Business Services Organisation

Human Resources and Corporate Services

THE GENERAL DATA PROTECTION REGULATIONS (GDPR) OVERVIEW

  1. Introduction

The EU Parliament adopted GDPR on April 14th 2016, coming into force on May 24th 2016, with a 2 year transition period for EU member states. In effect, this means that the existing Data Protection Act (1998) (DPA) will be repealed on May 25th 2018 and BSO will be required to be compliant with GDPR by this date.

This paper is presented to advise BSO of:

  • The key elements of GDPR, including differences with DPA
  • A self-assessment of BSO’s compliance with GDPR
  • A suggested action plan to address gaps in compliance

  2. Key elements of GDPR

GDPR retains the Data Protection Principles, as set out in the Data Protection Act; however, they have been condensed into six as opposed to eight principles (see Appendix 1).

Much of the GDPR is similar to that of the Data Protection Act (1998), but applies the term ‘personal data’ in a much broader sense. All data that can be deemed to identify someone is classed as personal data under GDPR – this will include everything from genetic and economic information to IP addresses and so forth.

GDPR also places a strong emphasis on ‘privacy by design’. ‘Privacy by design’ has been the recommended approach from the ICO for many years and as such is not a new concept; however, GDPR makes this approach mandatory to ensure that the following requirements are in place:

  • Personal information is processed lawfully (Section 2.1)
  • Individuals are adequately informed about what personal information is being used (Section 2.2)
  • Privacy Impact Assessments are carried out where appropriate (Section 2.3)
  • The appointment of a Data Protection Officer (Section 2.4)
  • Personal data breaches are reported to the Information Commissioner (ICO) within a statutory timeframe (Section 2.5)
  • An internal record of the personal data held is maintained by the organisation (Section 2.6)
  • Increased accountability of ‘Data Processors’ (Section 2.7)

GDPR also changes the statutory timeframe for providing a response to requests for personal information. Under DPA this is currently 40 calendar days. GDPR shortens this timeframe to one calendar month.

Fines for non-compliance are also significantly higher within GDPR. This is outlined within Section 2.8.

2.1 Lawful processing of personal data

GDPR places more emphasis on consent, putting data subjects more in control of what data is used and how it is used. Requirements around obtaining ‘consent’ are clearer and more demanding. GDPR places a responsibility on data controllers to evidence and demonstrate that consent is explicit and freely given.

New rights have been introduced which, in certain circumstances, give data subjects:

  • the ‘right to be forgotten’
  • ‘data portability’ (i.e., the transfer of personal data between data controllers)

It is worth noting here that GDPR is not purely consent driven. Consent is not a requirement provided there is one or more other lawful basis for processing. These are defined within Article 6(1) of GDPR:

  • to perform in terms of a contract
  • to comply with a legal obligation
  • to protect a data subject’s vital interests
  • if it is in the public interest
  • if it is in the controller’s legitimate interests

It is BSO’s responsibility to ensure that personal information is processed in line with one or more of these conditions.

2.2 Privacy notices

To ensure that consent is a “freely given, specific, informed and unambiguous indication of the individual’s wishes” under GDPR, the new legislation requires organisations to publish more detailed and easily accessible fair processing (‘privacy’) notices to advise the data subject, at the moment of collection, of:

  • Precisely why the information is required
  • The period for which the data will be stored
  • Their rights

2.3 Privacy Impact Assessments (PIAs)

Under Article 35 of GDPR, PIAs are now mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights of data subjects. It is important that PIAs are conducted on new systems and/or processes before processing of personal data has started.

It should be considered good practice to incorporate PIAs into the standard process for the planning, development, testing and deployment of new systems and processes (whether developed in-house or outsourced). A draft template is provided in Appendix 2[1].

2.4 Statutory appointment of a Data Protection Officer (DPO)

The minimum responsibilities of the DPO are defined in Article 39 of GDPR:

  • To inform and advise the organisation and its employees about their obligations to comply with GDPR
  • To monitor compliance with GDPR
  • To be the first point of contact for the ICO and for data subjects

2.5 Data Breach Reporting

Data controllers must notify data breaches to the ICO within 72 hours of awareness. Failure to notify the ICO may result in significant fines.

In some cases, the data controller must also notify the affected data subjects without undue delay.

2.6 Information Asset Register (IAR)

An IAR is a catalogue of the information processed by an organisation. With GDPR in mind, there is a need to know what personal information is held, how it is processed (as well as the legal basis), who it is shared with and any associated risks, in order to assign a classification and appropriate technical and organisational protection.

2.7 Accountability of Data Processors

Under DPA, only the data controller is held liable for compliance. Regardless of the existence of any data processing agreement between data controller and data processor, controllers remain legally responsible for any breaches caused by the actions of their data processors, and the ICO has no direct enforcement powers against processors.

GDPR places direct statutory obligations on data processors. These obligations mean that data processors may be subject to enforcement, fines and compensation claims by data subjects for breach of GDPR. Under these obligations, processors must:

  • only process on behalf of a controller where a written contract is in place
  • not engage a sub-processor without prior written authorisation of the controller
  • only process personal data in accordance with the instructions of the controller
  • maintain records of data processing activities and make these available to the ICO on request
  • take appropriate security measures and inform controllers of any data breaches
  • in specified circumstances, designate a data protection officer
  • comply with restrictions regarding cross-border transfers

The GDPR also makes data controllers and processors jointly and severally liable for any fines imposed for breaches of the regulation.

There is a need to finalise an HSC wide protocol to cover the responsibilities of BSO and other HSC organisations in regard to who is the Data Controller and who is the processor, or whether in some cases there is Joint Controller status.

2.8 Sanctions

Under DPA, the maximum fine that can be levied is £500,000. Fines under GDPR are significantly greater and are designed to be effective, proportionate, and dissuasive to organisations that breach GDPR.

Fines are divided into 2 tiers:

Tier 1: The ‘lower’ level of fine, up to €10 million or 2% of an organisation’s global annual turnover, will be considered for infringements relating to:

  • Integrating data protection ‘by design and by default’
  • Records of processing activities
  • Cooperation with the ICO
  • Security of processing data
  • Notification of a personal data breach
  • Communication of a personal data breach to the data subject
  • Data Protection Impact Assessment
  • Designation, position or tasks of the Data Protection Officer

Tier 2: The higher level of fine, up to €20 million or 4% of an organisation’s global annual turnover, will be considered for infringements relating to:

  • The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation

  3. Self-Assessment

Corporate Services have conducted a self-assessment based on the toolkit provided via the ICO. While this tentative assessment has noted a number of areas of good practice, a rating of ‘RED: not implemented or planned’ for GDPR has been applied, with a number of suggested actions required. In summary, these actions are:

  • Deliver a general awareness and training campaign across BSO to educate staff on the changes to current legislation
  • Review existing PIAs and implement a plan to introduce a standardised approach to PIAs across BSO
  • Conduct an audit of data processing activities to document personal information held and map data flows
  • Identify lawful basis for processing each type of personal data processed
  • Produce a standardised privacy notice to be updated for each business area within BSO
  • Review systems currently used to record consent and implement appropriate mechanisms to ensure a demonstrable and effective audit trail
  • Ensure procedures for amending / deleting information based on the rights of individuals under GDPR
  • Update the relevant policies / procedures to demonstrate how BSO will handle requests within the new statutory timeframe and outline how any request refusals will be managed
  • Review the current arrangements for reporting personal data breaches, to ensure appropriate mechanisms are in place for reporting to the ICO and, where appropriate, the individual
  • Review existing contracts between BSO and other parties to ensure that responsibilities as data controller / data processor are clearly defined

A suggested outline action plan is set out below.

  4. Action Plan

In addition to the suggested action plan below, Corporate Services will continue to monitor and analyse existing and emerging guidance and best practice from the ICO, Government, Regulatory Bodies and other HSC Organisations.

4.1 Awareness / Training Campaign

BSO already has in place a rolling bi-annual information governance training programme, which is mandatory for all staff to attend.

This training programme should be amended to include:

  • An awareness of the enhanced rights of individuals
  • The requirement to document all information flows
  • The requirement to notify data breaches
  • The requirement to process requests for personal information within the new statutory timeframe of one calendar month

Any new developments (such as policy revision) that arise from GDPR should be made available to all staff via a range of corporate communication including email and desk alerts.

4.2 Privacy Impact Assessments

A standardised procedure for conducting PIAs should be developed. This paper recommends that a PIA should become part of ‘normal business practice’ for all new systems and processes within BSO.

An initial assessment should be conducted to determine the type of information being processed, and any associated risk. For systems and/or processes deemed to be high risk, a more detailed PIA should be conducted to document the risk and the actions taken to mitigate it.

This procedure should be based on the ICO’s ‘Conducting privacy impact assessments code of practice’.

4.3 Audit of data processing activities

BSO maintains a number of information surveys via the ‘Information Governance Management Group’ (IGMG):

  • Information Asset Register
  • Information Flows
  • Records Inventory
  • Bi-Annual Assurance

This is a pivotal process for BSO to provide assurance of how information is managed both internally and externally.

It is, however, acknowledged that the Information Asset Register should be amended to include a set of mandatory questions on the legal basis for processing personal information.

It is also recommended that IGMG continues to ensure that all of the above surveys are kept up to date as a ‘rolling’ exercise.

4.4 Lawful basis for processing

In line with Section 4.3, the existing Information Asset Register should be updated to include the legal basis for processing.

This paper also recommends that the process for recording information assets and information flows is formalised into a documented procedure for approval and implementation by IGMG.

4.5 Privacy Notices

BSO has a number of privacy notices across its business functions. This paper recommends that a standardised template for privacy notices is developed to be used across BSO. The template will include the information considered to be requisite for compliance with GDPR, namely:

  • the identity and the contact details of the data controller
  • the contact details of the data protection officer, where applicable
  • the purposes and legal basis of the processing
  • the recipients or categories of recipients of the personal data
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
  • the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • the right to lodge a complaint with the ICO
  • the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing

4.6 Ensure mechanisms to record consent are in place

BSO must ensure that, where consent has been given, this is recorded in such a way that provides robust assurance of that consent.

4.7 Procedures for amending / deleting information

Where there is a requirement to amend / delete information, this paper recommends that departmental-specific procedures for conducting such actions are documented and relevant staff provided with adequate training. An audit trail of changes / deletions made should be built into any systems.

4.8 Update policies / procedures to demonstrate how BSO will handle requests

This paper recommends that the existing data protection policy and associated procedure for processing information requests is updated to reflect the new statutory timeframe for compliance. Relevant timeframes for acknowledging requests, providing information to Corporate Services and escalation of requests (where appropriate) should be built into this procedure.

It is also proposed that we move to the new timescales for responses in October 2017 to enable a settling in period prior to the legislation being implemented.

4.9 Review the current arrangements for reporting personal data breaches

This paper recommends that the existing procedure for reporting data breaches should be updated to include the new statutory timeframe for compliance.

A dedicated email address has been established to capture all breaches of information governance arrangements. This should be written into a revised procedure along with an awareness campaign to all staff.

It is also proposed that as an organisation we move to the revised timelines in October 2017.

4.10 Review existing contracts between BSO and other parties

In line with Section 2.7, this paper recommends that existing data access agreements between BSO and any third party are reviewed to ensure compliance with GDPR. This is particularly relevant for any contracts / access agreements that are anticipated to extend beyond May 25th 2018, when compliance with GDPR becomes mandatory.

Any agreements that are found to be non-compliant with GDPR will need to be revised.

Any new agreements should be documented in accordance with the requirements of GDPR and at a very minimum should stipulate clear responsibilities between data controller and data processor.

This paper also recommends the consideration of mechanisms to resolve disputes regarding respective liabilities to settle compensation claims, given the new provision allowing for joint liability for data protection breaches.

A summary table of actions is set out below.

| Heading | Action | Timescale |
|---|---|---|
| Training | Incorporate GDPR requirements into existing training. | September 17 |
| Training | Awareness campaign for any new developments. | September 17 – April 18 |
| Privacy Impact Assessments | Develop a standardised (2 tier) procedure to assess all new systems / processes. | October 17 |
| Right to be forgotten | Assessment by Directorate and system of the ability of systems to comply with the right to be forgotten. | October 2017 |
| Audit processing activities | Update information surveys to include mandatory questions on legal basis for processing. | Ongoing and quarterly |
| Audit processing activities | Ensure surveys are up to date. | November 17 |
| Lawful basis for processing | Document the process of creating / updating information assets and flows into the organisation. | November 2017 |
| Privacy Notices | Create a standardised template for rollout across BSO. | December 2017 |
| Recording Consent | Ensure that mechanisms are in place to record how consent has been sought and obtained. | December 2017 |
| Amending / deleting information | Ensure that local (departmental) procedures for amending information are written and made available to relevant staff. | January 2017 |
| Policies / Procedures | Ensure policies and associated procedures are updated to include legal obligations under GDPR. | January 2018 |
| Policies / Procedures | Amend the existing breach reporting procedure to reflect mandatory timescales and assess business impact. | October 2017 |
| Contracts | Existing contracts / data access agreements should be reviewed by the relevant directorate to ensure compliance with GDPR. | January 2018 |
| Provide clarity of relationship between Data Controllers and processors | Finalise protocol of relationships between HSC and BSO. | September 2017 |

Appendix 1

Principles relating to processing of personal data

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Appendix 2