The GDPR and the Data Protection Act 2018 – Robin Hopkins – PowerPoint PPT Presentation


SLIDE 1

The new data protection regime: The GDPR and the Data Protection Act 2018

Robin Hopkins

4 October 2017

SLIDE 2

GDPR: an introduction

  • The problem:
    • Processing of personal data ramps up with technology
    • 1990s legislation (Directive 95/46/EC and the DPA 1998) creaking under 21st-century strains
  • The solution:
    • The General Data Protection Regulation: draft text leaked in December 2011
    • Agreed text published 2015
    • Regulation (EU) 2016/679 adopted April 2016; published in the Official Journal May 2016
    • Applies from: 25 May 2018

SLIDE 3

Is it a big deal?

  • Not a clean slate – broad architecture stays in place:
    • Data controllers must comply with prescribed principles in respect of all processing of personal data
    • Individuals have rights of subject access, erasure, rectification, compensation, etc.
  • But there are major new challenges:
    • Headline grabbers: consent & transparency more onerous; data breach notifications and potential penalties more painful; data controller accountability sharpened
    • Also some important practical changes for local authorities – see later

SLIDE 4

How will GDPR be implemented?

  • Directly effective:
    • Regulation rather than directive; aims at harmonisation
    • But quite a lot is left to member states, e.g. exemptions
    • So implementing legislation of some sort is needed
  • What will happen in the UK?
    • Data Protection Bill put before Parliament 14 Sept 2017
    • This will evolve into the Data Protection Act 2018
    • Implements and extends the GDPR, and fills in the gaps
    • So from 2018 onwards, our DP landscape will comprise both the GDPR and the DPA 2018

SLIDE 5

GDPR: the fundamentals

  • The building blocks are familiar:
    • ‘Personal data’, ‘special categories’ (i.e. sensitive personal data), ‘data controller’, ‘processing’ largely intact
  • ‘Data protection principles’ – Article 5 GDPR:
    • Lawfulness, fairness & transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity & confidentiality
    • Accountability: must be able to demonstrate compliance

SLIDE 6

What becomes of Schedule 2 DPA?

  • Article 6 GDPR for ‘ordinary’ personal data:
    • Consent for specific purposes of processing
    • Performance of a contract with the data subject
    • Compliance with a legal obligation
    • Protection of vital interests
    • Necessary for performance of public interest tasks
    • Legitimate interests (like the old condition 6(1) from Schedule 2 DPA)
  • Note the latter cannot be relied upon by public authorities “in the performance of their tasks”
  • What is a public authority? As per FOIA (cl. 6 DP Bill)
  • What are public tasks? Look to statute (cl. 7 DP Bill)

SLIDE 7

And Schedule 3 DPA?

  • Article 9 GDPR for ‘special category’ personal data:
    • Explicit consent
    • Employment, social security
    • Vital interests; medical purposes
    • Political/religious/philosophical organisations & trade unions
    • “Manifestly made public” by data subject
    • Legal claims
    • Substantial public interest – to be particularised
    • Public health; archiving, science, statistics, research
  • Those are implemented in Schedule 1 of the DP Bill
  • Likewise for criminal conviction data (Article 10 GDPR)

SLIDE 8

Consent: how has it changed?

  • Article 4(11) GDPR: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data”
  • ICO has issued draft consent guidance (March 2017):
    • Don’t use pre-ticked boxes/opt-outs/consent by default
    • Be ‘specific & granular’ but also ‘clear & concise’
    • Explicit consent not much different
    • If you can’t offer genuine choice, don’t rely on consent
    • Consent may be difficult for employers & public authorities

SLIDE 9

Other duties on data controllers (1)?

  • DP by design & default: measures to ensure DPP-compliance (e.g. pseudonymisation) & only processing to the extent necessary (A25)
  • Joint data controllers: have clear & transparent arrangements for designating duties (A26)
  • Selecting & using data processors: use reliable processors, have detailed contracts, control sub-processing (A28-29)
  • Keep records of processing (A30)
  • DP Impact Assessments & ICO consultation: where high risks to individual rights (A35-36)

SLIDE 10

Other duties on controllers (2)?

  • DP Officers (A37):
    • Duties (A39) & rights (A38) defined
  • Mandatory breach reporting (A33):
    • Must report a breach to ICO “unless the personal data breach is unlikely to result in a risk to rights/freedoms”
    • Do it within 72 hours of becoming aware of the breach, or justify the delay
    • If breach “likely to result in a high risk to the rights and freedoms of natural persons”, notify data subjects “without undue delay” (A34)
    • Unless: encrypted/unintelligible; initial high risk contained; disproportionate effort

SLIDE 11

Data processors have DP duties too

  • Keep written records (A30)
  • Co-operate with supervisory authority (A31)
  • Security duties (A32) & processing only in accordance with the instructions of the data controller (A29)
  • Notify data breach to data controller (A33)
  • May be required to appoint DPO (A37)

SLIDE 12

GDPR and data subjects’ rights (1)

  • Transparency will be hugely important under GDPR:
    • Overarching duty in A12
    • Subject access rights much wider (A15)
    • But see A12(5) exemption/ability to charge where requests unfounded, excessive, repetitive
    • See especially ICO’s Code of Practice: Privacy Notices, Transparency & Control (October 2016)
  • Rectification of inaccurate & incomplete data: including by adding supplementary statements (A16)
  • Right to be forgotten (A17)

SLIDE 13

GDPR and data subjects’ rights (2)

  • Right to restrict & object to processing & profiling:
    • Restrict e.g. where accuracy dispute & objection pending (A18)
    • Object unless data controller can justify (A21)
    • Right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects on him/her (A22)
  • Data portability (A20):
    • Provide to data subject or transmit to another data controller

SLIDE 14

Exceptions/restrictions: A23 GDPR

  • National security, defence, public security
  • Crime
  • National economic concerns
  • Protection of judicial independence and judicial proceedings
  • Prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
  • Related monitoring, inspection or regulatory functions
  • Protection of the data subject or the rights and freedoms of others
  • Enforcement of civil law claims

SLIDE 15

Exceptions: Schedules 2-4 DP Bill

  • Largely familiar territory:
    • Crime and taxation
    • Immigration
    • Legal proceedings
    • Regulatory or investigatory functions
    • Legal professional privilege
    • Management forecasts; negotiations
    • Confidential references
    • Health, education, social work (largely as per existing statutory instruments)
    • Child abuse data
    • Statutory disclosure obligations

SLIDE 16

Novel practical points

  • You will need an ‘appropriate policy document’ if you process special category or criminal conviction data:
    • Schedule 1, Part 4: document must explain how you comply with Article 5 GDPR + your retention/erasure practices + your Article 6 processing condition
  • Subject access requests and ‘mixed personal data’:
    • Currently an assessment of reasonableness under ss. 7(4)-(6) of the DPA 1998
    • This is retained, but note presumption of reasonableness for health, social work and educational workers (Schedule 2, Pt 3)

SLIDE 17

What happens if things go wrong?

  • Stringent enforcement provisions (Ch VIII):
    • Effective judicial remedy, including compensation from controller/processor (A79 & 82)
    • Regulatory fines: up to £18m (DP Bill cl. 150); under A83 GDPR, up to €20m or 4% of worldwide annual turnover, whichever is higher
  • Increasing trend towards large-scale private compensation claims:
    • See Morrisons case (going to trial October 2017)
    • An increasingly savvy market for claimant work
    • Entrepreneurial innovations, e.g. claim-bots