Coleman Hudson, Chair, GDPR Sub Committee, IBA Compliance Committee talks to
John Mangan, Enterprise Account Manager, Ward Solutions, Information Security Services
Where should I start today in order to be GDPR ready?
Firstly, you need to acquaint yourself with what GDPR is, what its implications are for your organisation and what the risks are to you of being non-compliant. As legal documents go the GDPR is accessible and readable, and if you are charged with ensuring compliance with GDPR in your organisation there is really no way around reading it. GDPR is applicable at some level to pretty much all organisations, so once you understand how it is applicable to you, you need to start completing a personal data inventory identifying all personal data held by your organisation and the basis on which it is held. This inventory is important to maintain as a live inventory into the future as it will form the basis of what you do in terms of your operation and obligations under GDPR in the future, e.g. dealing with subject access requests, rights to erasure as well as audit or demonstrating compliance etc.
After that we recommend that organisations perform a gap analysis – to determine where you are with respect to your processing of personal data versus where you need to be to be GDPR compliant.
This gap analysis should identify a prioritised work programme of activity and remediation necessary to gain and maintain GDPR compliance.
Does my business need to appoint a Data Protection Officer (DPO)?
Under GDPR not all organisations are required to appoint a DPO. All public authorities and bodies (regardless of what data they process) will be required to appoint a DPO. Other organisations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale, will also be required to appoint a DPO. The Article 29 Working Party issued guidelines on DPOs on 13 December 2016 which will be helpful in assisting organisations in determining whether they need to appoint a DPO. The guidelines consider the meaning of “core activity”, “systematically” and “large scale”, terms which are not defined in the GDPR but which it will be essential for organisations to understand in order to analyse whether they have a mandatory obligation to appoint a DPO. Unfortunately, notwithstanding the Article 29 guidelines it is not an exact science. The guidelines recommend that, unless it is obvious that an organisation is not required to designate a DPO, controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly. I would agree that this is essential. If an organisation takes a view to voluntarily appoint a DPO then the organisation will be required to comply with the GDPR as it relates to DPOs.
What is the difference between a regulation and a directive?
Both are types of legislation that emanate from Europe. Whereas the Oireachtas needs to pass legislation to bring a directive into law in Ireland, a regulation is directly effective, which means that the Oireachtas does not have to take any action to bring the regulation into Irish law. This means that GDPR will be effective in Ireland on 25 May 2017 without any further action of the government.
What is meant by ‘explicit’ or ‘unambiguous’ consent and when do I need this consent?
Under GDPR consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This is the main test for consent under GDPR and the GDPR gives considerable detail around the information that must be given to a data subject in order to ensure that consent is freely given, specific and informed. However, there are circumstances where the text of the Regulation arguably requires a higher level of consent – explicit consent. This is required where special categories of personal data are being processed and also where personal data is being transferred outside the EEA. The meaning of consent, let alone the difference between explicit consent and unambiguous consent, could in itself take up hours of discussion. We can say that GDPR does appear to signal the end of the pre-ticked box consent to the processing of personal data as outlined in Recital 32 of the GDPR – it satisfying neither the explicit nor the unambiguous test. Ticking a box would clearly indicate unambiguous and explicit consent provided sufficient information is given to make it informed and specific. However, Recital 32 does in addition allow consent by “another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.” This is where the difference between unambiguous and explicit may lie. Such a statement or conduct may satisfy the unambiguous but not the explicit consent test. To give an example, if a person enters a competition online giving their contact details and the box to provide that information clearly states that the information may be used to contact them in relation to products and services of that organisation, arguably that is conduct which would indicate unambiguous acceptance of the proposed processing. It is not, however, explicit consent. Don’t forget all data subjects must be given clear information as to how they can withdraw their consent.
What are the key things I should consider when handling personal data?
The first thing to bear in mind is that, the GDPR aside, Article 8 of the EU Charter of Fundamental Rights specifically recognises the right of EU citizens to the protection of personal data. Therefore, all organisations need to respect that right. When you are handling a person’s personal data you need to consider what right you have to be processing the personal data. Did you receive consent from the data subject to process the personal data in the manner that it is being processed? Is there another ground, as specified under the current legislation/GDPR once implemented, that allows you to process the personal data, i.e. on foot of a contractual obligation to the data subject? In addition, you need to ensure that personal data is kept accurate and up to date, and that the personal data you request is adequate, relevant and not excessive. To give an example, if somebody is opening a savings account is there a reason that a financial institution requires their salary? Personal data should be retained for no longer than necessary – there is no holding on to personal data just in case it might be useful to have in the future.
Personal data must only be processed/held in a manner that is secure. In addition, an organisation needs to ensure that it can comply with the personal rights of individuals under the current acts and the new rights that a data subject will have under GDPR, such as data access requests and the right to rectification. Failing to adhere to these basic principles of data protection law is going to have greater consequences on the implementation of GDPR due to the substantial fines that can be levied against organisations that fail to do so – up to €20 million or 4% of worldwide turnover, whichever is the greater. Helen Dixon, the Data Protection Commissioner, has made it clear that she will be fining where an organisation fails to comply with GDPR.
What is privacy by design?
Privacy by design means that an organisation must implement appropriate technical and organisational safeguards where personal data is being processed that ensure that data protection principles are adhered to and personal data is protected.
Do I need a privacy notice?
A privacy notice or statement must be published on the website of an organisation and it sets out how the organisation applies data protection principles to data processed on its website. It is a legal requirement both under the current data protection acts and SI 336/2011.
What changes have been made regarding subject access requests?
Currently organisations have 40 days in which to respond to a subject access request. This time limit will reduce to one month once GDPR is effective. Organisations will no longer be permitted to charge for processing a subject access request unless the organisation can demonstrate that the cost will be excessive. There are some grounds for refusing access requests (where a request is proven to be manifestly unfounded or excessive) but these are very limited, and organisations will need to be very careful to ensure that, where they are relying on these grounds as a refusal to process an access request, their position is solid. There is now also additional information which will need to be provided when responding to an access request, such as data retention periods and the right to have inaccurate data corrected. The 2016 Annual Report of the Irish Data Protection Commissioner shows that by far the greatest number of complaints received by the DPC relate to subject access requests, making up 56% of the total complaints received by the DPC last year. It is therefore imperative that organisations implement the necessary changes around subject access requests and ensure that all policies and procedures in this regard are updated and staff trained accordingly in advance of the introduction of GDPR.
What is the Article 29 Data Protection Working Party and is it relevant to my business?
The Article 29 Working Party was set up under Article 29 of Directive 95/46/EC, the Directive from which the law in Europe on data protection currently derives. It is made up primarily of representatives from the data protection supervisory authorities of all EU member states. The Article 29 Working Party issues guidelines in respect of data protection law, such as those which I have mentioned already in relation to DPOs. They are very accessible, and certainly those that have issued already in relation to the GDPR have given a good insight into how we would expect to see the DPC interpret the GDPR.
For old manual files, will the GDPR require that these are all scanned etc. to be able to be transmitted in portable format?
There is currently nothing in the GDPR or the Article 29 Working Party Guidelines on Data Portability to suggest this.
Is there a difference between ‘personal’ and ‘sensitive personal data’?
Personal data is any data which alone or together with other data held by the organisation can identify a living individual.
Sensitive personal data is a subset of personal data.
Sensitive personal data is defined in the Data Protection Acts as any personal data as to:
- the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
- whether the data subject is a member of a trade union
- the physical or mental health or condition or sexual life of the data subject,
- the commission or alleged commission of any offence by the data subject, or
- any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Under GDPR sensitive personal data is now referred to as special categories of personal data but the meaning remains largely unchanged.
As you would expect there are additional conditions that need to be met in relation to the processing of sensitive personal data/special categories of personal data.
Are there circumstances when the GDPR does not apply?
GDPR will apply to the processing by an organisation of any personal data. As mentioned above, personal data is any data which alone or together with other data held by the organisation can identify a living individual. As most organisations will process personal data of their employees, there are therefore very few organisations to which the GDPR will not apply. Also, just to point out that GDPR applies to organisations established in the EU regardless of whether processing takes place in the EU. It also applies to organisations not in the EU but which process personal data of data subjects in the EU.
What is a data register and what should it contain?
Article 30 of the GDPR requires all controllers and their representatives to maintain a record of the data processing activities for which they are responsible. The record must contain the following information:
- The name and contact details of the controller and, where applicable the joint controller, the controller’s representative and the DPO;
- The purposes of the processing;
- A description of the categories of data subject and the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and where relevant the documentation showing suitable safeguards for the protection of the personal data;
- Where possible, the envisaged time limits for erasure of different categories of data; and
- Where possible a description of the technical and organisational security measures in place to protect the data.