General Data Protection Regulations
By now you will all have heard about the new regulations that come into force next May and replace the Data Protection Act 1998, even if you don’t understand the impact they have on your business. Elizabeth Denham, the Information Commissioner, is so concerned about the misinformation surrounding the GDPR that she and her team have created a series of articles - GDPR Myths - in which she stated:
And I’m worried that the misinformation is in danger of being considered truth.
The ICO have also set up a helpline for small businesses - 0303 123 1113 [option 4] - to help prepare for the incoming regulations and, having spoken to them on a number of occasions, we found they are extremely busy providing advice to businesses concerned about GDPR.
We’ve written this article in the first instance to help our clients understand the changes in the regulations, but we’re sure businesses similar to ours (software development / web development) would benefit from the research we’ve undertaken, as part of our preparations for next May.
The GDPR replaces the Data Protection Act and updates the regulations so that they are relevant to today’s environment (social media platforms, increased threat of cyber-crime, etc) and so in many ways is a good thing, but it does introduce some new elements to the legislation. We’re not solicitors or lawyers, so our observations are provided as a reflection of our own understanding; if you have concerns, you should seek your own legal advice. You can view the regulations at EU General Data Protection Regulation (EU-GDPR) and we’ll refer to this throughout this article.
Where to start?
I’m not going to simply repeat information available on the ICO’s website, but if you want a starting point, try the Registration self-assessment, which will take you five minutes and help determine if you need to register your business; from there, have a look at Preparing for the GDPR (12 steps).
GDPR provides and reinforces a number of principles, and particular note should be taken of Article 7 (Conditions for consent) and Article 8 (Conditions applicable to child's consent in relation to information society services).
The new regulations state that the data controller must be “able to demonstrate that the data subject has consented to processing of his or her personal data” and consent must be an opt-in option. That means no more terms and conditions and newsletter subscriptions automatically ticked, although one would hope you’ve all stopped that a while ago!
Consent must be clearly sought and granular in its presentation, so you can no longer simply include one or more clauses in your terms and conditions.
Children are defined as under 16 years of age, and consent is required from the person who has parental responsibility, although member states can introduce local laws that reduce this down to the age of 13, so if you provide services used throughout the European Union or further afield you will need to ensure you are aware of specific local laws.
Much has been made of the new rights individuals have, including the right to erasure (the right to be forgotten), and businesses will certainly need to have a thorough understanding of when and where individuals can request this and what can or cannot be retained. As a business you are allowed to retain personal details when there is a valid reason for doing so; for instance, if you have sold goods to an individual and might need to contact them in order to recall a product.
The right to portability, whilst not new – in concept at least – suggests businesses will have to provide “a structured, commonly used and machine-readable format” that as yet we are unable to substantiate. This will be critical for Client Relationship Management (CRM) systems and will affect anyone using personal data for newsletters and other marketing activities.
Data controllers and data processors
This is an important element of the new legislation and one area that we have spent a significant amount of time trying to get to grips with!
Firstly, let’s understand the two terms:
- Data controller “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
- Data processor “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
So, for all our clients they’ll fall within the definition of data controller and data processor, but there are situations where we could fall within the definition of the data processor; for example, where we were to provide a service that handles personal data to deliver a marketing campaign. This example is perhaps oversimplistic and the regulations are ambiguous when determining who the data processor is.
What is important is that the data controller is held liable for data protection compliance, not the processor. Any data processing must be covered by a written contract and carried out in line with the data controller’s instructions and subject to appropriate security measures. Whilst some data controllers may try and pass on responsibility for data processing via a data processing agreement (or contract), they remain legally responsible for any breaches. The ICO have no direct enforcement powers against data processors.
The new legislation represents a significant change and will dramatically increase the risk for website designers, developers, data centres and cloud-based solution providers. It is therefore even more critical for both client and provider to negotiate data processing agreements, so that the increased costs of compliance are reflected in the costs and the data controller’s instructions are clear, ensuring the increased risks are allocated fairly between both parties.
Data protection by design
Whilst Ayrmer Software has been developing systems that protect the underlying data and functionality for several years now, the new legislation is designed to ensure all systems are designed by default to protect data. This is a positive step, but could have a massive impact on new systems, as well as on the ongoing costs of supporting legacy systems.
Penetration testing will almost certainly become a de facto requirement for any system holding or processing personal data, and the increased costs of monitoring systems will inevitably increase the cost of ownership.
The data controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Data protection impact assessment
Data Protection Impact Assessments (DPIAs) become mandatory in certain circumstances:
- where a new technology is being deployed;
- where a profiling operation is likely to significantly affect individuals; or
- where there is processing on a large scale of the special categories of data.
This will obviously impact our clients when implementing new solutions that hold personal data (covered under the new regulations) and we’ll be issuing new / updated terms and conditions to cover this aspect, as well as data protection by design, to ensure we have agreement between both parties.
Notification of a personal data breach to the supervisory authority
An area that has been much discussed in the media is the notification of a personal data breach. Data controllers and processors must notify the ICO within 72 hours of becoming aware of any such breach. There have been a number of high-profile data breaches that would have potentially fallen foul of this new legislation, perhaps most notably TalkTalk and Equifax (to name but two).
We’ve reviewed our internal policies and procedures and will be issuing all of our clients revised terms and conditions, but clients will need to implement their own measures, and we have concerns that for many of our smaller clients this will represent an onerous task that they will not prioritise in time for the new regulations. The danger is that clients don’t engage with us and don’t negotiate new data processing agreements. Whilst we’ll provide clients with updated terms and conditions, without their active participation, agreements will potentially be unfair.
For website designers and developers – especially freelancers – the danger of not understanding the increased responsibilities (especially where they provide a service that falls within data processing) could be potentially damaging.
EU General Data Protection Regulation (EU-GDPR)
Getting ready for the GDPR
Privacy notices, transparency and control
Preparing for the General Data Protection Regulation
Data protection reform
GDPR: Data Controller v Data Processor