5 considerations for GDPR implementation
With the General Data Protection Regulation (GDPR) implementation deadline just around the corner, discussion around the various attributes of the new regulation and its key principles has gained increased momentum. As with any legal document, many of the articles and accompanying recitals are open to interpretation, depending on the individual scenario and organisations involved.
Taking a step away from the well-publicised dialogue on best practice and GDPR key principles, we are taking a closer look at some other areas of new and future regulations which may affect your organisation.
1. The scope of legitimate interest
GDPR Article 6(1)(f)
“1. Processing shall be lawful only if and to the extent that at least one of the following applies: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The Information Commissioner’s Office (ICO) itself has labelled processing under legitimate interests as being ‘the most flexible lawful basis for processing’ but warns that it is not carte blanche to process data. The key to the legitimate interest principle is balancing your business needs against the data subject’s rights. As with many other aspects of GDPR, a key requirement is documenting your processes and justification thoroughly, as this could be called upon by the ICO at any time regardless of your business size. A legitimate interest assessment (LIA) will enable you to demonstrate your compliance; in addition, your public-facing privacy statement should detail your processing of data under legitimate interests.
Examples of legitimate interest will vary depending on the situation; however, it may come as a surprise that cold calling, marketing emails and unsolicited non-commercial messages can fall under this lawful processing category. Another important note is that consent is not considered the ultimate basis for lawful processing; rather, all bases are equally valid and can be used as appropriate for the situation.
Other areas in which legitimate interest processing would be valid are fraud or crime detection and cyber security, where additional monitoring and detection protocols are in place to protect individuals, infrastructures and systems from malicious activity.
Another common term used in GDPR supporting documentation is a data subject’s ‘reasonable expectations’ regarding how their data is used. For example, under legitimate interest, it is appropriate to perform additional data analysis to provide some personalised messaging or targeted product suggestions to consumers. As a consumer, it is also reasonable and potentially desirable to receive such communications, especially in existing customer/client relationships. In situations where a data subject has removed processing consent, it is also reasonable to expect some data to be retained on a suppression list to enable the controller to prevent further contact.
If the data controller has determined that there is a legitimate interest to process the personal data, and that the LIA is balanced, then the remaining GDPR principles provide additional safeguards to further protect data subjects. These include being able to easily opt out of any further communication, limiting the storage of data, and the overall security of data.
GDPR isn’t designed to prevent you from running your organisation successfully; however, it does place the data subject and their rights first. Further detail on this principle and what it actually means in practice is available on the ICO website and from the Article 29 Data Protection Working Party, which also recognises that legitimate interest is a broad term. The Data Protection Network is another great resource for further clarification on the finer points of GDPR.
2. Data Protection Impact Analysis (DPIA)
GDPR Article 35(1)
“Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
The term ‘high risk’ can have varying connotations, but under GDPR, it is defined as large-scale processing operations (regional/national level), or when new data processing technology is introduced, such as a new customer relationship management (CRM) tool. Today there are highly sophisticated CRM systems available which involve automated decision-making and profiling technologies. From a marketing and sales perspective, these advances in relationship management have allowed for highly targeted and efficient communications between prospects, customers and organisations. They can also help organisations effectively and securely manage personal data. However, if used incorrectly, these systems can inhibit data subjects from accessing their extended rights, e.g. the right to be forgotten or the right to restrict processing.
It is the responsibility of the data controller to recognise the potential risk to data subject rights and determine measures to mitigate that risk before any processing takes place. If the measures are not deemed adequate to mitigate the risk, the controller can escalate to the ICO for further analysis and advice. This has implications for project scope and planning; however, in a ‘privacy by design’ approach, the assessment would be embedded into the project itself.
3. Registering with the ICO and fee payment
Under the Data Protection Act, every data controller processing personal information is required to register with the ICO with fees varying depending on size and turnover. The good news with GDPR is that this fee is no longer required. The bad news is that rather than being abolished, the fees have been relabelled as a ‘protection fee’ and are chargeable in a tiered payment structure under the Digital Economy Act (2017).
As with the original fee payment, the amount data controllers are required to pay depends on their company size and turnover, with some exemptions available. The Digital Economy Act focuses on the level of risk associated with the type of data processing completed, with top fees reaching £2,900 – a significant increase on the previous £500 maximum fee.
The ICO has created an online self-assessment to help data controllers navigate the new rules, however it is worth checking back regularly for any changes as parts of the new Act are still being reviewed. If you have already paid your registration fee, the new protection fee is only payable after your current registration expires.
It is important to remember any monetary penalties enforced by the ICO are transferred into the Treasury’s Consolidated Fund, rather than being kept to fund operations. As a result, the data protection fee is critical to fund the ICO’s fundamental work in protecting the rights of the public.
You can download the ICO data protection fee guide here.
Additional guidance is also available on the ICO website.
4. The Investigatory Powers Act and GDPR
Understanding the past, current and future security landscape is critical to efficiently protect our wider society. Intelligence gathering and analysis on an international, state and local scale are a critical part of these safeguards. However, finding the balance between citizen rights and surveillance is inevitably a contentious issue.
In 2016, the Investigatory Powers Act (IPA) became UK law, granting UK security services a historic level of power with regard to surveillance, hacking and data collection. So much so that it was ‘unmatched by any other country in western Europe or even the US’ (Ewen MacAskill, The Guardian). The Act was met with significant resistance, and the human rights group Liberty, also known as the National Council for Civil Liberties, launched a crowdfunded legal challenge ‘to the extreme mass surveillance powers’ within the Act.
For those that are familiar with the key principles of GDPR, parts of the Investigatory Powers Act would appear in direct conflict – and the judges agreed.
The High Court recently ruled that parts of the Act are indeed unlawful; most significantly, the retention of citizen data without any defined limit or review by an independent body. This means that under the IPA no evidence of serious crime or malintent is required for the indiscriminate collection and storage of personal data.
With just six months to amend the Act to efficiently balance citizen privacy rights and the need for police and security agents to gather information, and more legal action planned from Liberty, this story will continue to develop.
The full judgment from Lord Justice Singh and Mr Justice Holgate is available to download as a PDF here.
5. New ePrivacy Regulation (ePR)
With all the justifiable noise around GDPR and its impending deadline, it’s easy to forget about other regulations which are getting a makeover in light of the changing way we utilise the internet and share our data. Much like the Data Protection Act of 1998, a lot has changed since 2003 when the Privacy and Electronic Communications Regulations (PECR) was launched.
The PECR governs all electronic communications including marketing calls, emails and texts, and website cookies, to name a few. The ICO has been successful in levying large fines on organisations who have failed to adhere to the rules, including a record fine of £400,000 to a company responsible for 99.5 million nuisance calls.
Designed to complement GDPR, the new ePR was due to launch on the same day as GDPR (the 25th of May). However, it has been delayed as a result of continued negotiations between the EU institutions. Although we have had a two-year transition period to get ready for GDPR, there are still a lot of questions around how GDPR compliance meshes with the ePR proposal.
The additional looming date of the UK’s official exit from the EU, scheduled for the 29th of March 2019, and the fact that the finer details of what the ePR will actually cover are yet to be confirmed, mean that it’s another one to watch closely.
The full details of the new ePR proposal are available here.