Clarkslegal LLP - Solicitors in Reading and London

Data Protection

GDPR - Question of the week

9th April 2018

Right of Data Portability: Do organisations have to transfer all of a data subject’s personal data to another controller?

Data portability is a new right for data subjects under the GDPR, although its scope and application has been misstated by some.

The new right of data portability allows individuals to request a copy of their personal data in a commonly used, machine-readable format and either store the data themselves or transfer it (either themselves or through the data controller) to another data controller.

However, the right is somewhat limited. Significantly, it only applies to data:

  • About the data subject;
  • Provided to the data controller by the data subject in the first place;
  • Processed by automated means; and
  • Where the processing is based on consent or on necessity to fulfil a contract.

It’s therefore not a right to have all personal data transferred.


2nd April 2018

How will Brexit affect the implementation of GDPR here in the UK?

As the UK will still be a part of the EU at the time of the GDPR’s implementation in May 2018, UK businesses will still need to be GDPR-compliant by this date. What happens after the UK leaves the EU depends on whether it decides to join the European Economic Area. If it does, the GDPR will continue to apply; if not, the transfer of personal data from the EU into the UK will not be permissible without additional legal protections or safeguards in place. In short, either outcome will affect UK businesses collecting data which can potentially identify individuals from the EU, as the GDPR is concerned with who the data is about, not where the data is located.

26th March 2018

If an individual fails to give, or objects to giving, consent to their data being processed, can companies/websites refuse them access?

One of the new principles introduced in the GDPR is the necessity to acquire unambiguous and unconditional consent from a data subject before their personal data is processed. However, if the individual does not give this consent, that does not in itself justify the company or website refusing them access, unless the consent is integral to the service the company or website is providing.


19th March 2018

What is the "right to be forgotten"?

Also known as the “right to erasure”, this allows individuals to request that their personal data be deleted or removed. However, this is not an absolute right, as it can only be exercised in certain circumstances, including if:

  • the personal data is no longer required in relation to the original purpose of its collection;
  • the individual withdraws consent;
  • the personal data was unlawfully processed; or
  • the erasure is in order to comply with legal obligation(s).


12th March 2018

If a breach of the GDPR occurs, what are the data controller/processor’s obligations to notification?

  • All breaches must be notified to the data controller by the data processor without “undue delay after becoming aware” of the breach.
  • The data controller must then notify the supervisory authority (in the UK, this is the Information Commissioner’s Office) without “undue delay” and where possible, within 72 hours of becoming aware of the breach.
    • No notification is required if the breach is unlikely to result in a risk to the rights and freedoms of persons.
  • The data controller must also communicate personal data breaches to data subjects without “undue delay”. The timing, however, depends on which is more vital: the need to mitigate an immediate risk of damage following the breach (requiring prompt communication) or the need to implement appropriate measures to prevent continuing or similar breaches (allowing a delay in communication). The obligation to notify data subjects is exempt in the following circumstances:
    • if the breach is unlikely to result in a risk to the rights and freedoms of the data subject;
    • if appropriate technical and organisational measures were in place at the time of the breach (e.g. encryption); or
    • if the notification would trigger disproportionate efforts.


5th March 2018

Do we need to report all data protection breaches to the supervisory authority (the ICO) under the GDPR?

No. While there is a mandatory obligation to report data protection breaches to the ICO within 72 hours, this only applies if the breach is likely to result in a risk to people’s rights and freedoms. This is already best practice under the Data Protection Act. The threshold depends on the risk the breach poses to the individuals involved.

Please note that some sectors (such as health organisations) have mandatory reporting obligations under other legislation; the comments here relate only to the GDPR requirements.


26th February 2018

Are businesses with fewer than 250 staff exempt from the GDPR?

This is a question that has arisen a few times lately and presumably derives from the fact that there is a limited exemption within the GDPR for SMEs regarding documentation requirements.

Article 30 sets out the requirements for documenting processing activities. However, it states that these do not apply to organisations employing fewer than 250 staff unless their processing activities:

  • are likely to result in a risk to the rights and freedoms of data subjects;
  • are not occasional; or
  • involve the processing of special categories of data or criminal convictions.

It is not entirely clear how much flexibility organisations have here and a Government Working Party is reviewing the scope of this exemption as we speak!

Aside from this exemption, SMEs are expected to comply with the GDPR provisions as normal. With this in mind, SMEs may prefer to adhere to the documentation requirements in any event as a way of clearly evidencing their compliance.


19th February 2018

Do we need to appoint a data protection officer?

Not necessarily. The GDPR makes it mandatory to appoint a data protection officer (“DPO”) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

A group of companies falling into the above may appoint a single DPO. The DPO must report to the highest management level in your organisation (i.e. board level), operate independently and have adequate resources to be able to meet their obligations. The DPO can either be an existing employee (as long as it does not conflict with their professional duties) or an external appointment.

The DPO is responsible for monitoring compliance with the GDPR and other data protection laws, being a first point of contact with supervisory authorities (in the UK the ICO) and individuals whose data is processed (for example employees and customers) and informing and advising the organisation and its employees on their obligations under the GDPR (and other data protection laws).

Even if you are not required to appoint a DPO, you may find it useful to do so. In any event, you need to ensure that your organisation has sufficient staff and skills to meet your obligations under the GDPR.


12th February 2018

Does the GDPR apply only to EU nationals?

No. The GDPR will apply to all data controllers and processors established in the EU. It also applies to some non-EU businesses insofar as they either offer goods or services to data subjects in the EU (irrespective of whether payment is received) or monitor data subjects’ behaviour insofar as that behaviour takes place within the EU. Therefore, even if the individuals are not European, if the organisation is based in the EU and/or processes data in the EU, the GDPR will apply.

5th February 2018

Will the GDPR also apply if the data is pseudonymised, or anonymised?

Pseudonymised data is still considered personal data under the GDPR. The additional information used to pseudonymise it must be kept separate and be subject to technical and organisational measures which ensure that the data cannot be attributed back to the individual it originally related to. Anonymised data, by contrast, is the only type of data that falls outside the GDPR’s scope.

29th January 2018

Will the GDPR apply after Brexit?

The Government has announced that it intends to remain bound by the provisions of the GDPR even after Brexit. With this in mind, the Data Protection Bill is currently working its way through Parliament so that there will be national law reflecting the GDPR (and expanding on this).


22nd January 2018

Is data protection an IT or HR issue?

Data protection, and preparing for the GDPR in general, is more than an issue for a single department. While HR may process a lot of personal data in its day-to-day activities and IT teams will be responsible for the security of data stored online, you will need input from across the business (including IT, HR and Legal) to ensure GDPR compliance.

We recommend that you allocate a team drawn from a wide range of areas of your business to be responsible for preparing for the GDPR. This committee can then allocate the required tasks to ensure all elements are covered.


15th January 2018

Can we rely on consent when the GDPR comes in?

Yes, although your existing consents may need to be updated. Under the GDPR, consent will need to be a clear affirmative action. Pre-ticked boxes will not suffice, and consent forms need to make it clear what may happen to the individual’s data. The consent needs to be set out in clear and plain language. If relying on consent, you must keep a record of it.

In addition, under the GDPR, it must be as easy for an individual to retract their consent as it is to give the consent. We recommend you set out in the consent notices how an individual can retract their consent.

In employment contracts, consent is unlikely to be a legitimate ground for processing, due to the imbalance of power between the parties.

Although consent will be harder to rely on under the GDPR there are various other grounds of lawful processing which you may want to consider, such as processing being required for an organisation’s “legitimate interests” or processing being necessary for an obligation under employment law. Again, such grounds for processing should be documented.
