General Data Protection Regulations (GDPR) Guidance Note

What is GDPR?

The EU General Data Protection Regulations (GDPR) came into force on 25 May 2018 and places greater obligations as to how organisations handle personal data.

GDPR replaces the current EU Data Protection Directive which was transposed into UK law by the Data Protection Act 1998 (DPA 1998). The Data Protection Act 2018 came into force on the same day and supplements GDPR.

What information does GDPR apply to?

GDPR applies to ‘personal data’ which is any information relating to an identified or identifiable natural person, also known as the ‘data subject’.

The definition of ‘personal data’ under GDPR has been expanded and includes:

• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

What does this mean for my practice?

GDPR is principles based (Article 5 GDPR) and takes a risk-based approach to data protection. This enables practices to decide what steps are appropriate and proportionate for them to comply with GDPR.

Practices that already comply with the DPA 1998 and that have effective data governance in place have a good starting point when preparing for GDPR. However, new elements have been introduced by GDPR and there are some significant changes that practices should be aware of.

What are the key changes?

1. Transparency and consent – practices must be open and transparent about the reasons they are collecting personal data and what they intend to do with it. The most common way to do this is to provide the information in a privacy notice. Practices must also consider whether they need to obtain the necessary permissions to use individuals’ personal data.
2. Accountability – practices must be able to demonstrate compliance with GDPR. This may be through data protection policies, record keeping, archiving and erasure, data management and providing information to data subjects.
3. Enhanced rights for individuals – individuals are given increased rights, including the right to be forgotten (to have their data erased) and the amended right to access their data through a subject access request.
4. Data protection by design and default – practices should review what personal data they collect and the length of time that they hold it. Practices should not collect any data over and above what is necessary for the intended purpose. In some circumstances, a Data Protection Impact Assessment (DPIA) may be required to help practices identify the best way to comply with their data protection obligations.
5. Data breach notification – in the event of a personal data breach which could impact the individual or cause harm, the breach must be reported to the Information Commissioner’s Office (ICO) without undue delay and no later than 72 hours after detection.
6. Fines – fines are significantly higher under GDPR. Up to 4% of annual turnover or 20 million euros, whichever is higher, could be imposed for breaches of GDPR.

What resources are available?

GDPR is principles based and takes a risk-based approach to data protection. This allows practices to decide for themselves what steps are appropriate and proportionate to comply with GDPR, meaning that the approach large practices need to take to get ready for GDPR is likely to be different to the approach smaller firms and sole-practitioners need to take.

The ICO has produced a Guide to GDPR which will be regularly updated along with a package of tools to help organisations prepare for GDPR:

• a micro business resource page;
• a number of small business FAQs;
• a number of data protection self- assessment checklists; and
• an advice helpline for small organisations.

Practices should be able to demonstrate compliance with GDPR and may consider documenting i) what personal data the practice holds, ii) where it came from, and iii) who it is shared with. An information audit should help to achieve this.

Other ways of demonstrating compliance may be through a data protection policy, a data breach notification procedure, data protection impact assessments and consent forms. The scale of the policies and processes should be appropriate to the size and complexity of the practice.

What information should be included in a privacy notice?

GDPR includes a more detailed list of information that must be provided to an individual than the DPA 1998. The most common way to provide the information is through a privacy notice.

The ICO has produced guidance on privacy notices and what information should be included.

What is a data protection officer (DPO) and does my practice need to appoint one?

The DPO’s tasks may include:

• informing the practice and its employees of their obligations under GDPR, including providing staff training;
• monitoring compliance with GDPR and ensuring there are policies in place for the protection of personal data;
• providing advice in relation to DPIAs; and
• cooperating with the ICO and acting as its contact point.

GDPR requires the data controller to appoint a DPO where:

1. the processing is carried out by a public authority or body, or
2. the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or
3. the core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

Whilst it is unlikely that the majority of CLC regulated practices fall under these criteria, practices may still wish to appoint a DPO.

The ICO has produced guidance on DPOs and when they need to be appointed.

What are the lawful grounds for processing data?

Article 6(1) GDPR sets out the lawful grounds for processing data, in other words, the reason for collecting the data. The lawful grounds are:

• Consent
• Performance of a contract
• Compliance with a legal obligation
• Necessary to protect the vital interests of an individual
• Public interest
• Legitimate interests of the organisation as long as the rights and freedoms of the individual are not overridden

Personal data can only be collected for ‘specified, explicit and legitimate purposes’ therefore data gathered for one purpose cannot then be used for something else unless consent is obtained from the data subject or there is a legitimate purpose to do so.

Practices should be able to demonstrate how decisions about lawful grounds for processing have been reached and may consider documenting their decisions.

What should I do if I discover a personal data breach?

Any personal data breach which could impact an individual or cause harm must be reported to the ICO without undue delay, and no later than 72 hours after detection. If the breach is likely to result in a high risk of adversely affecting individuals’ rights, practices must also inform those individuals without undue delay.

Records of any personal data breaches should be kept whether or not they are reported to the ICO and/or the individual.

The ICO has produced guidance on personal data breaches.

How does GDPR impact file storage?

Under the GDPR, personal data must not be kept for longer than is necessary for the purposes for which it was processed. However personal data stored for legitimate reasons under existing legislation, for example, the Limitation Act 1980 or the Money Laundering Regulations 2017, can be stored and processed under the lawful ground of compliance with a legal obligation.

As stated in the CLC Transaction Files Code, practices should retain the contents of files relating to all matters for a minimum of six years, except those relating to:

• other conveyancing matters (other than the sale of property) for a minimum of fifteen years
• wills for a minimum of six years after the testator has died, and
• probate matters for a minimum of six years from the end of the executor’s year.

Practices should review their file storage policies and the legal and regulatory reasons for retaining personal data for specified periods of time.

Do I need to pay a fee?

The Government has announced a new charging structure for data controllers which is yet to be approved by Parliament. The ICO has produced a Guide to the Data Protection Fee to help explain the new funding model and what payments are required.

If your practice is currently registered under the DPA 1998, you will not need to pay the new fee until your current registration expires.

What is the Data Protection Act 2018 and how does it relate to GDPR?

The Data Protection Act 2018 (Act) came into effect on 25 May 2018 and replaces the DPA 1998. The Act updates data protection laws in the UK by supplementing GDPR. It also implements the EU Law Enforcement Directive and extend data protection laws to areas not covered by GDPR.

More information can be found on the ICO website: Data Protection Bill.

Will Brexit impact GDPR?

No. GDPR comes into effect before the UK leaves the EU and the UK government has committed to fully implement it.

May 2018