GDPR - Key points for local and central government

Julie Nixon and Melanie Schwindt discuss data protection regulation and offer key recommendations to ensure UK companies are prepared come May next year

The new European General Data Protection Regulation (GDPR) is due to take effect from 25 May 2018. The GDPR will provide individuals with more control over their personal data and will require organisations to process personal data responsibly and transparently. Given that local and central government work with significant volumes of personal data, some of which may be sensitive, GDPR compliance should be a key priority for them.

Here are some key concepts that the GDPR will implement which will have significance for local and central government.

Increased enforcement powers
Under the GDPR, data breaches could result in fines up to four per cent of annual global turnover or €20,000,000, whichever is greater. The ability of the Information Commissioner's Office (ICO) to impose larger fines under the GDPR has already been well documented by the media.

Governmental bodies should review how they process personal data. Data processing covers all interactions with personal data, from obtaining the personal data to using, sharing, securing, holding and ultimately deleting it. As such, data processing procedures should be monitored and reviewed with the aim of minimising the amount of personal data processed and retained. It is worth noting that under the GDPR, data processors - being organisations or individuals contracted to process personal information on behalf of another organisation, e.g. payroll - may also be liable for high fines.

Data protection officer
Where processing of personal data is carried out by a public authority or body (except for courts acting in their judicial capacity) the public authority must designate an individual within its organisation as a data protection officer (DPO).

What constitutes a public authority or body will be determined by national law. Where an organisation is not a public body but it carries out a public task, the EU advisory body on data protection and privacy recommends that the organisation appoints a DPO even though it is not required to do so.

Lawful processing of personal data
As with the current Data Protection Act, organisations will be required to identify the basis upon which they are lawfully processing personal data. The GDPR sets out six conditions for processing personal data including performance of a contract, complying with legal obligations and, specifically for public authorities, processing necessary in the public interest or in the exercise of official authority. Additionally, there are ten conditions for processing sensitive data such as health data.

Consent from the individual is also a valid condition for processing personal data. The GDPR makes it clear that consent can only be relied upon if it is freely given, specific, informed and supported by a clear indication of agreement from the individual whose consent is requested. This is a higher standard than under the current legislation. For example, it will mean that consent would not be valid if acquired for one purpose – email marketing for instance and then used for an entirely different purpose such as selling data to a third party.

Public authorities, in a position of power, are likely to find it more difficult to get valid consent as consent will not be freely given if there is an imbalance in the relationship between the individual and the organisation. In effect, consent to processing should be the ‘last resort’ where there is no other lawful basis for the proposed data processing activities.

Reporting security breaches
A data security breach is any breach of security leading to the accidental or unlawful destruction, alteration or unauthorised disclosure of personal data, whether by a third party or by a person within an organisation. Security breaches can range from external hacking attacks to accidentally addressing an email to the wrong person.

The GDPR requires that all organisations will have to report breaches that are likely to harm individuals to national authorities within 72 hours where feasible. In the UK the ICO is the relevant national authority. If the breach has the potential to result in high risk to the affected individuals, organisations must inform these individuals ‘without undue delay’. Governmental bodies should develop a data breach response plan enabling them to respond quickly in the event of a data breach. This can include a policy of recording all security breaches and completing an assessment of potential risks to the affected individuals in each case.

The GDPR does not set an approved code of conduct or approved certification mechanism that must be complied with regarding security but instead states that organisations must ‘ensure a level of security appropriate to the risk’.

Right to access personal data
Individuals have the right to access their own personal data held by any organisation. This is known as a ‘subject access request’. The rules for dealing with subject access requests will change under the GDPR. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.

Organisations will have just a month to comply from the date of receipt of the request. Where requests are complex or numerous organisations will be able to extend the period of compliance by a further two months. If this is the case the individual must be informed within one month of the receipt of the request and an explanation given as to why the extension is necessary. The organisation must provide a copy of the personal data free of charge and in an accessible electronic format.

There will be different grounds for refusing to comply with a subject access request. Additionally manifestly unfounded or excessive requests can be charged for or refused. The GDPR allows organisations to request that the individual clarifies what specific information the subject access request relates to where large quantities of personal data are relevant, which will be useful for governmental bodies.

Right to be forgotten
In May 2014, the European Court of Justice ruled that search engines such as Google were data processors and that citizens had the right to ask that content referring to them be ‘forgotten’. As such this is one of the new rights granted to individuals under the GDPR which has generated attention. Under the GDPR an individual will have the right to ask an organisation to erase their personal data without undue delay in situations where the individual withdraws consent or no other legal ground for processing applies.

Governmental bodies will need to have clear processes in place to enable them to respond to such ‘right to be forgotten’ requests within a month (extensions may be permitted where the request is complex). It is currently unclear whether organisations may retain limited data to ensure that an individual who has asked to be forgotten is not accidentally contacted again. Guidance on this subject is awaited from the ICO and the EU advisory body.

Privacy by design
‘Privacy by design’ appears as a central concept within the GDPR. It effectively means data protection considerations must be taken into account from the outset of designing a new process, product or service, rather than treating it as an afterthought.

All organisations will be required to perform privacy impact assessments (PIAs) where new projects may result in the processing of personal data that could result in a high risk to data subjects. So a PIA should be considered whenever appropriate such as when a new IT system for storing personal data or a new surveillance system is being put in place. Not all projects will be deemed to pose a risk to the privacy of data subjects. Governmental bodies should first ascertain the need for a PIA when undertaking a new project.

While at first glance the GDPR may seem to impose more burdens on organisations, if an organisation is already compliant with the provisions of the Data Protection Act 1998 (DPA), it should not be onerous to attain compliance under the GDPR. For example, privacy by design and data minimisation are concepts regarded as good practice under the DPA.

Julie Nixon and Melanie Schwindt advise on data protection matters at Scottish law firm Morton Fraser.