The Information Commissioner has described it as a “game changer for everyone”. So it probably hasn’t escaped your notice that a new, European wide data protection law is on its way. The General Data Protection Regulation 2016 (“GDPR”) will automatically apply in all EU Member States (without the need for national implementing legislation) from 25th May 2018. From this date, the Data Protection Directive 1995 (“DPD”) will be repealed, as will Member State legislation passed to implement the DPD (in the UK this is the Data Protection Act 1998 (“DPA”)).
The UK will still be a member of the EU on this date and even following Brexit the indications from the Information Commissioner and the Government are that GDPR or a similar data protection regime will be here to stay.
The GDPR will introduce a number of significant changes to EU data protection law. It will affect most businesses and other organisations in the UK that process (e.g. collect, record, use or disclose) data relating to an identified or identifiable natural person (“personal data”), whether this is simply because they process personal data relating to their employees or because they process personal data as part of their core business activities.
In this article, we take a look at some of the key changes that are likely to affect businesses in the life sciences sector.
The definition of personal data will be expanded
Personal data will include pseudonymised personal data (e.g. data that has been encrypted to conceal the identity of the data subject) and online identifiers (e.g. IP addresses);
Consequently, more data will be subject to the rules set out in the GDPR. The definition of “sensitive personal data” will be expanded to include genetic data and biometric data;
Businesses that process genetic data and biometric data will need to comply with the extra protections that apply to the processing of sensitive personal data;
In particular, this change will mean that businesses that currently rely on consent to process this type of personal data, will need to “upgrade” that consent to explicit consent.
Even if a business isn’t processing sensitive personal data, obtaining valid consent to processing will be more difficult
This will only affect businesses which rely on consent as the legal basis for processing personal data;
Under the GDPR, as well as being informed, specific and freely given, consent will need to be unambiguous;
This means that positive action will be required by data subjects in order to demonstrate consent. Pre-ticked boxes, silence and inactivity will not constitute valid consent.
The GDPR also sets out detailed information on the other conditions that must be satisfied in order for consent to be valid. As a result of these changes, existing consents may no longer be valid and may need to be renewed. Alternatively, businesses may need to consider relying upon other legal grounds to legitimise their data processing activities.
Businesses that continue to process personal data on the basis of data subject consent will also need to be able to prove that valid consent was obtained (so evidence of consent will need to be retained), and individuals must be able to withdraw consent at any time.
There will be increased requirements for transparency
The data protection principles will include a new requirement for transparency;
This will mean that businesses will need to be completely upfront about their data processing activities when dealing with data subjects, particularly when obtaining consent to processing;
Businesses will also need to “beef up” their privacy notices to include additional information specified in the GDPR;
In addition, there will be an emphasis on information being, amongst other things, easy to understand, accessible and concise.
Businesses will no longer need to register details of their personal data processing with the Information Commissioner’s Office (“ICO”). However, they will need to keep detailed records and be able demonstrate actual compliance with the GDPR/data protection principles.
The GDPR sets out in detail what the records must include:
Compiling the necessary records is likely to mean that businesses will need to undertake a detailed review of their personal data processing activities;
There will be an exemption to the record keeping requirement for businesses employing less than 250 employees in certain circumstances;
In relation to the requirement that businesses are able to demonstrate compliance, the GDPR makes provision for the introduction of Codes of Conduct and Approved Certification.
There will be changes which will give greater freedom to organisations which carry out processing for archiving purposes in the public interest, scientific and historical research purposes and statistical purposes:
Businesses that process personal data for any of these purposes may be able to benefit from certain extended processing rights under the GDPR.
Data subjects will have better rights
In particular, data subjects will:
Be able to request more information and (generally) receive a copy of their data for free. Under the DPA, data subjects must pay £10 for a copy of their data the ability to request a fee is removed under the GDPR;
Have new and stronger rights to require businesses to erase their personal data;
Have new and stronger rights to object to and stop businesses processing their personal data.
Data subjects will also continue to have rights not to be the subject of decisions made solely on the basis of automated processing. This will include decisions made on the basis of profiling.
Businesses will need to ensure that they have both the technical ability and internal procedures in place to comply with these new rights.
The general security requirements are “padded out”. For example, businesses must take into account certain factors when assessing security, including the possibility of encryption.
Businesses will need to regularly review the appropriateness of their security measures;
New data processing systems will need to be designed, from the outset, to comply with all elements of the GDPR (“data protection by design”);
Also, by default, businesses will need to subject personal data to the highest security settings (“data protection by default”);
Businesses that are considering undertaking any “high risk” processing, may need to carry out a data privacy impact assessment (“PIA”) and liaise with the ICO before commencing such processing. Guidance will be issued by the ICO as to what kinds of processing will require a PIA.
Data protection officers (“DPOs”)
Businesses involved in certain types of personal data processing specified in the GDPR will need to appoint a DPO. This requirement will significantly increase baseline compliance costs for some businesses. The GDPR sets out detailed provisions relating to the appointment of DPOs and their tasks and responsibilities.
Data Breach Reporting
Data breaches will need to be reported to the ICO without undue delay and, in any event, within 72 hours. Data breaches will also need to be reported to data subjects in certain circumstances. There are currently no such mandatory reporting requirements under the DPA.
Businesses will need to ensure that their systems enable them to quickly detect data breaches and that they have a suitable internal response plan for dealing with data breaches in accordance with the requirements of the GDPR.
The fines will be much higher
Businesses will need to consider the procedural requirements and obligations imposed by the GDPR in the light of the substantial fines that can be imposed for non-compliance.
The GDPR provides for two tiers of fines. Under the higher tier, fines of up to €20,000,000 or 4% of global turnover, whichever is higher, can be imposed. Currently under the DPA, the maximum fine that can be imposed is £500,000.
Businesses should, in particular, review the legal basis on which they process personal data, as processing without a legitimate reason can incur the highest level of fines under the GDPR.
If you process data on behalf of other businesses (i.e. you are a “data processor”), specific statutory obligations and liabilities will apply to you.
Data processors are not currently subject to any statutory obligations or liabilities under the DPA. The obligations imposed on processors by the GDPR will include obligations to keep records, implement appropriate security measures, report data breaches to controllers and appoint DPOs. Processors will be subject to the same sanctions regime (including fines) as controllers. They may also be sued for compensation by data subjects if they breach their obligations under the GDPR or act outside the controller’s instructions
More controllers and processors, including controllers and processors established outside the EU, will be caught.
The GDPR will apply to:
The activities of controllers and processors established in the EU (whether or not the data processing takes place in the EU);
Controllers and processors established outside the EU where such controllers or processors (i) offer goods or services to EU data subjects; or (ii) monitor the online behaviour of EU data subjects;
Non EU controllers and processors will generally be required to designate a representative in the EU to act as their point of contact.
When to start?
It’s best to start preparing for the GDPR straightaway, as many of the changes will call for a major rethink as to how data protection compliance is achieved.
Ensuring compliance by design and default;
Implementing a new system of regular self-assessment coupled with record keeping; and
Ensuring compliance with the heightened obligations relating to consent and transparency.
The new rights bestowed on data subjects will also mean that businesses will need to review their existing processes and systems and consider what changes will be necessary to meet their increased obligations under the GDPR.
All of this will take time – and it is likely to be those businesses that leave their preparations to the last minute that will run into difficulties.
Where to start?
The most important thing you can do right now is to ensure that key personnel within your organisation (e.g. your HR team, your technical people, your marketing team) understand the changes that the GDPR will introduce, so that they can start evaluating exactly how the GDPR will affect your business. Once this has been done, we would recommend that you put a detailed compliance plan in place to ensure that you are ready for the new law by May 2018.
Further Information & Legal Advice
If you would like any further information about the GDPR and how it might affect your business please download our Geldards Guide or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact Geldards’ Information Law Team.