

SLIDE 28

Industry proposed legislation

(1) The processing is necessary for the arranging, underwriting and administration of insurance and reinsurance policies and insurance and reinsurance policy claims, provided the data controller complies with section (2).

(2) The data controller shall implement suitable and specific measures to safeguard the data subject’s rights and freedoms in respect of such processing, being at least providing an explanation of the special categories of data and that it is processed for the purpose set out in section (1), with the information required under Articles 13 and 14.

SLIDE 29

Industry response

  • Lobbying DCMS
  – Maintain criminal records data as a ‘special category of data’
  – Maintain existing legal ground which allows anti-fraud checks
  – Maintain (limited) existing legal grounds for insurance
  – Request legal authorisation for profiling by insurance sector where it is covered by ‘profiling’

SLIDE 30

Industry proposed legislation

(1) Paragraph 1 of Article 22 shall not apply if the decision is based on profiling to the extent such profiling is necessary for the arranging, underwriting and administration of insurance and reinsurance policies and insurance and reinsurance policy claims, and subject to section (2).

(2) Where an underwriting or claims decision is based solely on automated processing the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

SLIDE 31

Industry response

  • Lobbying ICO
  – Requested guidance on obtaining conditional consents
  – Requested using insurance as a specific example

SLIDE 32

Next steps

  • Finalise privacy notice
  • Meet with DCMS to discuss our proposals
  • Draft consents (if needed)

SLIDE 34

ICO 12 Steps

  • 1. Awareness
  – Make sure decision makers and key people are aware of GDPR
  – Board buy-in

SLIDE 35

ICO 12 Steps

  • 2. Information You Hold
  – Document the data you hold and who you share it with
  – Build a processing record

SLIDE 36

ICO 12 Steps

  • 3. Communicating Privacy Information
  – Review and update privacy notices
  – ICO Privacy Notices Code of Practice
  – Industry privacy notice

SLIDE 37

ICO 12 Steps

  • 4. Individual Rights
  – Similar to current rights with significant enhancements
  – Consider whether you need an automated or manual process to deal with requests
  – One key question is who will be dealing with requests

SLIDE 38

ICO 12 Steps

  • 5. Subject access requests
  – Update current procedures
  – No charge
  – One month to comply (rather than 40 days)
  – You can refuse or charge for requests that are manifestly unfounded or excessive

SLIDE 39

ICO 12 Steps

  • 6. Lawful basis for processing personal data
  – Identify lawful basis or bases
  – Use Industry table
  – If you rely on consent, the data subject has a stronger right to have data deleted

SLIDE 40

ICO 12 Steps

  • 7. Consent
  – Industry plans to provide template consent wording – not drafted yet
  – Review any existing consents and update them

SLIDE 41

ICO 12 Steps

  • 8. Children
  – Can be covered by consents given by parents or guardians
  – May give their own consent if old enough (16 in the GDPR; Member States may set a lower age, not below 13)
  – Need to give their own consent at 18

SLIDE 42

ICO 12 Steps

  • 9. Data breaches
  – Review or create a data breach policy & procedure, and practise it!
  – Procedure must effectively detect, report & investigate a personal data breach

SLIDE 43

ICO 12 Steps

  • 10. Data Protection by Design and Data Protection Impact Assessments
  – Update or create a DPIA template & use it!
  – DPIA will also bring in DP by Design
  – WP29 Guidance

SLIDE 44

ICO 12 Steps

  • 11. Data Protection Officers
  – Needed if: regular & systematic monitoring of individuals on a large scale; large-scale processing of special category data (and in any case for public authorities)
  – WP29 Guidance

SLIDE 45

ICO 12 Steps

  • 12. International
  – Consider if you are doing any cross-border processing
  – If you are, consider which is your lead supervisory authority
  – WP29 Guidance