members evening - data protection

Ten things you need to know about the Data Protection Regulation. Presentation to MRS Members Evening, 10th February 2016. Dr Michelle Goddard, Director of Policy & Standards.

Upload: mrs

Post on 11-Apr-2017


Page 1: Members evening - data protection

Ten things you need to know about the Data Protection Regulation

Presentation to MRS Members Evening

10th February 2016

Dr Michelle Goddard, Director of Policy & Standards

Page 2: Members evening - data protection


Topics for tonight

Why is it important? What do you need to know?

How should you prepare?

Page 3: Members evening - data protection


Why this matters!

Page 4: Members evening - data protection

It’s been a long road to get here ….

2012

• European Commission GDPR proposals tabled

2014

• European Parliament adopted a first reading

2015

• Council of the EU agreed a general approach after trialogues

Dec 2015

• Informal Agreement reached on Compromise Text


From Directive to Regulation

Page 5: Members evening - data protection

… but the end is in sight

June 2018: Enforcement of GDPR begins

May to June 2016: GDPR enters into force in the UK

April 2016: Publication of Approved Text in Official Journal

February 2016: Translation of GDPR Compromise Text


Page 6: Members evening - data protection


Ten Things

1. Applies a harmonised regime directly in all Member States
2. Widens scope and application of data
3. Places liability on both data processors and controllers
4. Requires greater business accountability
5. Enhances individuals' rights
6. Maintains exemption for research
7. Introduces notification of data breaches
8. Mandates appointment of Data Protection Officers
9. Raises standards for cross border transfers
10. Increases fines and strengthens the enforcement regime

Page 7: Members evening - data protection


1. Directly applicable and harmonised

• From Directive to Regulation: no need for national implementation

• Built-in consistency mechanisms such as the European Data Protection Board and the One-Stop Shop for enforcement

• … but over 50 areas for national carve-outs and modifications in Union and Member State law

• … and will this affect the ICO's enforcement approach?

Page 8: Members evening - data protection


2. Much wider scope and application

• Expanded categories of personal data (including online identifiers); special categories, i.e. sensitive personal data, now include biometric and genetic data

• New explicit category of pseudonymised data as a security measure, but an art not a science

• Extra-territorial scope: applies to activities of controllers and processors within and outside the EU processing data of EU citizens, so consider appointment of a representative

Page 9: Members evening - data protection


3. Significant culture and risk shift for data processors

Data Controller

• Determines purposes and manner in which personal data is collected/used e.g. client companies

• New mandatory contract terms inc security measures, right of audit of DP, sub-processor approvals

• Liability still includes full range of enforcement action and liability for breach of contract

Joint Data Controller

• Determines (with other DC) purposes and manner in which personal data is collected/used e.g. research suppliers

• New mandatory contract terms inc security measures, right of audit of DP etc, and how data subjects can exercise rights and who provides information

• Liability still includes full range of enforcement action and liability for breach of contract

Data Processor

• Processes data on behalf of others, e.g. any other suppliers working on research data such as transcription, processing, coding, analysing, translation

• New mandatory contract terms inc seek approval of DC for appointment of sub-processor and data transfer out of EEA

• Direct liability now includes full range of enforcement action in addition to liability for breach of contract

Page 10: Members evening - data protection


4. Requires greater business accountability

Reduction of administrative burdens, e.g. no notifications to ICO, but … accountability and transparency requirements to:

• entrench privacy by design and default

• maintain good records, inc privacy policies/notices and detailed internal documentation on processing activities

• undertake privacy impact assessments for riskier or large scale activities

• implement technical and security measures

Some exemptions for SMEs but less useful for researchers

Page 11: Members evening - data protection


5. Enhances rights of individuals

Individual right and status under the GDPR:

• Right to data portability: New

• Right to erasure: New

• Right to restrict processing*: New but limited impact

• Right of access to data*: Strengthened – includes retention period and possibly free and within 30 days

• Right to information in notices: Strengthened – clearer and greater detail

• Right to object to different types of processing (including profiling and marketing)*: Strengthened – burden now on controller to demonstrate compelling grounds

• Right not to be evaluated on basis of automated processing: Equivalent provision

• Right to rectification (of inaccurate data)*: Equivalent provision

Obligation on DC to notify third parties for rectification, erasure or restriction. Need to promote these rights to individuals.

Page 12: Members evening - data protection


6. Maintains an exemption for research

EFAMRO/ESOMAR gains from EU advocacy/lobbying include

Broad definition of research:

Scientific research purposes should be interpreted in a broad manner

Statistical research purposes include statistical surveys and their results may be used for other purposes

Research is a compatible purpose for further processing

Segmentation is not considered as profiling under the GDPR

Research exemption available to Member States

Page 13: Members evening - data protection


Grounds for processing research data under GDPR

Research exemption

Legitimate Interests

Consent… but remember obligations under MRS Code of Conduct

Page 14: Members evening - data protection


7. Personal data breaches must be notified

When? Without undue delay or within 72 hours

To whom? Controllers, supervisory authorities and/or individuals affected

Why? Likelihood of risk/high risk to individuals, but not if unlikely to cause harm, e.g. encrypted data breaches

Page 15: Members evening - data protection


8. Need to appoint Data Protection Officer

Who needs to appoint a data protection officer?

• Dependent on type of processing and risk but likely to be mandatory for all researchers

• Businesses should publish contact details and advise ICO

What is their role?

• Act independently, reporting to highest level of management

• Should understand your business

• Liaison between business and data subjects/consumer champion?

• Employee (or outsourced) protected from dismissal

Page 16: Members evening - data protection


9. Raises standards for cross border transfers

• Current rules and mechanisms remain but will be kept under review

• Safe Harbor invalidity decision remains (not affected by this process)

• Adequacy decisions can be made by EU Commission for territories, sectors and states, such as EU-US Privacy Shield

• Binding corporate rules still valid

• Some procedural streamlining/flexibility: model clauses favoured and no longer require DPAs' approval; DPAs may also create own model clauses

• New avenue for transfers under approved codes of conduct

Page 17: Members evening - data protection


10. Higher legal risks of non-compliance

Heavy sanctions for non-compliance up to €20m (£15m) or 4% turnover

Increased powers for supervisory authorities and liaison with European Data Protection Board

Data subject claims for compensation for breaches

“Class actions” by consumer associations

…. and also reputational risks …

Page 18: Members evening - data protection

Reputation at risk


80% of people would think twice about giving their business to an online company that made headlines for failing to stop a data security breach

YouGov 2016 poll for ICO

Page 19: Members evening - data protection


How should you prepare?

Page 20: Members evening - data protection


GDPR Compliance Project should start now

1. Assess business risk through understanding data use
2. Draw up compliance plan covering IT systems, staffing and policies
3. Commit to best practice in research and data management
4. Keep up to date through MRS

Page 21: Members evening - data protection


Practical Tips

Obligation: Adhere to data controller or data processor compliance obligations

What your business needs to do:

• Audit and understand data use

• Review and strengthen existing data policies

o Review and revise legacy contracts to consider mandatory terms and negotiations on apportionment of liability

o Establish appropriate technical and security measures for data protection

o Consider adequacy of mechanisms for cross-border transfers, e.g. contracts with cloud providers

o Set up process for written record-keeping of all categories of personal data

o Consult with ICO on riskier activities and privacy impact assessments

Obligation: Respect individual rights

What your business needs to do:

• Use clearer language in privacy policies and fair processing notices but cover off intended purposes

• Review getting consent and implement steps for recording

• Establish clear data retention and deletion policies and communicate retention periods to individuals

• Review mechanisms for consent of children online

• Work with IT to set up procedures and systems for individuals to exercise new rights of data portability and to be forgotten and enhanced information and rectification rights etc

Page 22: Members evening - data protection


Practical Tips

Obligation: Promote accountability across the business

Practical tips:

• Set up demonstrable processes to ensure accountability

• Conduct individual and staff training

• Appoint a data protection officer, considering outsourcing and sharing role

Obligation: Prepare for data breach notifications

Practical tips:

• Set up internal procedures/strategy for data breach identification

• Establish process for notification to DPA and individual

• Explore what “risk” to individuals means

• Build in effective ways of detecting breaches

Obligation: Embed privacy by design and default in research projects

Practical tips:

• Collect minimum information required for research projects

• Maintain accurate and up to date/current databases

• Client side need to engage with product teams earlier in process

• Use anonymisation, pseudonymisation and encryption security techniques

Page 23: Members evening - data protection

Keep up to date

Guidance and tools: FAQs, webinars and guidance notes

But let us know how we can best help you: training areas; webinar topics; new guidance

Follow guidance from ICO

Seek advice from CodeLine [email protected]

Keep informed through MRS www.mrs.org.uk @tweetmrs

Page 24: Members evening - data protection

THANK YOU www.mrs.org.uk/standards