General Data Protection Regulation (EU 2016/679)
Philippa Doyle, Associate
22 June 2017
Overview
- What is the GDPR?
- How will it affect me / my organisation?
- What do I need to do?
- What about Brexit?
What is the GDPR?
- Replaces the current European data protection directive
- Implements a single data protection law across Europe
- As it is a Regulation, it has direct effect in the UK without national implementing legislation
- Greater / more prescriptive obligations on those that process personal data
- Serious consequences for non-compliance
How will the GDPR affect me / my organisation?
- In many ways – not at all, because you are unlikely to be trading with or operating in other EU member states
- In other respects – lots of changes to take on board and implement
- Sensitive personal data becomes “special categories of personal data”
- Introduces the concept of joint data controllers
- Removes the ability to charge for a subject access request
How will the GDPR affect me / my organisation? (cont.)
- No general notification requirement
- It is not enough to comply with the GDPR; you have to be able to demonstrate compliance – “the Accountability Principle” (detailed – see later)
- Greater clarity on the consent required
- Public authorities can no longer rely on legitimate interests in relation to processing
- Enforcement – including fines / audit / order compliance / ban on processing
What do I need to do?
- Appoint a Data Protection Officer
- Review:
  - Consent forms
  - Policies
  - Procedures
  - Training
Accountability Principles
Must be able to demonstrate compliance with the following. Personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific / explicit / legitimate purposes and not further processed in an incompatible manner
- Adequate, relevant and limited to what is necessary
- Accurate (every reasonable step must be taken to rectify / erase inaccurate data without delay)
- Kept in a form which permits identification for no longer than is necessary
- Kept secure
Accountability Principles (cont.) – Consent
- Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by clear affirmative action, signifies agreement to the processing of their personal data
- Consent to process sensitive personal data must be explicit
- Needs to be intelligible (plain, clear drafting)
- Silence, pre-ticked boxes or inactivity are not appropriate
Accountability Principles (cont.)
- New principle – requires you to be responsible for, and able to demonstrate compliance with, the data protection principles
- Means keeping detailed records that may need to be presented to the regulator on request
- Means building evidence of compliance with the DP principles into your processes
- Means implementing appropriate technical / organisational measures to ensure and demonstrate compliance – policies and procedures
Written records to demonstrate compliance
Written records of processing activity must be kept, including:
- The purpose of processing
- The description of data subjects / personal data
- The categories of recipients
- The details of transfers outside the EEA
- The envisaged retention periods
- A description of security measures
Remember you hold two types of records:
- Staff files
- Patient files
Data Protection Officer – do I really need one?
- Yes, though not necessarily an employed member of staff
- Could engage the services of a specialist to support your organisation, or share one between providers
- Needed where:
  - The controller / processor is a public authority or body;
  - Core activities involve regular or systematic monitoring on a large scale; or
  - Core activities consist of processing special categories of data
Data Protection Officer (cont.) – what is their role?
- Must be designated on the basis of professional qualities and expert knowledge of data protection law and practice
- Must report directly to the highest management level in the organisation
- Tasks:
  - Inform and advise
  - Monitor compliance
Data Subject Rights
- Information and communications must be concise, transparent, intelligible, accessible and in clear / plain language
- Rights are exercised free of charge unless manifestly unfounded / excessive
- Information must be provided promptly and generally within “one month”
- Review and update data retention policies
Breaches
- Two tiers of fines:
  - Up to 2% of annual turnover or €10,000,000 (whichever is higher)
  - Up to 4% of annual turnover or €20,000,000 (whichever is higher)
- Rights of audit, order compliance, ban on processing
- Rights of compensation for data subjects
What about Brexit?
- GDPR applies from 25 May 2018
- The UK will still be a member of the EU, therefore GDPR will apply
- The ICO will be represented on the European Data Protection Board
- Once we leave the EU, we will need to implement GDPR into national law – the government will review
- Hopefully we will still get a seat at the EDPB
In summary…
- GDPR will apply from 25 May 2018 and will likely continue to apply in the same or a very similar format post Brexit
- Start preparing now:
  - Identify a Data Protection Officer
  - Review policies / procedures / governance structures / training
  - Audit and document data processing activities
  - Review consent forms
  - Secure a copy of the ICO guidance
Any questions?
Philippa Doyle, Associate
T: 01423 724028
E: p.doyle@hempsons.co.uk