General Data Protection Regulation – what the future holds

Zach Thornton, External Affairs Manager, DMA

@DMA_UK #dma


EU Data Protection reform – where are we?

• Dec 2015 Political agreement reached on text

• Apr 2016 Justice and Home Ministers sign off

• Apr 2016 European Parliament signs off

• 25 May 2016 Regulation becomes law

• Oct/Nov 2016 UK issues Art 50 notice to EU

• 25 May 2018 Regulation comes into force

• Oct/Nov 2018 UK ceases to be EU Member State

What kind of UK-EU trade deal?


Will Brexit change anything?

• No

• Any free trade arrangement with EU will require equivalent data protection legislation

• Data protection now a global issue so any free trade agreement with other countries will require equivalent data protection legislation


ICO Referendum result response

• Data Protection Act 1998 remains UK law irrespective of the vote to leave the EU

• UK will want to have access to EU Single Market in goods and services, therefore at minimum would need to have equivalent data protection laws to EU in order for Brussels to grant UK at minimum Adequacy Status under GDPR

• For organisations operating across UK, EU and other countries, international consistency around data protection laws and individual rights is crucial. Need to comply with GDPR

• Organisations operating in UK only – possibility of GDPR lite version only

• ICO will lobby UK government for reform of UK data protection law

• DMA stance same as ICO

• UK DMA will work with FEDMA at European level


Information Commissioner and Minister’s views

• Limit business costs while respecting individuals’ data protection rights

• Implementation of text will be complex and demanding

• Support organisations to make changes

• Powerful driver of good practice in treating consumers well

• Building long term business rather than quick buck

• ICO will deal with rogues and use fining powers proportionately and appropriately

• ICO and Article 29 Working Party (senior representatives from other EU Member States) will issue Guidance Notes – ICO published draft timetable

• New ICO Elizabeth Denham, from Canada, familiar with GDPR; plus ICO will have GDPR change management unit


Albrecht Statement

• "The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European 'yes' to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share".

• "The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition"


Headline proposed changes

• Expanded definitions: “personal data” and “data subject”

• Changes to information requirements

• Right to be forgotten

• Greater emphasis on accountability

• Notification of data security breaches

• More onerous sanctions for breach

• Data processors directly covered


Consent

Consent: Current Position (1995 Directive)

- Freely given, specific, informed indication of the data subject’s wishes

- Explicit consent required for sensitive personal data only

Consent: GDPR Position

- Freely given, specific, informed and unambiguous indication of data subject’s wishes

- Given either by a statement or a clear affirmative action

- Data controller / data subject relationship to be taken into account

- Burden of proof on controller to demonstrate consent


Consent (Recital 32)

• Practical difference between “explicit” and “unambiguous” consent

• Written, including electronic or oral statement

• Includes

  • Ticking a box when visiting an internet website

  • Choosing technical settings

  • By any other statement or conduct which clearly indicates acceptance

• Does not include

  • Silence

  • Pre-ticked boxes

  • Inactivity


Effect of change

• Existing rules for post and telephone remain the same for first and third party marketing

• Email and SMS marketing – rules in Privacy and Electronic Communications Directive remain the same for first party and third party marketing

• NB Changes to information requirements you have to provide individuals

• Remember that if you are outsourcing processing to a bureau, that bureau is not a third party

• Hopefully brands will be able to grandfather existing marketing permissions obtained in compliance with existing law to new GDPR without having to go through a re-permissioning exercise.

• Need to comply with other GDPR provisions, for example information requirements


Legitimate interests of data controller (Recital 47)

• Alternative legal basis for processing personal data

• Direct marketing recognised as a legitimate interest in text of Regulation

• Cannot use it where fundamental rights and freedoms of individuals override rights of organisations

• Need for balancing test

• Provision of unsubscribe/opt-out normally satisfies test

• Cannot use it for processing personal data about children


Information requirements in privacy policies (Articles 13 and 14)

• Name and contact details of data controller

• Used for direct marketing purposes

• Third parties to which information passed on

• Transfers to countries outside Europe

• Length of time for which information is kept

• Data subject’s rights

• Information about profiling


Introduction of new rules on consent/legitimate interests

• Review whether going to use consent or legitimate interests as basis for direct marketing activities

• Do people understand what they are agreeing to? – nation of liars

• Need for clear and transparent information about what direct marketing customers and registered prospects will receive

• How will you demonstrate proof of consent?

• Legitimate interest route – opt-out/unsubscribe must be clear and easy to use

• Preference centre – by brand/channel?


IP addresses and cookies

• Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers” (Article 4(1))

• But IP addresses identify a device not an individual + some IPs are general

• Huge implications for digital marketers

• Web analytics & profiling made much more difficult, if not impossible

• Interaction with new cookie rules problematic


IP addresses and cookies

• Think about how you will deal with the extension of personal data to include location data, IP addresses, cookies, online identifiers

• Pseudonymous/anonymous data – will you be able to take advantage of exceptions?

• Justice and Home Affairs Ministers – pseudonymous data is a subset of personal data

• Amend wording on privacy policies/data collection notices to take account of new rules on profiling.


Profiling (Articles 21 and 22)

• Right to unsubscribe/opt-out from decision based on profiling, which produces legal effects concerning the individual or similarly significantly affects the individual.

The right to unsubscribe/opt-out does not apply if the decision

• a) is necessary for entering into or the performance of a contract between the individual and the data controller – an example of this would be credit-scoring if an individual applied for a new credit card or an increase in their credit limit

• b) is based on the individual’s explicit consent

• c) is authorised under EU or Member State Law – unlikely to apply to direct marketing


Profiling (Articles 21 and 22)

• In the case of a) or c), the individual has the right to ask the organisation

  • for a human to intervene in the profiling,

  • the right for the individual to express their point of view and the right to contest the decision

• Profiling for direct marketing purposes – right to object at any time under general right to object principle

• Need to explain in data collection notice/privacy policy

  • whether or not the organisation uses automated decision making and profiling

  • meaningful information about how the automated decision making/profiling works

  • how the automated decision making/profiling will affect the individual.


Data Breach Notification (Articles 33 and 34)

• Any data security breach to be notified to ICO within 72 hours / without undue delay

• Report to cover:

  • nature of breach

  • number of data subjects

  • categories of data

  • proposed mitigation

• Not always obvious if there has been a breach or how extensive it is

• No need to notify if breach is unlikely to result in risk for rights and freedoms of individuals

• Notification to affected individuals only if breach likely to result in high risk to rights and freedoms of individuals


Data security breach notification

• Introduce breach detection and notification procedures

• Think about how you will notify data protection authorities and affected individuals within the agreed timescale

• Develop/review your data breach response plan

• Guidance needed on high risk


Subject Access Requests (SARs)

• Data subjects to be able to request full information on data held on them free of any charge

• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests

• Costs organisations £50 million p.a. now to meet SARs

• If request made in electronic form can provide response electronically unless individual requests hard copy (Article 15.3)

• Particular problem for financial services with mis-selling issues and claims management firms


The right to erasure (“right to be forgotten”) (Article 17)

• Google Spain case

• Prepare to respond to requests

• Deletion/suppression

• Other legal requirements to keep information e.g. accounting, tax, money-laundering

• Right to erasure only has to be passed on to third parties if technology allows and cost not prohibitive.


Access Rights and Right to Erasure

• New Regulation may lead to increased public awareness of rights e.g., right to request information (Data Subject Access Requests, Right to erasure)

• Plan ahead for increase in queries from clients/public

• Training for client/customer service teams


Processor’s liability (Articles 82 and 83) and other obligations

• Data protection obligations now shared between controllers and processors

• Processors subject to fines where they have not complied with processor obligations under Regulation or have acted outside or contrary to lawful instructions of controller

• Privacy by Design/Privacy by Default

• Appointment of DP officer if processing activities require regular and systematic monitoring of individuals on a large scale or large scale processing of sensitive personal data (Articles 37-39)

  - 2-year appointment

  - Independent reporting to board

  - Information and training

  - Maintenance of documentation

  - Data protection impact reports

• International transfers of data outside EEA – law would apply to any processing of data on EU citizens


Enhanced sanctions (Article 83)

• Up to €10 million or 2 % of annual worldwide turnover for breaches of the obligations of controllers and processors under the Regulation

• Up to €20 m or 4 % of annual worldwide turnover for other compliance failures in respect of

  - basic principles for processing

  - data subjects’ rights

  - transfers to third countries

• Depends on:

  - size of organisation involved

  - nature and gravity of breach

  - whether intentional or negligent

  - technical and organisational measures

  - previous breaches

  - co-operation with ICO


Contact Details

Zach Thornton

External Affairs Manager

DMA

[email protected]