From 25 May 2018, a new European General Data Protection Regulation (the “GDPR”) will apply and change the rules applicable to businesses that process “personal data” such as customer and employee data. Organisations will need to consider implementing new procedures in order to comply. The new rules will impose more stringent requirements on organisations and strengthened rights for individuals, with the risk of substantial fines for non-compliance. We set out some of the key changes and implications for outsource providers and their customers from a UK perspective.
New, harmonised rules for Europe
The GDPR is an EU regulation which will replace the existing EU Data Protection Directive - on which the current UK Data Protection Act 1998 (DPA) is based - and impose new data protection rules across the EU and beyond. In theory, the GDPR will introduce one set of data protection standards which apply in a largely uniform manner across all EU countries.
Applicable in the UK?
It appears likely at this stage that the GDPR will apply in the UK for some time until Brexit negotiations are completed and that the GDPR will therefore replace the DPA. Even if the UK does leave the EU, it is likely the GDPR will be replaced with alternative equivalent legislation. In addition, many UK businesses would continue to fall within scope because of its broad territorial application.
Data processors now caught
A notable feature of the GDPR is that both data controllers (such as employers in respect of their employee data) and data processors (those who process data on behalf of employers, such as outsource providers) will be subject to binding legal obligations. Consequently, for those dealing with clients’ personal data as an outsourced processor, the legal framework is set to become more onerous.
The new requirements will bring several key changes to the outsourcing industry.
New legal requirements for data processors. Data processors (which are not currently subject to the UK DPA) will need to comply with certain requirements of the legislation and the legal risk will not sit solely with data controllers. For the first time, outsource companies in their capacity as data processors will be liable to fines and to compensate individuals in the case of their non-compliance.
Data protection officers. Businesses (whether data controllers or data processors) will need to appoint a data protection officer (DPO) with “expert” knowledge of data protection law and practice, if their core activities consist of:
• regular and systematic monitoring on a large-scale; or
• processing on a large-scale of sensitive personal data and personal data relating to criminal convictions and offences.
DPOs are granted protected status because of the nature of their role. They must be allowed to perform their duties independently and must not be dismissed or penalised simply for doing their job.
New mandatory notification requirement. Notification of personal data breaches (breaches of security leading, for example, to accidental loss or unauthorised disclosure) will become mandatory in certain circumstances. Data controllers will have to notify all breaches to the regulator within 72 hours (unless the breach is unlikely to result in risk to individuals). Breaches which pose a high risk to the rights and freedoms of individuals will also need to be reported to the affected individuals, unless steps have been taken to encrypt the data or otherwise minimise the risk. The rules will require data processors to notify data controllers of any breach without undue delay after becoming aware of a breach.
New penalties. Outsource providers will be at risk of fines going forward and, in addition, the maximum fine for some breaches will increase to EUR 20 million or 4% of annual worldwide turnover in the previous year, whichever is higher. This is significantly higher than the current maximum penalty in the UK of £500,000.
Registration to be replaced with accountability. The existing notification regime, whereby data controllers register with the regulator (in the UK, the Information Commissioner’s Office) and pay a fee, will be replaced with an “accountability principle” which will require those dealing with personal data to take more proactive compliance steps. In particular, data controllers will be required to adopt internal policies and compliance procedures that demonstrate compliance with the requirements and update them where necessary.
Record-keeping. Both data controllers and data processors will need to document their data processing activities and make their records available to the regulator upon request (some organisations with fewer than 250 employees will be exempt from this requirement).
Risk assessments. Data controllers will be required to have an eye to privacy issues at the onset of processing and implement data protection safeguards into projects by design and by default. Where processing carries a high risk, data controllers will need to conduct risk assessments known as “Privacy Impact Assessments” (or PIAs) and consult with the regulator before starting the processing. Time for such project-shaping assessments and discussions will need to be built into project timetables, particularly for more risky projects for example involving large volumes of health personal data.
Sub-contractors and overseas transfers. Sub-contracting will be a particular area of risk for outsource providers, as they will remain fully liable to the data controller for the performance of the sub-processor’s obligations. If the sub-processor is based outside the European Economic Area, the data processor will need to have regard also to the overseas transfer restrictions – which are broadly similar to those in the DPA but now apply to data processors as well as data controllers.
Preparing for implementation
Outsource providers still have just under two years to assess the operational and legal impact of the GDPR on their businesses and make adjustments where required. The ICO has published guidance on its website which aims to help businesses prepare. When negotiating new contracts, both providers and their clients will also need to consider how they will appropriately allocate the additional risk and costs of increased compliance.