1 Preparing for the new data protection law (GDPR) – what businesses need to be aware of

2 Headline notes
- UK data protection law will change on 25 May 2018, when the EU General Data Protection Regulation (“GDPR”) takes effect, replacing the Data Protection Act 1998 (“DPA”)
- Many aspects of the GDPR are much the same as those in the DPA (e.g. the concepts of personal data, data controller, data processor and data subject)
- The best starting point for complying with the GDPR is to comply with the DPA, but there are important new elements and significant enhancements, so some things will have to be done for the first time and some things will have to be done differently

3 Backdrop
The GDPR seeks to take into account:
- fundamental changes to the ways in which individuals and organisations communicate and share information
- increased transborder data flows
- significant advances in information technology and identification techniques
- the need for harmonisation of laws and a more consistent set of data protection compliance obligations (although flexibility is retained over some decision-making)

4 Key concepts and changes
- expanded territorial scope (non-EU data controllers and data processors will be subject to the GDPR if they offer goods or services to data subjects in the EU or monitor data subjects’ behaviour within the EU)
- increased fines and enforcement powers
- consent, as a lawful basis for processing, will be harder to obtain
- risk-based approach to compliance under which businesses bear responsibility for assessing the degree of risk that their processing activities pose to data subjects (proportionality)
- “one-stop shop” (a business will be able to deal with a single supervisory authority (SA), the one where its main establishment is situated, as its lead SA across the EU)

5 Key concepts and changes
- privacy by design and by default, privacy impact assessments (PIAs) and prior consultation
- maintenance of detailed documentation (accountability and transparency)
- new direct compliance obligations (and non-compliance fines) for data processors
- strict data breach notification rules
- pseudonymisation (processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately)
- binding corporate rules (formal recognition of the internal rules a corporate group adopts to lawfully transfer personal data out of the EEA within the group)
- data subject access requests and other data subject rights

6 Maintaining detailed records of processing
- businesses must document what personal data they hold, where it came from and who it is or has been shared with; the GDPR requires businesses to maintain detailed records of their processing activities so that they can respond when data subjects exercise their updated rights
- performing this exercise will also help businesses to comply with the GDPR’s accountability principle, which requires businesses to be able to show how they comply with the data protection principles
- personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

7 Communicating privacy information
- when businesses collect personal data, they are currently required to give people certain information, such as the identity of the business and how the business intends to use the personal data (normally done through a privacy policy or notice)
- under the GDPR there are additional pieces of information that businesses have to provide to data subjects (in concise, clear and easy to understand language): (i) the lawful basis on which the data is being processed by the business; (ii) the business’ data retention periods; and (iii) that data subjects have a right to complain to the ICO if they think there is a problem with the way their data is being handled

8 Data subject rights
The GDPR includes the following rights for data subjects:
- existing (and in some cases enhanced) rights (i) to be informed, (ii) of access, (iii) to rectification, (iv) to restrict processing and (v) not to be subject to automated decision-making, including profiling
- the expanded right to erasure (“right to be forgotten”), exercisable where, for example, the personal data is no longer necessary for the purpose for which it was collected or the data subject withdraws consent
- the expanded right to object to processing (including profiling, i.e. most forms of online tracking and behavioural advertising)
- the new right to data portability (electronically, free of charge and in a commonly used format), which only applies (i) to personal data a data subject has provided to a data controller, (ii) where the processing is based on the data subject’s consent or is necessary for the performance of a contract and (iii) where the processing is carried out by automated means

9 Data subject access requests
In handling data subject access requests, the GDPR requires businesses to take account of the following new rules:
- in most cases businesses will not be able to charge anything for complying with such requests
- businesses will have one month to comply (rather than the current 40 days)
- businesses can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive
- if a business refuses a request, it must tell the data subject why, without undue delay and at the latest within one month, and inform them that they have the right to complain to the supervisory authority and to seek a judicial remedy

10 Lawful basis for processing personal data
- many businesses will not previously have thought about their lawful basis for processing personal data under the DPA
- this is different under the GDPR because some data subject rights are modified depending on the lawful basis on which personal data is processed (e.g. data subjects will have a stronger right to have their data deleted where a business relies on consent as its lawful basis for processing)
- businesses are also required under the GDPR to explain their lawful basis for processing personal data in their privacy policies and notices and when answering data subject access requests
- the lawful bases for processing in the GDPR are broadly the same as the conditions for processing under the DPA

11 Consent as a lawful basis for processing
- the GDPR requires a higher standard of consent than the DPA: a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data, by a written statement or other positive opt-in
- consent cannot be inferred from silence, pre-ticked boxes or inactivity
- when processing has multiple purposes, data subjects must give consent to each purpose
- data subjects have the right to withdraw consent at any time (it must be as easy to withdraw consent as it is to give it)
- where there is a “clear imbalance” between the parties (e.g. an employer/employee relationship), consent is not presumed to be freely given, so employers will need to establish other grounds on which to justify processing (e.g. “legitimate interests” or necessity for contractual performance)

12 Data breach notification requirements
- the GDPR introduces a duty on all businesses to report personal data breaches to the ICO (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, in some cases, to the affected data subjects
- businesses only need to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of data subjects, e.g. if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage
- where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, businesses will in most cases also have to notify those concerned directly
- failure to report a personal data breach when required to do so could result in a fine, in addition to any fine for the breach itself

13 Increased fines and enforcement powers
- currently, fines under national law vary and are comparatively low (e.g. the UK maximum fine for DPA non-compliance is £500,000)
- the GDPR will greatly increase the maximum fines capable of being imposed by supervisory authorities (SAs):
  - up to 2% of annual worldwide turnover of the preceding financial year or 10m euros (whichever is greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, DPOs, and data protection by design and by default
  - up to 4% of annual worldwide turnover of the preceding financial year or 20m euros (whichever is greater) for violations relating to breaches of the data protection principles, conditions for consent, data subject rights and international data transfers
- the investigative powers of SAs are also increased (audits, access to information and access to premises)

14 Privacy by design and by default and privacy impact assessments (PIAs)
- having regard to the state of the art and the cost of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk to data subjects, businesses are now required by the GDPR to implement: (i) data protection by design (e.g. when creating new products, services or other data processing activities) and by default (e.g. data minimisation); and (ii) technical and organisational measures (such as pseudonymisation) to ensure the GDPR’s requirements are met
- the GDPR also makes PIAs (called data protection impact assessments, or DPIAs, in the GDPR) mandatory where data processing is likely to result in a high risk to data subjects, e.g. where a new technology is being deployed, a profiling operation is likely to significantly affect data subjects or there is large-scale processing of sensitive personal data
- if a PIA indicates that the data processing is high risk and the risk cannot be sufficiently mitigated by the business, it will need to consult the ICO to seek its opinion as to whether the processing complies with the GDPR

15 Data Protection Officers (DPOs)
- a business must designate a DPO if it is: (i) a public authority (except for courts acting in their judicial capacity); (ii) an organisation that carries out regular and systematic monitoring of data subjects on a large scale; or (iii) an organisation that carries out large-scale processing of sensitive personal data or other special categories of data, e.g. health records or information about criminal convictions
- even if not formally required to designate a DPO, it is important that someone in the organisation, or an external data protection adviser, takes proper responsibility for data protection compliance and has the knowledge, support and authority to carry out the role effectively

16 Ed Wright, Partner
Ed is able to advise on all non-contentious aspects of commercial, contract, IP, IT, data protection, freedom of information and competition law. Ed has expertise in the biotechnology, engineering, healthcare, life sciences, manufacturing and pharmaceuticals sectors. Ed's experience and expertise cover all aspects of the creation, securing, protection and exploitation of IP, including IP assignments, licences and securitisation, academic and commercial R&D and other collaborations, materials and technology transfers, agency, distribution/reselling, franchising and marketing arrangements.

17 Questions
