General Data Protection Regulation – what should public authorities be doing now?

Dmitrije Sirovica, Browne Jacobson

As of 25 May 2018, the use of the majority of personal data in the UK will be governed by the General Data Protection Regulation (‘GDPR’). Many organisations, including public authorities, are already in the process of reviewing the personal data they hold with a view to ensuring compliance. For those who are not, now is the time to begin.

What is the GDPR?

The GDPR replaces the Data Protection Directive 1995, and when it comes into force will directly replace the Data Protection Act 1998 (‘the DPA’). It will be 20 years since the DPA came into force and much has changed in the way that personal data is processed, including the sheer scale of such data that is now gathered by organisations. The GDPR overhauls the existing legal position with a view to providing a comprehensive and coherent data protection regime which reflects the current societal and technological situation.

Public authorities should not see the GDPR as a threat but rather an opportunity. Much of what the GDPR does is to lay down as minimum legal requirements that which is already considered best practice. There is now an opportunity for all organisations processing personal data to conduct a detailed review of their compliance position and to mitigate against any risks going forwards. The GDPR brings this matter to the top of the agenda.

How will the GDPR work in practice?

The answer to this question is that data protection will operate in much the same way as it does now. Clients with whom we have already worked on this matter have described the GDPR as ‘data protection plus’, and we would not disagree. Many of the definitions that we see in the DPA remain, with some amendments. Sensitive personal data is now referred to as ‘special categories of personal data’, but the concept remains. ‘Processing’ is still a very wide concept, such that organisations should assume that they are processing personal data if doing almost anything with it.

In order to process personal data a number of data processing principles, found in Article 5 GDPR, must be complied with. This requirement is enhanced by the principle of ‘accountability’ which requires not only compliance with the principles but being able to demonstrate such compliance. The idea of privacy by design and by default has been introduced, imposing a legal obligation to integrate data protection into all operations of an organisation. Privacy impact assessments will be required in relation to certain high risk processing of personal data. The appointment of a Data Protection Officer will also be mandatory for public authorities.

A lawful basis for processing personal data will still be required, and the conditions for processing are found in Article 6 GDPR. One key point for public authorities to be aware of is that they will not be able to rely on the ‘legitimate interests’ condition for processing under the GDPR. We expect that the majority of processing of personal data conducted by public authorities will fall within Article 6(1)(e), that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; however, careful consideration must be given to any processing, especially in more novel areas.

In respect of special categories of personal data an additional condition is also required, now to be found in Article 9 GDPR. Unfortunately, in respect of these categories of personal data the position will not necessarily be so straightforward, and cross-referencing may be required with the provisions of the Data Protection Bill, which is currently going through Parliament.

The Data Protection Bill

The Data Protection Bill (‘the Bill’) was published in September 2017 and will come into force next year. A key part of what the Bill does is to address the areas where derogations from the GDPR are permitted. This includes providing additional requirements in respect of reliance upon certain conditions for processing special categories of personal data, for example the requirement for a policy document where certain conditions for processing are relied upon. The Bill also sets out the various exemptions to the data protection principles, to the conditions for processing, and to the rights of individuals. These are detailed provisions and must be applied very carefully; however, the intention appears to be to reflect the current legal position, drawing it into a single comprehensive piece of legislation.

The Bill is not an easy read and requires almost constant reference back to the GDPR. Neither piece of legislation provides the full picture.

Rights of data subjects

The GDPR retains the existing rights of data subjects, with some amendments, and also provides a number of enhanced rights. The changes include the requirement to comply with subject access requests within a month rather than 40 days, and to provide significant additional detail within fair processing notices. In relation to the majority of the rights, again a considered approach will be required. The rights are specific in their application and a number are not absolute. For example, individuals have the right to have their personal data erased, but only where one of the grounds set out in Article 17 GDPR applies. Even then, this right may be outweighed where other considerations apply, such as where the processing is necessary to comply with a legal obligation in the public interest or in the exercise of official authority.

The changes to the rights of data subjects will require public authorities to review their current policies and processes, to ensure that compliance with all of these new rights will be possible and that the authority will not fall foul of the legislation.

Data Protection Officers

All public authorities must appoint a Data Protection Officer (‘DPO’). This individual will be responsible for data protection compliance, monitoring the implementation and application of the GDPR, monitoring privacy impact assessments and breaches, and being a point of contact with the Information Commissioner’s Office.

This role can be allocated to an existing employee, or the DPO can be appointed externally. If appointed internally, the duties of that employee must be compatible with those of a DPO and must not lead to a conflict of interests.

Once appointed, this individual must report to the highest level of management within the authority, and cannot be dismissed or penalised for performing this task.

Next steps

All public authorities should now review and follow the Information Commissioner’s Office guidance document, ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’, including taking the following steps:

  • fair processing notices will require a lot of mandatory information to be included going forwards, as set out in Articles 13 and 14 GDPR. The above exercise will help to ensure compliance with the rights of individuals and the principle of accountability. For example, all fair processing notices must state the condition for processing, and in order to provide that detail an exercise must be conducted to establish what that condition in fact is
  • based on the above, any potential gaps in compliance should be identified, with a view to developing a risk-based plan as to how to mitigate such risks and remedy any areas of concern ahead of 28 May 2018
  • policies and processes will need to be reviewed to ensure the authority can comply with the rights of data subjects
  • awareness and buy-in will be required throughout the organisation in order to ensure compliance both on implementation and beyond. Training is likely to be required at all levels. Training may also be required for internally appointed DPOs to evidence sufficient knowledge to properly fulfil their role. We would be happy to discuss the provision of training to your authority
  • a DPO must be appointed
  • contracts with processors must be reviewed. Article 28 GDPR now sets out a number of mandatory requirements that must be included in contracts with processors. This is likely to require re-negotiation of data protection provisions within existing contracts. Any new contracts should be negotiated on the basis of GDPR compliance.

Conclusion

Public authorities will undoubtedly have work to do ahead of 28 May 2018 in order to meet the enhanced requirements in respect of data protection from that date. However, if a detailed and structured approach is taken, and a proper plan is put in place as to how to meet the requirements by that time, then authorities should be in a good position going forwards.