The New EU Data Governance Act

On 17th May 2022, The Council of the European Union adopted the Data Governance Act (DGA) or Regulation on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (2020/0340 (COD) to give its full title. The Act aims to boost data sharing in the EU allowing companies to have access to more data to develop new products and services. 

The DGA will achieve its aims through measures designed to increase trust in relation to data sharing, creating new rules on the neutrality of data marketplaces and facilitating the reuse of public sector data. The European Commission says in its Questions and Answers document

The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges“.

Application

The DGA will increase the amount of data available for re-use within the EU by allowing public sector data to be used for purposes different than the ones for which it was originally collected. The Act will also create sector-specific data spaces to enable the sharing of data within a specific sector e.g. transport, health, energy or agriculture.

Data is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording” that is held by public sector bodies and which is not subject to the Open Data Directive but is subject to the rights of others. Examples include data generated by GPS and healthcare data, which if put to productive use, could contribute to improving the quality of services. The Commission estimates that the Act could increase the economic value of data by up to €11 billion by 2028.

Each EU Member State will be required to establish a supervisory authority to act as a single information point providing assistance to governments. They will also be required to establish a register of available public sector data. The European Data Innovation Board (see later) will have oversight responsibilities and maintain a central register of available DGA Data. 

On first reading the DGA seems similar to The Re-use of Public Sector Information Regulations 2015 which implemented Directive 2013/37/EU. The aim of the latter was to remove obstacles that stood in the way of re-using public sector information. However the DGA goes much further. 

Data Intermediary Services 

The European Commission believes that, in order to encourage individuals to allow their data to be shared, they should trust the process by which such data is handled. To this end, the DGA creates data sharing service providers known as “data intermediaries”, which will handle the sharing of data by individuals, public bodies and private companies. The idea is to provide an alternative to the existing major tech platforms.

To uphold trust in data intermediaries, the DGA puts in place several protective measures. Firstly, intermediaries will have to notify public authorities of their intention to provide data-sharing services. Secondly, they will have to commit to the protection of sensitive and confidential data. Finally, the DGA imposes strict requirements to ensure the intermediaries’ neutrality. These providers will have to distinguish their data sharing services from other commercial operations and are prohibited from using the shared data for any other purposes. 

Data Altruism

The DGA encourages data altruism. This where data subjects (or holders of non-personal data) consent to their data being used for the benefit of society e.g. scientific research purposes or improving public services. Organisations who participate in these activities will be entered into a register held by the relevant Member State’s supervisory authority. In order to share data for these purposes, a data altruism consent form will be used to obtain data subjects’ consent.

The DGA will also create a European Data Innovation Board. Its missions would be to oversee the data sharing service providers (the data intermediaries) and provide advice on best practices for data sharing.

The UK

Brexit means that the DGA will not apply in the UK, although it clearly may affect UK businesses doing business in the EU. It remains to be seen whether the UK will take similar approach although it notable that UK proposals for amending GDPR include “amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.”

The DGA will shortly be published in the Official Journal of the European Union and enter into force 20 days after publication. The new rules will apply 15 months thereafter. To further encourage data sharing, on 23 February 2022 the European Commission proposed a Data Act that is currently being worked on.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.

Act Now Announces New EU GDPR Practitioner Certificate 

Act Now is pleased to announce the launch of its new EU GDPR Practitioner Certificate course.

This new course is specially designed for Data Protection Officers and privacy practitioners, based in the EU and internationally, whose role involves advising on the EU GDPR and associated privacy legislation. The content of the course has been developed after analysing all the knowledge, practical skills and competencies required for the EU DPO to successfully navigate the European data protection landscape. 

This course builds on Act Now’s very popular UK GDPR Practitioner certificate course which has been attended by hundreds of DPOs throughout the UK and abroad since its launch in 2017.  Our teaching style is based on practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Personal tutor support throughout the course will ensure the best opportunity for success. Delegates will also receive a comprehensive set of course materials, including our very popular EU GDPR Handbook (RRP £34.99), as well as access to our online Resource Lab, which includes over 20 hours of videos on key aspects of the syllabus.

The EU GDPR Practitioner Certificate course takes place over four days (one day per week) and involves workshops, case studies and exercises. This is followed by a written assessment. Delegates are then required to complete a practical project (in their own time) to achieve the certificate. Whether delivered online or in the classroom, delegates will receive all the fantastic features of the course specifically tailored for each learning environment. 

The EU GDPR Practitioner Certificate course builds on Act Now’s track record for delivering innovative and high quality practical training for information governance professionals:

The course director for the EU GDPR Practitioner Certificate, Ibrahim Hasan, says:

“We have looked at every aspect of this course to ensure it equips EU Data Protection Officers with the knowledge and skills they need to implement the EU GDPR in a practical way. Because of its emphasis on practical skills, and the success of our UK GDPR Practitioner certificate course, we are confident that this course will become the qualification of choice for current and future EU Data Protection Officers.”

New US-EU Data Transfer Announcement: Time to celebrate?

On 25th March 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. The final agreement will replace the Privacy Shield Framework as a mechanism for lawfully transferring personal data from the EEA to the US in compliance with Article 44 of the GDPR. As for UK/US data transfers and compliance with the UK GDPR is concerned, it is expected that the UK Government will strike a similar deal once the EU/US one is finalised.

The need for a “Privacy Shield 2.0” arose two years ago, following the judgment of the European Court of Justice (ECJ) in “Schrems II” which stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. They must consider using the Article 49 derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment  about the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

Despite the Schrems II judgment, many organisations have continued to transfer personal data to the US hoping that regulators will wait for a new deal before enforcing Article 44.  Whilst the UK Information Commissioner’s Office (ICO) seems to still have a “wait and see” approach, others have started to enforce. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR due to the data being transferred to the US without appropriate safeguards. This followed a similar decision by Austrian Data Protection Authority in January. 

Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, which one does not involve a transfer of personal data to the US? At present use of such services usually involves a complicated TRA and execution of standard contractual clauses. In the UK, a new international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a TRA as well as supplementary measures where privacy risks are identified. 

Has the Trans-Atlantic Data Privacy Framework saved DPOs hours of work? But before you break open the bubbly, it is important to understand that this is just an agreement in principle. The parties will now need to draft legal documents to reflect the agreed principles. This will take at least a few months and will then have to be reviewed by the European Data Protection Board (EDPB) adding more time. And of course there is the strong possibility of a legal challenge especially if the ECJ’s concerns about US surveillance laws are not addressed. Max Schrems said in a statement:

We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.” 

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

What should organisations do in the meantime? Our view is, if you have any choice in the matter, stick to personal data transfers to adequate countries i.e. those which have been deemed adequate by the UK/EU under Article 45. This will save a lot of time and head scratching conducting TRAs and executing SCCs. Where a US/non-adequate country transfer is unavoidable, a suitable transfer mechanisms has to be used as per Article 45. Of course for genuine one-off transfers the provisions of Article 49 derogations are worth considering. 

Only 2 places left on our Advanced Certificate in GDPR Practice course starting in April. We have also just announced three new GDPR workshops for experienced practitioners.

International Transfers under the UK GDPR: What next?

In August, the Information Commissioner’s Office (ICO) launched a public consultation on its much anticipated draft guidance for international transfers of personal data and associated transfer tools. The aim of the consultation is to explore how to address the realities of the UK’s post Brexit data protection regime.

Chapter 5 of the UK GDPR mirrors the international transfer arrangements of the EU GDPR. There is a general prohibition on organisations transferring personal data to a country outside the UK, unless they ensure that data subjects’ rights are protected. This means that, if there is no adequacy decision in respect of the receiving country, one of the safeguards set out in Article 46 of the UK GDPR must be built into the arrangement. These include standard contractual clauses (SCCs) and binding corporate rules. The former need to be included in a contract between the parties (data exporter and importer) and impose certain data protection obligations on both.

The Current Transfer Regime

Until recently, many UK organisations were using the EU’s approved SCCs with a few ICO suggested amendments to fit the UK context. This was despite the fact that they needed updating in the light of the binding judgment of the European Court of Justice(ECJ) in a case commonly known as “Schrems II”. 

In this case the ECJ concluded that organisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework. They must now consider using the Article 49 derogations or SCCs. If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the SCCs. 

In the light of the above, the new EU SCCs were published in June. The European Data Protection Board has also published its guidance on the aforementioned required assessment entitled “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”.

The Proposed UK Transfer Regime

Following Brexit, the UK is no longer part of the EU. Consequently, the UK has to develop its own international data transfer regime, including SCCs. The ICO is consulting on new guidance as well as a series of proposed international data transfer materials including:

A Transfer Risk Assessment (TRA) – Equivalent to the European Transfer Impact Assessment, this is designed to assist organisations to conduct risk assessments of their international personal data transfers, following the requirements set out in Schrems. The TRA is not mandatory, as organisations are also free to use their own methods to assess risk but does indicate the ICO’s expectations.

An International Data Transfer Agreement – Equivalent to the European SCCs, this a contract that organisations can use when transferring data to countries not covered by adequacy decisions.

The Addendum – This is designed to be used alongside the European Commission SCCs, to allow them to be used to safeguard a transfer under the UK GDPR, instead of the IDTA. It makes limited amendments to the EU SCCs to make them work in a UK context. 

The deadline for responses to the consultation is 5.00pm on Thursday 7th October 2021. The ICO will then review the responses before issuing  the finalised materials (on a date yet to be announced).  Whatever the result of the consultation, organisations need to consider now which of their international data transfers will be affected and what resources will be required to implement the new regime. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop and international transfers webinar.

Our next online GDPR Practitioner Certificate course start in October. We also have a classroom course starting in November in Manchester. 

The Brexit Trade Deal: Implications for Data Protection and International Transfers

cytonn-photography-n95VMLxqM2I-unsplash

December 2020 Update: This post was originally titled “Brexit, Trade Deals and GDPR: What happens next?’ and published in September 2020. It was updated on 26th December 2020.


So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

Internation Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes. 

The Schrems II Judgement

activity board game connection desk
Photo by CQF-Avocat on Pexels.com

On 16th July 2020 the Court of Justice of the European Union (CJEU) delivered the landmark judgment in Case C‑311/18 Data Protection Commissioner v Facebook Ireland Ltd., and Maximillian Schrems, also known as “Schrems II”. This case will have a seismic impact on the transfer of personal data outside the European Economic Area (EEA) under GDPR.

It would be quite easy to dismiss the importance of this case. For starters, it involves a social media Data Controller. Secondly it was decided under the  ‘old’ 1995 Data Protection Directive rather than the General Data Protection Regulation (GDPR) 2016. Thirdly it is a ruling of the CJEU, that may be thought to have no relevance post 31 December when the Brexit Transition Period ends and the UK GDPR comes into force.

Firstly some basic observations:

  1. The case is not just about Facebook. It concerns international transfers of personal data between organisations in the EEA and third countries, particularly the USA. Many public authorities do this too. For example, universities may share personal data of staff and students who teach or study abroad. Some NHS Trusts, using clinical devices sourced from the US, may transfer diagnostic and monitoring data back to the States.
  2. Although the litigation started when the 1995 Data Protection Directive was in force, the CJEU makes it clear that the questions it had to consider must be answered in the light of the GDPR rather than the Directive.
  3. The end of the Brexit Transition Period, on 31st December 2020, does nothing to invalidate the decision of the CJEU in this case. The UK GDPR contains the same provisions about international transfers as GDPR.

The International Transfer Regime

To understand the judgment, it is worth recalling how the GDPR regulates the transfers of personal data from organisations within the EEA to those outside it. GDPR Article 44 lays down the general principles. Essentially, international transfers can only take place if they comply with the provisions of Articles 45-48 of GDPR. For the purpose of this blog the important provisions are Articles 45, 46 and 49.

Under GDPR Article 45, the European Commission can make a decision that a third country affords an adequate level of protection for personal data. To date 13 countries are the subject of an adequacy decision. The USA is on the list provided the company or organisation to whom personal data is transferred has signed up to the Privacy Shield Framework. The Commission adopted the EU-US Privacy Shield Decision following the CJEU’s decision in “Schrems 1” (Case-362/14) which ruled that its predecessor, the “Safe Harbour Decision” (2000/520/EEC) was invalid.

In the absence of an adequacy decision, a Data Controller (and Data Processor) can only  make an international transfer if they have in place “appropriate safeguards”. These include the use of standard contractual clauses which have been adopted by the European Commission. The Commission issued the Standard Contract Clauses (SCC) Decision in 2010 which was amended in 2016.

Where a Data Controller is transferring personal data to a third country that is not covered by an adequacy decision and appropriate safeguards are not in place, then it may still be able to make the transfer, if the transfer is covered by one of the “derogations” listed in Article 49. These include (but are not limited to) where the data subject has explicitly consented to the transfer; the transfer is necessary for important reasons of public interest; or where the transfer is necessary for the performance of a contract between the data subject and the controller.  For example, a local authority organising a visit to its twin city in China, may rely on the consent of the councillors and officers before transferring their personal details to the Chinese organisers.

Where none of the derogations apply then a transfer may only take place where it is not repetitive, concerns only a limited number of data subjects and is necessary for purposes of compelling legitimate interests of the Data Controller, which are not overridden by the interests or rights of the data subject. In addition to these hurdles the Data Controller must assess all the circumstances of the transfer and put suitable data protection safeguards in place. The European Data Protection Board (EDPB) has issued guidelines about the Article 49 derogations.

The Judgement

Max Schrems, an Austrian national, is a well-known campaigner against Facebook and its data processing activities.  In 2013 he complained to the Irish Data Protection Commissioner requesting her to prohibit Facebook Ireland (a subsidiary of Facebook Inc, in the USA) from transferring his personal data to the USA. That complaint resulted in the Irish High Court referring the case to the CJEU, which ruled in “Shrems 1” that the EU-US Safe Harbour arrangement was invalid.

In 2015 Mr Schrems reformulated his complaint to the Irish Commissioner claiming that under US law, Facebook Inc was required to make the personal data (that had been transferred to it from Facebook Ireland) available to certain US law enforcement bodies and that this personal data was used in the context of various monitoring programmes in a way that violated his privacy.  He also argued that US law did not provide EU citizens with legal remedies and so the transfers was not lawful under GDPR. Facebook Ireland argued that the transfer complied with the SCC Decision (i.e. they had standard EU clauses in place) and that was sufficient to make the transfers lawful. At the time, the EU-US Privacy Shield had not been adopted.

The Irish Commissioner agreed with Mr Schrems but she asked the High Court to refer various questions to the CJEU for a “preliminary ruling” on the validity of the SCC Decision. Although the case was primarily about the SCC Decision, the Court considered it had the right to consider the validity of the Privacy Shield Framework too.

The judgment is an extremely important one for both private and public sector organisations despite the fact that reading it is a bit like wading through treacle! Here are the key points:

  1. The CJEU declared that the EU-US Privacy Shield Decision (Decision 2016/1250) was invalid in its entirety and so the Privacy Shield Framework for transferring data to the US could not be used. The Court held that any communication of personal data with a third party (such as the relevant security organisations in the US) was an interference with fundamental privacy rights which was neither lawful nor proportionate. The relevant US legislation did not provide any limits on the powers of US authorities to process the personal data for surveillance purposes. It also decided that the availability of a Privacy Shield Ombudsperson was not sufficient to guarantee that data subjects in the EU had a right to an effective legal remedy as required by GDPR.
  2. The Court confirmed that the use of standard contractual clauses for international transfers was still lawful. Organisations can continue to incorporate these into the contractual arrangements with third country recipients. However,  the point about standard contract clauses is that they are inherently contractual in nature and therefore only bind the parties to the contract. They cannot bind the public authorities, including law enforcement agencies, in third countries. The clauses may require, depending on the situation in the country concerned, the adoption of further supplementary measures to ensure compliance with the level of protection required by the GDPR.
  3. The Court was clear that the responsibility in paragraph 2 above lies with Data Controllers in the EU and the recipient of the personal data to satisfy themselves, on a case by case basis, that the legislation of the third country enables the recipient to comply with the standard data protection clauses before transferring personal data to that third country. If they are not able to guarantee the necessary protection, they or the competent supervisory authority (in the UK the Information Commissioner’s Office) must suspend or end the transfer of personal data.
  4. If a country, like the USA, has legislation in place that obliges recipients to share personal data with public authorities, then Data Controllers must assess, on a case by case basis, whether that mandatory requirement doesn’t go beyond what is necessary in a democratic society to safeguard national security, defence and public security.

What next?

Organisations, including those in the public sector, that transfer personal data to the US can no longer rely on the Privacy Shield Framework. They must now consider using the Article 49 derogations  or the standard contractual clauses. If using the latter, whether for transfers to the US or other countries, the onus is on the Data Controllers to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the clauses.  At time of writing it is not clear how to make this assessment and what additional measures will be needed. The European Data Protection Board (EDPB) has announced it will be looking into this.

The ICO has posted a general statement to the effect that organisations that are currently using the Privacy Shield should continue to do so until further notice. It seems likely that they will  grant a grace period during which organisations  can implement alternative transfer mechanisms.

In our next webinar, The Schrems 2 Judgement: Implications for the Public Sector, we will cut through the legal jargon to explain the decision and its implications specifically for the public sector.

 

The Data Protection Bill: It’s not what you think it is!

canstockphoto16666262

Yesterday the DCMS published the long awaited Data Protection Bill 2017. Accompanying the 203 pages of the Bill there are 112 pages of explanatory notes, a 4-page factsheet and a 5-page impact assessment. With detailed cross referencing to the provisions of the General Data Protection Regulation (GDPR), this Bill is a gift to purveyors of highlighters and sticky notes!

The Bill has many aims (see below). It does not though, contrary to popular belief, incorporate the GDPR into UK law. GDPR is a Regulation and so directly applicable when it comes into force on 25th May 2018. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit the GDPR will still be the law because of the provisions of the European Union (Withdrawal) Bill (previously the Great Repeal Bill.) Paragraph 6 of the explanatory notes confirms this:

“While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.”

So why do we need a Data Protection Bill? Section 1 explains:

To fill in some of the gaps in GDPR – what are known as “derogations”; where Members states are allowed to make their own rules. The Bill mirrors the Government’s Statement of Intent which was published a few weeks ago. Amongst many other things, we are now clearer on the minimum age at which a child can consent to certain types of data processing, the definition of a public authority/public body, new offences, rules on automated decision making and exemptions (including for research and freedom of expression in the media.)

To make provision for a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Article 2(2)) including the processing of unstructured, manual data held by an FOI public authority.

To implement Directive (EU) 2016/680 (the Law Enforcement Directive) on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Unlike the GDPR, the Law Enforcement Directive is not directly applicable EU law; accordingly Part 3 of the Bill, amongst other things, transposes the provisions of the Directive into UK law.

To make provision for the processing of personal data by the Intelligence Services

To make provisions about the role of the Information Commissioner

To make provisions for the enforcement of data protection legislation

The second reading of the Bill will be on 10th October. Its passage through Parliament can be tracked here.

Want to know more? Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate courses are filling up fast.

We also offer a GDPR health check service.

GDPR and the Data Protection Bill: Myths and Misunderstandings

Man Reading Book and Sitting on Bookshelf in Library

On Monday, the Government published a Statement of Intent about the forthcoming Data Protection Bill. The idea behind the Bill is to fill in some of the gaps in the General Data Protection Regulation (GDPR), which will come into force on 25th May 2018. The full text of the Bill is likely to be published in September.

The Bill follows a consultation exercise run by the DCMS earlier this year calling for views on implementation of the “derogations” under GDPR. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. Notable derogations, amongst others, include the minimum age at which a child can consent to data processing, when data about criminal convictions and offences can be processed and exemptions (including for freedom of expression in the media.)

That’s the real background to Monday’s statement. But this did not stop the media from peddling myths and misunderstandings. Upon reading the headlines, a layman or woman would get the impression that:

The Bill gives people new rights (No it does not, the GDPR does.)

The Bill is designed to sign European privacy rules into British law

(GDPR is a Regulation and so directly applicable. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit it will still be applicable because of the provisions of the Great Repeal Bill (More here.))

The BBC even reported that “the new law was drafted by Digital Minister, Matt Hancock.” Yesterday the story was changed to state that it was “drafted under Digital Minister, Matt Hancock.” (I have asked them about this.)

Then again the media is not entirely at fault. The Government’s statement is drafted (or spun) in such a way as to give the impression that GDPR is all their idea rather than the EU’s. Mr. Hancock, in his foreword, even suggests that the Bill is part of the Government’s grand Brexit plan (if there is a plan!):

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.”

All this myth peddling has led to some official myth bashing too. (See the ICO’s latest blog post.)

So what have we actually learnt about the Government’s GDPR intentions? Much of the statement explains the provisions of the GDPR or states the obvious. For example that the Data Protection Act 1998 (DPA) will be repealed. As if there was any choice!

The DCMS has today published (HT Bainsey1969 and the Open Rights Group) a list of derogation in the Bill and there proposed stance (Read here). The following stand out:

  • Children and Consent – The UK will legislate to allow a child aged 13 years or older to consent to their personal data being processed (rather than 16 which is GDPR’s default position).
  • Exemptions – The GDPR allows the UK to introduce exemptions from the transparency obligations and individuals’ rights. The Government will make the same exemptions available under GDPR as currently under the Data Protection Act (see S.29-35 and schedule 7 of the DPA).
  • New Offences – The Bill will create a number of new criminal offences:

Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data

Altering records with intent to prevent disclosure following a Subject Access Request (just like under S.77 of FOI)

Retaining data against the wishes of the Data Controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)

  • Journalism – There will be a journalistic exemption in GDPR similar to S.32 of the DPA (balancing data protection rights with journalistic freedoms). The Information Commissioner’s Office (ICO) will have wider powers to take enforcement action in media cases.
  • Automated Decisions – There will be an exemption from the general rules in GDPR about automated decision making and profiling where such processing is in the legitimate interests of the Data Controller.
  • Research – There will be exemptions to the general rules in GDPR about Data Subjects’ rights. Research organisations and archiving services will not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with Data Subjects’ rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.

Data Controllers should not wait for the Data Protection Bill to be published before starting their GDPR preparations. There is so much to do now:

  1. Raise awareness about GDPR at all levels. (Check out our full day workshop and our GDPR poster).
  2. Consider whether you need a Data Protection Officer and if so who is going to do the job.
  3. Review compliance with the existing law as well as the six new DP Principles.
  4. Review how you address records management and information risk in your organisation.
  5. Revise your privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
  6. Review your information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  7. Write polices and procedures to deal with new and revised Data Subject rights including Data Portability and Subject Access.
  8. Consider when you will need to do a Data Protection Impact Assessment

STOP PRESS – the Bill has now been published.  Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service.

Data Protection Impact Assessments under GDPR

CJgbrkzUwAAJSZA

The General Data Protection Regulation (GDPR) will come into force in about 10 months. There is plenty to learn and do before then including:

  1. Raising awareness about GDPR at all levels
  2. Reviewing how you address records management and information risk in your organisation.
  3. Reviewing compliance with the existing law as well as the six new DP Principles.
  4. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
  5. Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  6. Writing polices and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  7. Considering whether you need a Data Protection Officer and if so who is going to do the job.
    As well as:
  8. Considering when you will need to do a Data Protection Impact Assessment (DPIA).

Article 35 of GDPR introduces this concept. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

DPIAs are important tools for accountability, as they help Data Controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance (see Article 24)4.)

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
  • large scale processing of special categories of data or personal data relating to criminal convictions or offences.
  • large scale, systematic monitoring of public areas (CCTV).

So what other cases will involve “high risk” processing that may require a DPIA? In May, the Article 29 Working Party published its data protection impact assessment guidelines for comments. We are still waiting for the final version but I don’t think its is going to change much. It sets out the criteria for assessing whether processing is high risk. This includes processing involving:

  1. Evaluation or scoring, including profiling and predicting especially from aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
  2. Automated decision-making with legal or similar significant effects
  3. Systematic monitoring of individuals
  4. Sensitive data
  5. Personal Data on a large scale
  6. Datasets that have been matched or combined
  7. Data concerning vulnerable Data Subjects
  8. Innovative use or application of technological or organisational solutions
  9. Data transfers across borders outside the European Union
  10. Data that Prevents Data Subjects from exercising a right or using a service or a contract

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA (Article 35(7), and Recitals 84 and 90):

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project.

The ICO’s Code of Practice on Privacy Impact Assessments will assist as well as the Irish Data Protection Commissioner’s Guidance.

When should a DPIA be conducted?

DPIA’s should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Design approach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

More about Data Protection Impact Assesments in our forthcoming webinar.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service in which we can come carry out an audit and help you prepare and fill any weaknesses.

 

Image credits: https://privacy.org.nz/blog/toolkit-helps-assess-your-privacy-impact/

 

GDPR is here to stay but what happens next?

It’s official. The General Data Protection Regulation (GDPR) is here to stay; well beyond April 2019 when the UK is likely to finally leave the European Union.

On 24th October 2016, the Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Writing on her blog the Information Commissioner (Elizabeth Denham) welcomed this announcement. However it is technically incorrect for her to say:

“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”keep-calm-and-prepare-for-the-gdpr

As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.

This announcement does though put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU. Although last month’s announcement of the Great Repeal Bill meant that yesterday’s announcement was not a big surprise.

GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:

  1. Raising awareness of GDPR at all levels within the organisation (See our GDPR poster).
  2. Reviewing compliance with the existing law as well as the six new DP Principles.
  3. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  4. Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.
  5. Reviewing information security polices and procedures in the light of the GDPR’s security obligations particularly breach notification.

Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.

The ICO will be publishing a revised timeline setting out what areas of guidance it will be prioritising over the next six months. Elisabeth Denham ends her blog with these wise words:

“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”

Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised workshops as well as to carry out GDPR health checks and audits. 

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

%d bloggers like this: