general data protection regulation: what do you need to do to get prepared? - helena wootton

General Data Protection Regulation: What do you need to do to get prepared? May 2016

Upload: iispeastmids

Post on 08-Jan-2017

Page 1: General Data Protection Regulation: what do you need to do to get prepared? - Helena Wootton

General Data Protection Regulation

What do you need to do to get prepared?

May 2016

Page 2

Agenda

• Scope and new concepts
• Data Processor / Data Controller relationship
• Children’s data
• Grounds for processing
• Transparency
• Rights for individuals
• Demonstrate data governance
• Transfers of personal data
• Brexit

Page 3

Introduction

• The General Data Protection Regulation has received political approval
• The Regulation sets a 2 year implementation period
• The Regulation will come into force in May 2018

Page 4

Scope and new concepts

Page 5

In brief…

• Scope: EU based data controllers and processors, in the context of their activities in the EU.
• Where there is no EU presence, the GDPR will still apply whenever an EU resident’s personal data is processed in connection with goods/services offered to them, or where the behaviour of individuals within the EU is “monitored”.
• The GDPR allows Member States to legislate in many areas.
• The data protection principles are revised but are broadly similar: fairness, lawfulness and transparency; purpose limitation; data minimisation; data quality; security, integrity and confidentiality.
• New concepts: transparency and consent; children and consent
• Expanded definitions of ‘personal data’ and ‘sensitive data’
• Pseudonymisation; data breach notification
• Data protection by design and a new accountability principle
• Enhanced rights – to be forgotten, data portability and to object
• Supervisory Authorities

Page 6

Page 7

Controller Processor Relationship

The Controller retains overall accountability for its processing activities, including the decision to appoint and manage a Processor.

The GDPR introduces direct obligations on, and regulation of, Processors, e.g. a Processor will conduct a PIA on its service offering (which the Controller will have to check and monitor).

The Controller and Processor may assign roles and responsibilities (on a “best-placed” basis) in the contract in relation to all the required matters, subject always to the Controller’s overall accountability if they do not.

Unless respective responsibilities and liabilities are clearly laid out in the written arrangement, there can be joint and several liability for the entire damage caused to any person who suffers as a result of unlawful processing or an action incompatible with the GDPR.

If the Processor goes outside the instructions of the Controller, the Processor becomes directly liable under the GDPR to the Regulator and to Data Subjects (this does not negate the Controller’s “control” obligations over the Processor).

Page 8

Controller Processor Relationship

Key constituent Controller obligations:

• Due diligence and appointment: ensure the Processor is able to, and does, process securely; ensure compliance with the GDPR as a whole; and ensure the protection of the rights of the data subject
• Monitoring/auditing: ensure the Processor complies with instructions and that all measures are in place to satisfy the above
• A written contract or other legal act binding the parties must be put in place. The GDPR sets out a list of 8 matters to be addressed – but essentially, these cover all aspects of the GDPR

Page 9

Appointing Processors: Key business impacts

• Procurement processes: training of team; update of documentation, due diligence practices, and results analysis
• Contracts: review and rewrite of all relevant contracts. Terms will be far more specific. Standard phrases are unlikely to be sufficient, including those that relate to subcontracting or involving further Processors.
• Post-contract auditing processes will need to be built in
• It would also be prudent to seek appropriate indemnities and warranties from the Processor about its processing and compliance, and to build in more reporting and MI obligations on the Processor so that the Controller is given much more visibility and transparency on a regular basis, and not just at annual review or specific checkpoints, audits or changes
• CRM issues as previously indicated

Page 10

Additional Processor obligations

• Appointment of Data Protection Officers
• Data Protection Impact Assessments
• Data Security
• Breach Notification

Page 11

Joint Controllers

Accountability of Joint Controllers

A Controller retains overall accountability, and liability, for its own processing activities. However, where there are Joint Controllers they:

• must have an arrangement in place which determines who is effectively responsible for GDPR compliance
• must give particular attention to how subjects can best exercise their rights
• must make information about this arrangement available to subjects

Joint Controllers will have joint and several liability for all joint processing unless the arrangements are very clear on the point.

Under the current DPA, by contrast: each Controller is fully and independently responsible for complying with the DPA for its own processing activities, and for managing its data subjects. There is no specific legal obligation to enter into formal arrangements (although it is good practice and highly recommended to satisfy the DPA Principles). Sharing of liability is an optional, commercial matter covered in any contract or data sharing agreement. There is no concept of joint and several liability under the DPA.

Key business impacts:

• Procurement: due diligence; relationship structures; contract negotiations & drafting
• Future-proof any current relationships which extend beyond GDPR implementation by addressing the new compulsory requirements, to the extent not already done
• Group contracting policies/precedents
• SAR process
• Customer relationship management: control of communications and standards; complaints handling; banking confidentiality (and FCA issues)
• TCF initiatives
• Litigation policies

Page 12

Children’s data

Page 13

In brief…

• Under 16
• Children are “vulnerable individuals” and deserve “specific protection”
• Additional rules for online services provided to children under 16 – online, prior parental consent is required for use of an under 13 year old’s data.
• Member States are free to set their own rules for those aged 13 – 15. If they do not, parental consent is required for children under 16

Page 14

What are the grounds for processing personal data?

• Similar to current rules, except for consent
• Restrictions and clarifications around the ability to rely on “legitimate interests”
• Consent subject to additional conditions
• Effective prohibition on “bundled” consents and on offering services contingent on consent.
• Consent must be separable from other written agreements, clearly presented and as easily revoked as given.
• Further restrictions may be imposed by codes of conduct.

Page 15

In brief…

• Genetic data and biometric data
• Sensitive personal data
• New conditions regarding the processing of genetic, biometric or health data

Page 16

Transparency

In brief…

• Controllers must provide information notices to ensure transparency of processing
• Specified information must be provided
• There is also a general transparency obligation
• Much of the additional information will not be difficult to supply – although it may be hard for organisations to provide retention periods
• There is an emphasis on clear, concise notices

Page 17

Rights for individuals

In brief…

• Rights to object
• Subject access rights
• Data portability
• Right to erasure and right to restriction of processing

Page 18

Demonstrate data governance

In brief…

• Implement measures to reduce the breach risk
• Take governance seriously
• Privacy Impact Assessments, audits, policy reviews, activity records and appointing a Data Protection Officer

Page 19

Transfers of Personal Data

In brief…

• Transfers outside the EEA continue to be regulated and restricted
• Remains a significant issue
• Non-compliance proceedings can be brought against controllers and/or processors
• Safe Harbor and Privacy Shield

Page 20

Remedies and liabilities for breach

In brief…

• Fines: the higher of €20,000,000 or, in the case of undertakings, 4% of global turnover
• Compensation claims

Page 21

Impact of a Brexit

• UK would be outside the EEA
• Would need to offer an “adequate level of protection”
• Commission views the UK as inadequate due to defective implementation of the 1995 Directive
• Commission’s infraction proceedings against the UK are still live
• If the UK doesn’t meet the 1995 Directive it will not meet the GDPR
• UK would need to implement “essentially equivalent” measures, or non-UK businesses would need to rely on derogations/exemptions

Page 22

Thank you

Helena Wootton (Partner)

• Tel: 0115 976 6532
• Mobile: 07795400719
• Email: [email protected]