Regulatory Bulletin: General Data Protection Regulation

By admin | FinTech | 0 Comments

General Data Protection Regulation

WHAT is it?

The General Data Protection Regulation (GDPR) represents a major overhaul of data protection law, consolidating and replacing the UK’s Data Protection Act (DPA 1998) and EU data privacy laws.

The GDPR will introduce wide-ranging changes to how personal data is collected, handled and processed. It wi ll widen the definition of ‘personal data’ and grant people additional rights over how their data is used. Firms will be expected to have GDPR-compliant policies and procedures in place prior to the implementation date;

Despite the UK’s impending exit from the EU, the Government has confirmed that the GDPR will become part of UK law.

WHEN does it come into force?

The GDPR comes into effect in the UK from the 25th of May 2018.

WHAT are the key focus areas?

 Widening of ‘Personal Data’ definition

Definition under DPA Definition under GDPR
Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data under GDPR will now be under ‘special categories of personal data’. GDPR suggests:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies”.

The categories are generally the same, however special categories of personal data now also include biometric data and genetic data (See Article 9   for the full list of special categories).

Principles regarding personal data

Under Article 5 of GDPR, personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)
  • Processed in a manner that ensures appropriate security of the personal data
  • Although financial institutions are already obliged to take keep all data organised and effectively manage risks related under DPA, there is a new accountability requirement under GDPR, which suggests that data controllers will need to be able to actively demonstrate what activities have been carried out in order to comply with GDPR principles, on request.

Article 5(2) requires that:

  • “The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
  • This means that firms are expected to have appropriate data management and governance tools. This may include a revised data protection policy, appropriate privacy notices, and obtaining specific consent from customers when required under the Act.
  • Privacy by design and by default data controllers need to implement data protection and privacy tools at the stage of designing or selecting tools which process personal data.

Lawful processing

  • There should be a legal basis for data to be kept and processed.
  • Since Data Subjects require protection of personal data
  • Under DPA, lawful basis was called ‘conditions for processing’.
  • Under GDPR, it is important for this basis to be identified and documented.

Under GDPR the data controllers must ensure that whilst relying on legitimate basis for processing data, unless this basis is in conflict or overriding the interest of the data subject.

  • Data controllers also cannot rely on Individual’s consent if ‘clear imbalance’ exists between parties.

Data processors and Data controllers  

Data processors and Data controllers have more responsibilities under GDPR.

Data controllers are natural or legal persons, a public authority or agency who determines how and what the data will be used for. Data processors, on the other hand are anyone who carry out the processing of data on behalf of the controllers.

Both Data processors and controllers are involved in the processing and storing of personal data, hence both processors and controllers are liable for any damage to data and breach of regulation. Data processors must make data controllers aware of any breaches.

Consent

  • The standard of consent is more exacting under the GDPR, compared to the existing regulation.
  • Under GDPR: “must be a freely given, specific, informed and unambiguous indication of the individual’s wishes”.
  • It has to be verifiable, which means pre-ticked boxes, for example, are unlikely to be considered as explicit consent given.
  • Individuals have a right to withdraw consent.

Individual’s rights under GDPR include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Please click here for more thorough explanation of what these rights mean.

Data Protection Impact Assessment and Data Protection Officer

  • Process aimed at identifying and reducing privacy risks
  • Firms must carry out Data Protection Impact Assessments (DPIAs) when (1) using new technologies and (2) processing of data can lead to high risk to the rights of individuals. (Find out more on when you need to conduct DPIA and what information it should include here)
  • Where the DPIA indicates ‘high risk’ data processing, firms should consult the supervisory authorities (Information Commissioner’s Office in the UK)
  • Under GDPR, it is recommended that firms use ‘privacy by design’ approach  (Find out how this works here)
  • Data controllers are ultimately accountable for the implementation of DPIA

Public authorities, firms, which undertake large scale systematic monitoring of individuals, firms which process large scale special categories data (or data related to criminal convictions) must appoint a Data Protection Officer (DPO)

  • DPO should be competent and have relevant experience, as he/she will be the first point of contact regarding data protection
  • DPO must be involved, properly and in a timely manner, in all issues which related to protection of personal data. 

Cross-border data sharing

As is currently the case, firms will be must not transfer personal data outside the EEA to a third country that does not have adequate data protection measures in place, unless certain conditions are met.

After Brexit has taken place, GDPR’s “long arm jurisdiction” will apply to UK firms the same way it applies to US firms. This regulation applies to firms, which provide EU consumers with goods and services, however do not have a physical presence there.

Businesses, which operate in more than one EU member state, will need to determine their lead National Data Protection Authority, as under GDPR’s “one-stop shop” they are allowed to deal with just one.

Processing employee data

Under GDPR, firms in all EU member states may have specific rules in place for the processing of employee-related-data; in other words, the Regulation will allow ‘gold-plating’ on a national level. Additionally, national laws may apply after GDPR implementation.

Record keeping

Data processors and controllers must keep accurate record of the activities related to processing of data, as follows:

  • Name and details of the organisation
  • Basis for processing the data
  • Full description of personal data
  • Recipients of personal data
  • Information about any transfers of personal data to third countries, including any relevant details of data protection arrangements in place and documents.
  • Retention schedules
  • Information about security measures and tools within the organisation

As mentioned in the Article 5(2), this information should be available on request from regulatory authorities.

As, under GDPR, data processors are obliged to report any data breaches to data controllers, any security incidents or breaches, which can lead to destruction and high risk to the individuals, should be reported to ICO  with 72 hours. (ICO main contact number is: 0303 123 1113, or to report online follow this link)

In the event of data breach leading to high risk to the individuals, especially data subjects, they should also be notified without undue delay.

Firms must have a data breach register.

Under the GDPR various sanctions can be imposed for breach of requirements – including fines of up to 2% (4%) of annual worldwide turnover or EUR 10,000,000 (EUR 20,000,000), whichever is highest, in respect of internal data keeping violations (violations related to breaches of data protection principles, consent and data subject’s rights).

 WHAT do firms need to do to comply?

  1. Firms need to review and map out all personal data they hold
  2. It is highly recommended to set up a working group, dedicated to ensuring that the firm is in compliance with GDPR
  3. The team can carry out a data inventory process and ensure that there is an accurate record of data and any breaches
  4. After data inventory is carried it will be visible what procedures need to be put in place in order to be in compliance with GDPR
  5. Firms need to review procedures related to obtaining consent and make sure it is clear
  6. Staff need to be made aware of their responsibilities (data controllers and data processors)
  7. Staff need to be made aware of penalties for breach of GDPR
  8. Any privacy notices given to data subjects which need to be amended should be amended
  9. ICO recommends firms that conduct big data processing to consider ways in which they can satisfy this standard.

What can we do to help?

FinTech Compliance can assist your business with all aspects of GDPR implementation, ensuring you are fully ready and compliant well before the legislation comes into force. In particular, we can:

  • Conduct a bespoke scoping exercise in order to determine your firm’s obligations
  • Assist with reviewing personal data currently on file in light of the new requirements
  • Assist with the drafting and implementation of GDPR-compliant data protection policies and procedures
  • Draft and implement appropriate privacy notices and consent forms
  • Work with you to conduct a Data Protection Impact Assessment
  • Advise generally on the scope and interpretation of the new legislation

If you’d like to speak to us about any of the above, get in touch with us by calling +44 207 100 4058, or write to us using our website’s Contact Us page.