The General Data Protection Regulation (GDPR) aims to modernise data protection, but many businesses may be concerned over the amount of work that appears to be required in order to be GDPR-ready.
Being prepared for the GDPR, and the new laws in Jersey and Guernsey (which are due to come into force in May 2018), is vital. However, there is also time to ensure the work is completed in a measured and informed way.
Our dedicated team is available to steer you through the process. We will be doing so in three ways:
- Updates: sending out regular factsheets to track the progress of the GDPR and the new laws and to highlight some of the key areas businesses should be looking at. If you would like us to extend these updates to any of your colleagues, please ask them to send an email request to Laura Preston;
- Training: We are aiming to host a seminar on the GDPR in the Autumn, by which time the new laws should be out for consultation so we will be able to speak about the new provisions in more detail. Watch this space for our seminar date. We can also provide bespoke training to your business so that the new measures can be discussed with your business needs in mind;
- Advice: Ultimately, the impact of the GDPR is likely to vary greatly from business to business, depending on the nature of your work and the jurisdictions you operate in. Our team is available to provide tailored advice to assist your business in ensuring your policies, procedures and third party contracts are ready to meet the requirements of the GDPR.
Bookmark this page and read our updates for further news, or contact one of our GDPR specialists.
Our team can:
- Provide GDPR legal advice.
- Assist in the review of current policies and procedures to help identify gaps or areas where common problems may arise and where work is likely to be needed as a result of the GDPR.
- Provide tailored in-house training specific to the aspects of the GDPR that are most relevant to your business.
- Review and draft relevant contracts and policy documents.
- Review and draft privacy notices.
Guide to GDPR
Read our series of practical guides to getting ready for the GDPR. We will regularly publish new issues that will help you systematically prepare.
Issue 1. Are you compliant with the current law?
The first step to becoming GDPR compliant is to ensure that your business meets the requirements set out in current law. Our team can advise you on all your current data protection obligations and help you to review whether or not you meet these. You should consider three critical actions at this stage:
1. Conduct a data protection audit and map out where there are gaps:
- review all your data protection policies and ensure that you are complying with them; and
- prepare a spreadsheet of all the personal data you hold, noting all the relevant information to identify any gaps in your data-processing activities.
2. Set out a clear action plan detailing how you will bridge those gaps: identify the key people and stakeholders (both internal and external) needed to help you achieve compliance.
3. Put a timetable together so that you can monitor your actions and progress.
Issue 2. Consent
Consent remains one of the legal bases that may be relied on to process the personal data of data subjects. There are, however, some key changes to be aware of under the GDPR.
The GDPR confirms the need for "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing".
This means that organisations will not be able to rely on silence or pre-ticked boxes to constitute consent, and will bear the burden of proving that consent has been validly obtained. Appropriate records to provide evidence of such consent will also be absolutely essential.
The GDPR confirms that consent will not be the appropriate legal basis where there is inequality between data subject and controller or where the individual has no real free choice in giving consent. In addition, as it will be easier for data subjects to withdraw their consent, where organisations currently rely on such consent to process the personal data, they will be well advised to consider whether there is a more appropriate legal basis in the circumstances.
- Consider whether or not the consent you have in place complies with the GDPR. If not, you will need to seek consent again/rely on a different legal basis.
- Review how consent is sought and recorded and ensure that you have records of consent and that they are easily accessible.
- Ensure that your consent clauses within documents, such as employment contracts, are reviewed.
- Consider whether you process the personal data of children, and if so you will need to obtain parental consent to continue to do so.
Issue 3. Subject Access Requests (SARs)
Under the GDPR, data subjects will have extended rights in respect of the personal data you hold about them and, in the main, subject access requests will have to be complied with within one month of the request, subject to a two-month extension where, for example, the request is particularly complex.
In these situations, it will be up to the controller to inform the data subjects of any such extension and the reasons for it within one month of the request.
Such requests will also have to be complied with free of charge unless they are manifestly unfounded, excessive or repetitive in which case you may charge a reasonable fee or refuse to act on the request altogether.
Remember that the burden of proving that the requests are manifestly unfounded, excessive or repetitive will rest on you. The curtailment of the right to charge a fee will not make a huge difference in practice (the current fee of £10 rarely covers the actual costs involved in complying with such requests). However, as the current time limit for responding to subject access requests is 40 days in Jersey and 60 days in Guernsey, the reduced time period for compliance may well be harder to adapt to.
- Ensure that you have processes in place to deal with subject access requests.
- Delegate responsibility for dealing with such requests.
- Draft appropriate policies and provide appropriate training so that staff know what to do in the case of such requests.
- Consider conducting a cost/benefit analysis for providing data subjects' online access to their information.
Issue 4. Data Breaches
While it is currently regarded as best practice to report personal data breaches to the Data Protection/Information Commissioner (the Commissioner), there is no legal requirement to do so under Guernsey/Jersey law. This is, however, all set to change, with the introduction of the GDPR.
The definition of a personal data breach is wide and will include the accidental or unlawful destruction, alteration and loss of personal data.
Organisations will be required to notify the Commissioner of a personal data breach without undue delay and in any case within 72 hours of having become aware of a breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. The relevant individuals may also need to be informed of the breach but only where the potential risk to their rights and freedoms is high.
To enable the Commissioner to check that organisations are complying with their notification duties, personal data breaches will need to be documented, noting down the facts of the incident, its effects and any remedial action taken.
1. Ensure that you have processes in place to deal with personal data breaches.
2. Delegate responsibility for dealing with personal data breaches.
3. Provide staff with training so that they understand how to detect personal data breaches, who to report them to and when to do it (ASAP!).
4. Ensure that you keep appropriate records of any data breaches.
Issue 5. Fines etc.
One of the most controversial aspects of the GDPR for the Channel Islands, if not the most controversial, is the introduction of fines for infringements. The Commissioner does not currently have the power to issue fines. However, the GDPR introduces a two-tiered system of fines with a maximum penalty of the higher of €20 million or 4% of the total worldwide annual turnover for the most serious breaches.
In addition, individuals who suffer damage as a result of processing in breach of the GDPR may be entitled to compensation. Whilst compensation is a potential recourse under the current legislation, this may be sought only from the data controller. The GDPR makes clear that both the data controller and data processor will be held liable for the entire damage caused and are only exempt from liability if they can show that they are not in any way responsible for the damage. Further, should judicial proceedings be initiated, the GDPR clarifies that compensation may be apportioned in accordance with local law.
Member States must also lay down other "effective, proportionate and dissuasive" penalties for infringements not caught by the administrative fines detailed above and we expect that Guernsey and Jersey will follow suit.
1. Undertake an audit to assess where the biggest data protection risks lie and take steps to protect the relevant data and mitigate those risks.
2. Ensure that you have policies and training in place to avoid breaches as far as possible.
3. Ensure that you have appropriate contracts with data processors to ensure compliance with the GDPR.
Issue 6. Data Protection Officers (DPOs)
Unlike our current data protection law, the GDPR explicitly requires both controllers and processors to appoint a DPO in three cases:
(a) Where the processing is carried out by a public authority;
(b) Where there is large scale, regular and systematic monitoring of data subjects; and
(c) Where there is large scale processing of special categories of personal data or data relating to criminal convictions.
Member States may provide further cases in which a DPO is required and Guernsey/Jersey may do the same.
DPOs may be current members of staff and groups of companies may appoint a single DPO as long as he/she is easily accessible from each establishment.
The DPO must also have expert knowledge of data protection law and be able to fulfil the tasks required of him/her, including monitoring compliance with the GDPR and cooperating with the relevant supervisory authority.
DPOs shall be independent in the performance of their tasks and must report to the highest management level. They must also not be dismissed or penalised for performing their roles.
1. Consider whether a DPO is necessary for your organisation or whether you simply need a GDPR point of contact.
2. Consider whether you have current employees who have the skills or can be trained to take on the DPO role.
3. Ensure that you set up appropriate reporting lines.
Issue 7. Data Processors
The GDPR defines a "processor" as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, and the "controller" as the person, authority, agency, etc., which determines the purposes and means of processing such data. Unlike our current law, the GDPR will apply to both processors and controllers, meaning that processors may be liable for breaches of the GDPR. To ensure compliance with the GDPR, controllers will only be able to use processors which provide sufficient guarantees to comply with the GDPR.
Controllers will still be required to appoint processors on the basis of a contract, however, there are significant new provisions which will need to be included. The contract will need to, among other things, state that the processor shall only process personal data on the documented instructions of the controller; include appropriate confidentiality provisions; state that the processor shall delete or return all the personal data to the controller at the end of the provision of services (as decided by the controller); and make available to the controller all necessary information to demonstrate compliance with the GDPR.
Where a processor becomes aware of a personal data breach, they will also need to notify the controller without undue delay (and remember from issue 4 that controllers only have 72 hours to notify the Commissioner from when they become aware of a breach). Adequate procedures will thus be essential to ensure they are able to do this.
1. Update contracts between processors and controllers to ensure that they contain the new requirements of the GDPR;
2. Ensure that processors are able to comply with the requirements of the GDPR;
3. Ensure there are adequate procedures in place for processors to detect and inform controllers of data breaches as soon as possible.
Draft Data Protection (Bailiwick of Guernsey) Law, 2017 released
The eagerly-awaited draft Data Protection (Bailiwick of Guernsey) Law, 2017 (the Draft) has now been released. The law once finalised will be a watershed moment for data protection across the Bailiwick, and will repeal and replace the existing Data Protection (Bailiwick of Guernsey) Law, 2001.
Headline points include:
• Fines of up to £300,000 or up to 10% of global annual turnover or global gross income for the three preceding financial years (whichever is higher) to a limit of £10 million, against processors and controllers of personal data who breach the data protection principles. These principles require the data to be processed:
• lawfully, fairly and transparently;
• in accordance with specified, explicit and legitimate purposes;
• only to the minimum extent necessary;
• accurately, securely and accountably; and
• stored only so long as necessary.
• Fines of up to £5 million for failing to comply with other data protection requirements covering, for example, anonymisation and the giving of consent on behalf of children accessing social media.
A separate law enforcement ordinance will be prepared to implement equivalent EU provisions. This is one to watch as an indicator of the States' approach to enforcement, particularly in the early stages of the law's implementation.
The Draft is of course subject to change as it makes its way through the States' legislative processes. However, the significant penalties are likely to remain, to ensure equivalence with the EU's General Data Protection Regulation. Given the likely effective date of May 2018, organisations should use the Draft as a working document and stay close to any changes in the finalised version.
Further work is being undertaken on the draft Jersey legislation. The legislation is expected to be lodged on 5 December 2017 with the matter being debated before the States in mid-January.
Issue 8. Data protection by design and default
A key reform under GDPR is 'Data protection by design and default'. This is an expectation that proper protection of data is built into information-handling infrastructure from the outset and on an ongoing basis. For large organisations, protection of data ideally will be treated as a work-stream in managed projects, alongside (for example) Legal, Remuneration, Communications, etc. For the management of individual cases, or for smaller/less well-resourced organisations, it will mean remaining alive to data protection issues throughout an initiative.
An interesting element of this part of the Regulation is the requirement that by default, processing of data should only happen where 'necessary'. Other than consent (which must be able to be withdrawn without detriment) all of the lawful bases for processing data require that the processing be 'necessary' to be legitimate. Incidental or accidental and unnecessary 'hoarding' of data is therefore to be avoided.
This has two notable consequences:
- Alongside a requirement for clarity and care as to why and how data are processed, disposal of data no longer needed will be a key expectation.
- Consent is unlikely to be the 'cure-all' under GDPR that it has sometimes been seen as under existing data protection law.
1. Consider what projects or initiatives are in your organisation's pipeline. Is protection of data being built into any project plan? How will you demonstrate this if challenged?
2. Consider who is responsible for data control and processing. Confirm the steps that they are taking to ensure data protection by design/default. Are they putting this issue before the organisation's project leaders?
3. Consider how you will handle ongoing protection of data, including disposal. What governance mechanisms do you have in place? Will you institute (for example) an annual 'spring clean' of data no longer needed? Who is responsible for this and to whom are they accountable? How will you document this?