It's been five months since GDPR became enforceable. The 25 May deadline has come and gone, but organisations must continue to focus on their data protection obligations - the Information Commissioner has referred to this as an ongoing compliance journey.
Part of that is not just keeping up with the ongoing actions to comply, but awareness of, and applying, the regulatory guidance changes still emerging. With data protection headline news each week, whether it be fines, lobbying for US data protection laws or other concerns around data use, now is a great time to uplift your compliance approach.
The Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, provided guidance and support to businesses and individuals in the run up to the GDPR deadline, and has continued to do so. This guidance has largely been amalgamated into the ICO's 'Guide to the General Data Protection Regulation' (the ICO Guide). It also refers to the European Data Protection Board's guidance (the organisation replacing the Article 29 Working Party).
Further eagerly awaited guidance has been introduced since 25 May, and many parts of the guidance that were previously limited in scope have been expanded upon. Key additions and changes to the ICO Guide over the past five months include:
What is personal data?
A more comprehensive and in-depth analysis of what actually constitutes personal data has been added. The guidance outlines techniques and considerations organisations may employ in order to assist them with identifying whether the information they process is in fact personal data for the purposes of the GDPR.
In addition to the overview found in the ICO Guide, the ICO has also produced a separate, detailed publication which provides more specific guidance, considerations and practical examples.
Key takeaway: having a good understanding of what is personal data (and what is not) is vital to compliance.
The ICO Guide now includes individual sections on each of the GDPR's core data protection principles (Article 5 GDPR), namely: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
The new sections include guidance and practical examples which explain what these principles mean, as well as their correct and incorrect application. Checklists are given as a quick point of reference to clearly outline key considerations organisations may need to take when implementing measures to ensure adherence to the principles above.
Key takeaway: note that if you currently rely on consent for processing, you cannot usually swap this for another legal basis of processing. If consent is withdrawn, you must stop processing the personal data. Consider carefully then if consent really is the right basis for processing.
The previous section covering international transfers of personal data has been significantly expanded. The ICO Guide now includes: a list of questions organisations should ask themselves to check whether they are able to make a restricted transfer; specific guidance on when a restricted transfer may be permitted, such as where the transfer is covered by appropriate safeguards or a relevant exception; and supplementary practical examples.
Key takeaway: with Brexit approaching, understanding and documenting your international transfers has never been more important.
Information regarding exemptions has also been expanded and the ICO Guide now includes guidance on the exemptions found in Schedules 2-4 of the Data Protection Act 2018 (DPA 2018). Article 23 GDPR allows member states to introduce exemptions and derogations to the GDPR (which are found in the DPA 2018 in the UK).
Exemptions found solely within the GDPR are dealt with elsewhere in the guide where they relate to particular provisions.
Key takeaway: familiarise yourself with the exemptions from the rights of access, the right to be informed (e.g. privacy notices) and disclosures.
Data Protection Fee
As we've previously raised in our articles, a data protection fee now applies to many organisations in the UK - further information on the new fee regime and the introduction of the Data Protection (Charges and Information) Regulations 2018 is provided by the ICO.
Key takeaway: check your registration and whether/when you need to register/renew.
Right of erasure as applicable to backups
The ICO's updated guidance emphasises the need to ensure erasure from backup systems as well as live systems (provided the data subject's request is valid and no exemption applies). Where erasure of backup data is delayed, it is important to put the data 'beyond use' in the meantime.
Several areas of uncertainty have now been clarified in the ICO Guide following the introduction of the DPA 2018 at the same time as the GDPR, such as:
- exemptions found in the DPA 2018;
- that in the UK, only children aged 13 and over are able to provide their own consent; and
- confirming that "public authorities" are covered by certain provisions, and that "public bodies" are expressly included as well.
The ICO has also finalised its detailed guidance on children and the GDPR.
What to do now
The additions made will certainly assist organisations in fulfilling their data protection duties; however, more comprehensive guidelines in other areas would be welcome and are expected.
It is important that organisations familiarise themselves with the guidance published since 25 May (and keep reviewing developments in future) in order to improve their understanding of the GDPR and ensure compliance with their data protection obligations. You can find more of our commentary and services to assist you at www.shoosmiths.co.uk/data