The General Data Protection Regulation: How will it impact local authorities?

Emma Godding, Bevan Brittan

Over the next two years, the issue of data protection is likely to ascend the ever growing list of priorities for all local authorities in the UK. The General Data Protection Regulation will come into force on 25 May 2018 and it will have a direct effect in all member states of the EU so there will be no need for domestic legislators to take steps to incorporate the regulation.

It appears very unlikely that the UK will have formally left the EU by 25 May 2018 and therefore the regulation will have a direct effect in the UK for at least a short period of time.

The General Data Protection Regulation is the most significant overhaul of data protection laws in the EU for 21 years. Not only will it inflict more stringent obligations on data controllers and data processors alike, it will also increase the maximum financial penalty which the Information Commissioner’s Office can impose from £500,000 to at least €20 million.

Following the outcome of the EU referendum, the long-term application of the General Data Protection Regulation in the UK is unknown. While the regulation will no longer automatically apply once the UK has left the EU, it may be directly applicable in the UK for a number of months, if not years, depending on how protracted the leaving negotiations become.

In the meantime, it would be prudent for public authorities to consider the potential impact of the regulation and any steps they should take now to ensure compliance.

Background

The Data Protection Act 1998 has remained largely unchanged since the start of the millennium.

Vast amounts of data can now be collected, transferred, analysed and used with relative ease. Consequently, there is a growing argument that, in order to maximise the hidden potential of all of that data, the legislative burden imposed on those who control or process data should be lightened. However, the EU has remained steadfast in its approach to data protection: an individual’s right to control their own personal data must be preserved. The General Data Protection Regulation seeks to establish the EU as the global leader for the protection of individuals’ personal data. The regulation will bring in some significant changes. The key changes that will impact on local authorities will be explored below.

What does it cover?

The definition of personal data has been expanded to reflect the importance of the online element of our lives. In particular, online identifiers, device identifiers, cookie IDs and IP addresses are now all expressly included in the definition of personal data.

The scope of sensitive personal data has been expanded to keep up with advances in medical technology. Genetic data and biometric data, where processed to uniquely identify a person, now expressly fall within the definition of sensitive personal data.

Informing and consent

The central aim of the regulation is to ensure that individuals are able to control their own personal data. To help achieve this aim data controllers, such as local authorities, must inform individuals how they will process the individual’s data before the processing takes place. This is not a new obligation but the quantity of information that needs to be provided has increased. The additional information includes:

  • the legal basis for processing the data
  • the period for which the data shall be retained
  • that the individual has a right to complain to the Information Commissioner’s Office
  • whether there is a statutory or contractual requirement to provide the data
  • the consequence of not providing the data.

The legal basis for processing personal data will often be the possession of an individual’s consent. This is unlikely to change under the regulation but the hurdles that organisations will need to clear to obtain that consent will be raised. For example, the regulation makes it clear that consent must be a positive indication of the individual’s agreement to process their personal data; consent cannot be inferred from silence, pre-ticked boxes or inactivity.

In order to obtain valid consent, the consent must be:

  • freely given
  • specific
  • informed
  • unambiguous.

The individual must also have the right to withdraw consent at any time. If any of these elements is missing, the consent is likely to be invalid.

If an authority is processing data for various different purposes, it will need to get separate consent for each purpose. The regulation creates a presumption that bundling consents will render the consent invalid.

The regulation will also place a greater onus on local authorities to be able to demonstrate that consent was given. Therefore, authorities will need to ensure that there is an adequate audit trail for the provision of consent.

For the first time, this regulation provides separate requirements for obtaining consent from children. Where children are younger than 13 years old, parental consent for processing their data must be obtained prior to the processing. Member states can set their own rules for the consent requirements for 13 to 15 years. We do not yet know how the UK will handle the consent for children aged between 13 and 15.

Right to be forgotten

The right to be forgotten allows individuals to require their data to be erased if the processing does not satisfy the requirements of the General Data Protection Regulation or the individual withdraws consent. Where an authority receives such a request, it will need to notify anyone with whom it has shared the personal data unless it would be impossible to do so or require disproportionate effort.

Subject access

All local authorities will be familiar with the subject access provisions of the Data Protection Act. The rights of individuals to request the information which an authority holds about them will continue under the General Data Protection Regulation but with a few alterations.

First, the time limit to respond to a subject access request will be reduced from 40 days, as it is under the current regime, to one month. This is a significant decrease so it would be worthwhile reviewing your process for handling such requests to see where time can be saved.

Data controllers will also have to provide requestors with supplemental information which includes:

  • the purpose of the processing
  • the categories of data processed
  • the recipients of the data
  • the envisaged retention period
  • the individual’s rights of rectification and erasure
  • the source of the data
  • any regulated automated decision taking.

The regulation also introduces the concept of portability. Subject to various conditions, the most notable being that the data is processed by automated means, individuals are entitled to request that their data is provided in a commonly used electronic form to enable them to port the data to another provider.

Data breaches

The aspects of the General Data Protection Regulation that have perhaps caused most concern are the provisions relating to enforcement.

First, controllers are under a duty to notify the Information Commissioner’s Office when there has been a data breach where an individual is likely to suffer some form of damage. If a data breach is not reported and the individual is likely to suffer damage, the Information Commissioner’s Office has the power to issue a local authority with a fine of up to €10 million or, if higher, two per cent of the authority’s annual turnover.

For other breaches of the regulation, the upper limit of the fine will be doubled, that is €20 million or four per cent of the annual turnover.

Active compliance

The General Data Protection Regulation will require local authorities to actively comply with all of its obligations. For example, authorities will need to implement:

  • data protection by design, that is to have a thought-out approach to data protection
  • staff training programmes
  • preparation of privacy impact assessments
  • an audit of personal data held.

What to do now

The Information Commissioner’s Office has already begun to publish guidance on the steps that data controllers will need to consider in order to ensure compliance with the regulation. With less than two years left to implement the necessary changes, local authorities should be raising awareness about the additional obligations and risks internally. They should also be reviewing the personal data that they hold, establishing with whom the data is shared and reviewing all data sharing agreements and privacy notices.

The General Data Protection Regulation is a timely piece of legislation which ensures that the right for individuals to control their personal data is protected irrespective of future technological advances. Complying with it will be difficult for many data controllers but the more that is done to establish the personal data which you hold and to update policies and procedures in good time before May 2018, the easier that transition will be.

While we do not yet know what data protection legislation the UK will adopt when it leaves the EU, there is a very real possibility that the new legislation, whether an amended version of the Data Protection Act or otherwise, will feature many of the key requirements contained in the General Data Protection Regulation.

Events

Click here for more events