Local Government Lawyer Insight, February 2018

consents do not meet the higher standards set out in the GDPR, organisations will need to seek new GDPR-compliant consent, identify a different lawful basis for processing or stop the processing. At the same time, consent is only one way to process in compliance with the GDPR. The ICO at its 2017 conference advised that consent should be the last option to consider if valid reasons for processing exist.

DPO requirement

Under the GDPR, there is a requirement to appoint a Data Protection Officer (DPO) if the processing of data is carried out by a public authority or body. The DPO must be designated, in particular, on the basis of expert knowledge of data protection law and practices. Article 37 suggests a DPO can be an employee already within an organisation, but this will only be workable if the person has the time and resources to undertake the DPO role properly. The tasks a DPO will undertake include informing and advising controllers and processors, monitoring compliance, cooperating with a supervisory authority and being a contact point for any issues. For those local authorities who do not have a DPO, it is important to rectify this as part of preparing for the GDPR.

Processor liability

A processor, as defined in the GDPR, means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A controller should only use processors that guarantee compliance with the GDPR, and this must be shown in a binding agreement in writing. Processors are only able to carry out the processing of personal data on the documented instructions of the controller and must make available to the controller all information necessary to demonstrate compliance with these obligations. If a processor infringes any of its duties by determining the purposes and means of processing, the processor could become a controller in respect of that processing.

The survey by the ICO showed that at the end of last year over 40% of councils did not explicitly impose security obligations on all of their processors. Ensuring relevant written agreements are in place will require an understanding of this obligation among key personnel, as well as updating policies and processes.

Legitimate interests

For processing to be lawful under the GDPR, organisations will need to identify and document the lawful basis for processing. Public bodies that currently rely upon the “legitimate interests” condition under the existing DPA (Schedule 2, paragraph 6) to process any personal data will need to revise this procedure. Under the GDPR, public authorities are unable to process an individual’s personal data for the purposes of legitimate interests pursued by the controller. This requires public authorities to search for and identify a different lawful basis for processing personal data. Removing this ground for processing and tightening up the rules on consent requires a re-examination of why data are collected, used and retained. Organisations may consider conducting a data audit as part of their preparation for GDPR compliance, to ensure that all data that are processed and the lawful basis for processing are identified and recorded in accordance with the accountability principle imposed by the GDPR.

Data subject rights

Under the GDPR, organisations have only one month to respond to subject access requests. The GDPR also introduces new data subject rights such as the right to erasure (known as the “right to be forgotten”), requests to stop processing, data portability and specific obligations in respect of children. Ensuring compliance with these obligations should prompt a review of the procedures and resources in place to handle such requests from May, and in some cases this may require establishing a policy or procedure for the first time.

Having a policy in place can have benefits in ensuring a uniform approach throughout the organisation, as well as compliance with the GDPR in terms of the accountability principle and respecting and fulfilling individual rights.

Privacy impact assessments (PIAs)

PIAs are currently recommended by the Information Commissioner’s Office (ICO) and will become compulsory under the GDPR when a change in processing or new processing could affect data subjects. An effective PIA will allow organisations to identify issues and fix them at an early stage, and to reduce risk, costs and potential adverse publicity. Public bodies already accustomed to equality and other impact assessments will need to gear up to do PIAs as a routine exercise.

Administrative fines and penalties

Infringements of provisions such as the basic principles for processing and data subjects’ rights are subject to administrative fines of up to £17,000,000, or 4% of total worldwide annual turnover. It seems likely the ICO will use the headroom over the current £500,000 maximum and also employ financial penalties against breaches of new obligations such as mandatory self-reporting of data breaches where applicable and conducting PIAs. The ICO has also stressed that there will be no grace period given to organisations to comply.

The ability of the ICO to impose higher penalties should not be ignored. The ICO has said that the GDPR should be approached from the wider perspective of respecting citizens’ rights. Indeed, the GDPR requires organisations to demonstrate compliance with the GDPR (the accountability principle), as well as implementing it in all applicable processes, which is a more co-regulatory approach.

Conclusion

The clock is now counting down until the GDPR comes into force. Organisations should already be well under way in preparing for data protection under the GDPR and, for any that aren’t, it is certainly time to start.

Taking a thorough and planned approach to the process will give the best results, both in achieving GDPR compliance and in achieving improvements along the way.

Dan Milnes is a partner and Head of Commercial, and Nat Avdiu a Paralegal in the Contracts and Projects team, at Forbes Solicitors.