
GDPR countdown: what the public sector needs to know

The deadline for compliance with the General Data Protection Regulation is fast approaching. Dan Milnes and Nat Avdiu outline the key steps that local authorities need to take before May 2018.

Just as the Data Protection Act 1998 (DPA) expanded on the 1984 Act, on 25 May 2018 the General Data Protection Regulation (GDPR) will make significant changes which the enabling UK legislation may moderate but will not reverse.

Applying the DPA, the Information Commissioner’s Office (ICO) in the last year alone has taken enforcement action against a number of local authorities. This has included fines for failing to keep personal data secure, for being vulnerable to cyber attacks that resulted in unlawful disclosure, for inadvertently publishing personal data and for leaving sensitive personal data in furniture given to a charity. The ICO has also required undertakings from some local authorities where a failure to provide data protection training to staff resulted in data breaches.

The current state of play in relation to achieving GDPR compliance is also evident in the ICO’s survey of local government. The results show that whilst local authorities have established good practice in many areas, there are also key deficiencies against obligations contained in the GDPR.

Some of the deficiencies identified from 173 responses include:

● 26% do not have a Data Protection Officer (DPO);
● More than 30% do not undertake Privacy Impact Assessments (PIA);
● More than 50% do not follow certain standards such as the Payment Card Industry Data Security Standard;
● Some councils do not have key policies in place such as PIA (56.1%), Data Sharing (37%) and Subject Access (27.7%);
● More than 15% do not have mandatory data protection training for employees who process personal data and 29.6% do not have mandatory refresher training;
● For 53.5% completion of training is not a precondition for accessing a council’s network or systems.

Whilst many local authorities are well on their journey to prepare for GDPR, those that have not begun now have only a limited time in which to ensure that their data processing activities are GDPR compliant. This article lists some of the topics which we are discussing with clients in the public sector in light of the GDPR, the current state of compliance in the public sector and enforcement action by the ICO.

Consent

The 1998 Act allows for two grades of consent: ordinary consent for the processing of personal data, and explicit consent for the processing of sensitive personal data.

Under GDPR consent must always be given by a statement or clear affirmative action, and a request for consent must be clearly distinguishable from other matters. This means organisations cannot simply embed consent within their terms or application form, especially when the consent is for something different from the reason for making the contract or application. Pre-ticked opt-in boxes are no longer permitted.

Records of consent obtained by an organisation need to be retained. This is a requirement under Article 7 of the GDPR, and may be requested by a supervisory authority. Individuals also have the right to withdraw their consent at any time. The GDPR states that ‘it must be as easy to withdraw as it was to give consent’, which will require changes in many websites and other processes.

It is important to check that processes for gaining consent and keeping records are GDPR compliant. If existing DPA consents do not meet the higher standards set out in the GDPR, organisations will need to seek new GDPR-compliant consent, identify a different lawful basis for processing or stop the processing. At the same time, consent is only one way to process in compliance with GDPR. The ICO at its 2017 conference advised that consent should be the last option to consider if valid reasons for processing exist.

DPO requirement

Under the GDPR, there is a requirement to appoint a Data Protection Officer (DPO) where processing is carried out by a public authority or body (other than courts acting in their judicial capacity).

The DPO must be designated, in particular, on the basis of expert knowledge of data protection law and practices.

Article 37 allows the DPO to be an existing employee of the organisation, but this will only be workable if the person has the time and resources to undertake the DPO role properly and no conflict of interest with their other duties.

The tasks a DPO will undertake include informing and advising controllers and processors, monitoring compliance, cooperating with a supervisory authority and being a contact point for any issues. For those local authorities who do not have a DPO, it is important to rectify this as part of preparing for GDPR.

Processor liability

A processor, as defined in the GDPR, means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A controller should only use processors that provide sufficient guarantees of compliance with the GDPR, and the relationship must be governed by a binding written contract.

Processors may only process personal data on the documented instructions of the controller and must make available to the controller all information necessary to demonstrate compliance with these obligations. If a processor infringes the GDPR by determining the purposes and means of processing itself, it is treated as a controller in respect of that processing.

The survey by the ICO showed that at the end of last year over 40% of councils do not explicitly impose security obligations on all of their processors.

Ensuring relevant written agreements are in place will require an understanding of this obligation among key personnel, as well as updating policies and processes.

Legitimate interests

For processing to be lawful under the GDPR, organisations will need to identify and document the lawful basis for processing. Public bodies that currently rely upon the “legitimate interests” condition under the existing DPA (Schedule 2, paragraph 6) to process any personal data will need to revise this procedure.

Under the GDPR, public authorities cannot rely on the legitimate interests pursued by the controller as a lawful basis for processing carried out in the performance of their tasks.

This requires public authorities to identify a different lawful basis for such processing, most often that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Removing this ground for processing, together with the tighter rules on consent, requires a re-examination of why data are collected, used and retained.

Organisations may consider conducting a data audit as part of their preparation for GDPR compliance to ensure that all data that are processed and the lawful basis for processing are identified and this is recorded in accordance with the accountability principle imposed by the GDPR.

Data subject rights

Under GDPR organisations have only one month in which to respond to subject access requests. The GDPR also introduces new data subject rights such as the right to erasure (known as the “right to be forgotten”), the right to restrict or object to processing, data portability and specific obligations in respect of children. Ensuring compliance with these obligations should prompt a review of the procedures and resources in place to handle such requests from May, and in some cases this may require establishing a policy or procedure for the first time. Having a policy in place helps to ensure a uniform approach throughout the organisation, as well as compliance with the GDPR in terms of the accountability principle and respecting and fulfilling individual rights.

Privacy impact assessments (PIAs)

PIAs are currently recommended by the Information Commissioner’s Office (ICO) and will become compulsory under GDPR (as Data Protection Impact Assessments under Article 35) where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.

An effective PIA will allow organisations to identify issues and fix them at an early stage, reduce risk, costs and potential adverse publicity. Public bodies already accustomed to equality and other impact assessments will need to gear up to do PIAs as a routine exercise.

Administrative fines and penalties

Infringements of provisions such as the basic principles for processing and data subjects’ rights are subject to administrative fines of up to €20,000,000 (around £17 million) or 4% of total worldwide annual turnover, whichever is higher. It seems likely the ICO will use the headroom over the current £500,000 maximum and will also employ financial penalties for breaches of new obligations, such as the mandatory reporting of personal data breaches to the ICO within 72 hours where applicable, and the requirement to conduct PIAs.

The ICO has also stressed that there will be no grace period for organisations to comply, and its ability to impose higher penalties should not be ignored. At the same time, the ICO has said that the GDPR should be approached from the wider perspective of respecting citizens’ rights. Indeed, the GDPR requires organisations to be able to demonstrate compliance (the accountability principle), as well as to implement it in all applicable processes, which is a more co-regulatory approach.

Conclusion

The clock is now counting down until the GDPR comes in force. Organisations should already be well under way in preparing for data protection under GDPR and for any that aren’t, it is certainly time to start. Taking a thorough and planned approach to the process will give the best results both in achieving GDPR compliance and achieving improvements on the way.

Dan Milnes is a partner and Head of Commercial and Nat Avdiu a Paralegal in the Contracts and Projects team at Forbes Solicitors.

www.forbessolicitors.co.uk


This article was first published in the February edition of Local Government Lawyer Insight, which can be accessed at http://www.localgovernmentlawyer.co.uk/insight
