HM Insights

Data protection law celebrates 1st birthday – but has the GDPR lived up to the hype?

On 25 May 2018, data protection law across the EU was overhauled and for a brief moment in time the GDPR became a hot topic – surpassing even Beyoncé as a search term on Google.

The introduction of the General Data Protection Regulation (EU) 2016/679 (to give the GDPR its Sunday name) saw the UK introduce the Data Protection Act 2018 (the DPA 2018) on the same day, replacing the Data Protection Act 1998 (the DPA 1998).

However, despite the hype, many individuals and organisations would argue that the GDPR has not had as big an impact as they thought … yet.

This article provides a brief overview of some of the key developments since the introduction of the new legislation a year ago.

Increased fines

One of the main scaremongering issues that arose in the run up to the introduction of the GDPR was the increase in the amount of fines that supervisory authorities for data protection (the ICO in the UK) can levy on organisations. The previous £500,000 cap was increased to 4% of annual worldwide turnover or €20 million (whichever is greater) for the most serious breaches of the GDPR.

However, the ICO is still dealing with complaints under the Data Protection Act 1998 and so we have not yet seen a fine in the UK under the GDPR (the first GDPR enforcement notice was issued in July 2018).

One of the most talked-about decisions under the GDPR comes from the French data regulator, CNIL, which fined Google €50m for a breach as a result of two complaints, one of which was submitted on 25 May 2018. The complaints related to Google failing to have a valid lawful basis under the GDPR for processing user data for ad personalisation.

CNIL held that Google had not obtained clear consent to process personal data and users were not able to fully understand the extent of the processing operations that Google carried out. Further, the option to personalise ads was pre-ticked, which is prohibited for consent under the GDPR.

Whilst many organisations may be unlikely to face a fine of €50m under the GDPR, this decision does highlight that data protection supervisory authorities, such as the ICO, do take the failure to apply an appropriate lawful basis seriously.

Brexit

The DPA 2018 will continue to apply after the UK leaves the EU and there are provisions within the Withdrawal Agreement that mean the GDPR will continue to apply in the UK until the end of the Brexit transition period. If the UK leaves the EU without a deal, the GDPR will be incorporated into UK law as the 'UK GDPR'.

Accordingly, the GDPR is here to stay regardless of the UK's future position within the EU. However, there are implications for organisations which transfer personal data both with other EEA countries and outside of the EEA that will depend on whether the UK leaves the EU with or without a deal.

Transparency

Transparency is arguably one of the most important principles and obligations under the GDPR. This means that individuals must understand how their personal data is used by organisations. Having an up-to-date and correct privacy notice should be a priority for organisations to ensure that they do not fall foul of the GDPR's requirements – this is one of the most effective ways of demonstrating compliance with the principle of transparency.

Organisations should have prepared new privacy notices prior to 25 May 2018. However, it is important for organisations to ensure that such notices are kept under constant review so that they always provide an accurate picture to individuals of how their personal data is used.

Lawful processing

The GDPR requires organisations to ensure that they identify a lawful basis to process personal data before such processing takes place. Once a lawful basis has been identified from the bases set out under the GDPR, organisations must apply the lawful basis and only use the personal data as necessary for that lawful basis.

Organisations also need to remember that where they are processing special categories of personal data, they must identify both a lawful basis and special condition for the processing.

Consent

Under the GDPR, there are limited circumstances in which consent is an appropriate lawful basis and usually another lawful basis will apply. For example, consent is likely to be inappropriate where: it is a precondition to access services; the organisation is in a position of power over the individual (such as an employer and employee); or the organisation would still process the personal data under another lawful basis if consent is refused or withdrawn.

If consent is required, organisations need to make consent requests prominent, concise and separate from other terms and conditions, as well as easy to understand. Consent must also be freely given, which means that individuals should have a genuine choice over whether or not they give consent. If a consent request includes a pre-ticked box, this will fall foul of the GDPR's requirements as consent requires a positive action to opt in.

Legitimate interests

The "legitimate interests" lawful basis applies where it is necessary to process personal data to pursue the controller's or a third party's legitimate interests. However, it only applies where such interests are not overridden by the individual's interests – for example, where no harm will result to the individual's rights and freedoms.

To use legitimate interests as a lawful basis to process personal data, a three-stage assessment must be undertaken to ensure that this is appropriate. This is called a legitimate interests assessment, which is a light-touch risk assessment based on the specific circumstances and context of the particular processing and requires the following:

  • identify a legitimate interest – what is the purpose for processing the personal data and why it is important to the controller or third party;
  • assess whether the processing is necessary for that purpose – is the processing a targeted and proportionate way of achieving the purpose or can the controller or third party achieve the same result without processing the personal data; and
  • balance the legitimate interests against the individual's interests – would individuals expect the controller to use their personal data in this way or would it cause them unjustifiable harm or nuisance?

Data sharing

When organisations share personal data with a "processor", a contract must be entered into that reflects the relevant provisions under the GDPR. Organisations always need to check that the processors they engage have an appropriate contract in place and take steps to monitor the processor's compliance with that contract.

When organisations share personal data with another "controller" there is no need for a data processing contract but there are other obligations that organisations need to consider.

Whilst the ICO produced a data sharing code of practice under the DPA 1998, this has not yet been updated to reflect the DPA 2018 or the GDPR. Accordingly, there is currently little guidance on how organisations should approach limited or incidental data sharing under the GDPR but such sharing must be lawful, which includes being referenced within privacy notices.

If organisations are going to share personal data on a recurring basis, it is recommended that a data sharing agreement is entered into and privacy notices should also detail such data sharing. If organisations are "joint controllers" of personal data, the position is slightly different. The GDPR defines "joint controllers" as two or more controllers that "jointly determine the purposes and means of processing".

Joint controllers do not expressly need a contract under the GDPR, but they do need an "arrangement" to determine their respective responsibilities for complying with the terms of the GDPR, in particular regarding data subjects exercising their rights and the provision of privacy notices.

Data security

Security of personal data is a key principle under the GDPR and the ICO has seen a large increase in the number of reported personal data breaches following the introduction of the express obligation to report certain personal data breaches under the GDPR.

The GDPR prescribes a timeframe of 72 hours from becoming aware of an actual personal data breach to report it to the ICO, but only where the breach is likely to result in a risk to the rights and freedoms of individuals.

As well as reporting a personal data breach to the ICO, organisations may also need to tell affected individuals about the personal data breach, without delay, where there is a high risk to their rights and freedoms.

Get in touch

If your organisation requires advice on how to deal with any GDPR issues it faces, please get in touch with a member of our team.