23rd March 2017

Expert Advice from Geldards: General Data Protection Regulations – A game changer for everyone

The Information Commissioner has described it as a “game changer for everyone”. So it probably hasn’t escaped your notice that a new, European wide data protection law is on its way. The General Data Protection Regulation 2016 (“GDPR”) will automatically apply in all EU Member States (without the need for national implementing legislation) from 25th May 2018. From this date, the Data Protection Directive 1995 (“DPD”) will be repealed, as will Member State legislation passed to implement the DPD (in the UK this is the Data Protection Act 1998 (“DPA”)).

The UK will still be a member of the EU on this date and even following Brexit the indications from the Information Commissioner and the Government are that GDPR or a similar data protection regime will be here to stay.

The GDPR will introduce a number of significant changes to EU data protection law. It will affect most businesses and other organisations in the UK that process (e.g. collect, record, use or disclose) data relating to an identified or identifiable natural person (“personal data”), whether this is simply because they process personal data relating to their employees or because they process personal data as part of their core business activities.

In this article, we take a look at some of the key changes that are likely to affect businesses in the life sciences sector.

Key Changes

The definition of personal data will be expanded

Personal data will include pseudonymised personal data (e.g. data that has been encrypted to conceal the identity of the data subject) and online identifiers (e.g. IP addresses);
Consequently, more data will be subject to the rules set out in the GDPR. The definition of “sensitive personal data” will be expanded to include genetic data and biometric data;
Businesses that process genetic data and biometric data will need to comply with the extra protections that apply to the processing of sensitive personal data;
In particular, this change will mean that businesses that currently rely on consent to process this type of personal data, will need to “upgrade” that consent to explicit consent.

Even if a business isn’t processing sensitive personal data, obtaining valid consent to processing will be more difficult.

This will only affect businesses which rely on consent as the legal basis for processing personal data;
Under the GDPR, as well as being informed, specific and freely given, consent will need to be unambiguous;
This means that positive action will be required by data subjects in order to demonstrate consent. Pre-ticked boxes, silence and inactivity will not constitute valid consent.

The GDPR also sets out detailed information on the other conditions that must be satisfied in order for consent to be valid. As a result of these changes, existing consents may no longer be valid and may need to be renewed. Alternatively, businesses may need to consider relying upon other legal grounds to legitimise their data processing activities.

Businesses that continue to process personal data on the basis of data subject consent will also need to be able to prove that valid consent was obtained (so evidence of consent will need to be retained), and individuals must be able to withdraw consent at any time.

There will be increased requirements for transparency

The data protection principles will include a new requirement for transparency;
This will mean that businesses will need to be completely upfront about their data processing activities when dealing with data subjects, particularly when obtaining consent to processing;
Businesses will also need to “beef up” their privacy notices to include additional information specified in the GDPR;
In addition, there will be an emphasis on information being, amongst other things, easy to understand, accessible and concise.

Businesses will no longer need to register details of their personal data processing with the Information Commissioner’s Office (“ICO”). However, they will need to keep detailed records and be able demonstrate actual compliance with the GDPR/data protection principles.

The GDPR sets out in detail what the records must include:

Compiling the necessary records is likely to mean that businesses will need to undertake a detailed review of their personal data processing activities;
There will be an exemption to the record keeping requirement for businesses employing less than 250 employees in certain circumstances;
In relation to the requirement that businesses are able to demonstrate compliance, the GDPR makes provision for the introduction of Codes of Conduct and Approved Certification.

There will be changes which will give greater freedom to organisations which carry out processing for archiving purposes in the public interest, scientific and historical research purposes and statistical purposes:

Businesses that process personal data for any of these purposes may be able to benefit from certain extended processing rights under the GDPR.

Data subjects will have better rights

In particular, data subjects will:

Be able to request more information and (generally) receive a copy of their data for free. Under the DPA, data subjects must pay £10 for a copy of their data the ability to request a fee is removed under the GDPR;
Have new and stronger rights to require businesses to erase their personal data;
Have new and stronger rights to object to and stop businesses processing their personal data.

Data subjects will also continue to have rights not to be the subject of decisions made solely on the basis of automated processing. This will include decisions made on the basis of profiling.

Businesses will need to ensure that they have both the technical ability and internal procedures in place to comply with these new rights.

Security Requirements

The general security requirements are “padded out”. For example, businesses must take into account certain factors when assessing security, including the possibility of encryption.

Businesses will need to regularly review the appropriateness of their security measures;
New data processing systems will need to be designed, from the outset, to comply with all elements of the GDPR (“data protection by design”);
Also, by default, businesses will need to subject personal data to the highest security settings (“data protection by default”);
Businesses that are considering undertaking any “high risk” processing, may need to carry out a data privacy impact assessment (“PIA”) and liaise with the ICO before commencing such processing. Guidance will be issued by the ICO as to what kinds of processing will require a PIA.

Data Protection Officers

Businesses involved in certain types of personal data processing specified in the GDPR will need to appoint a DPO. This requirement will significantly increase baseline compliance costs for some businesses. The GDPR sets out detailed provisions relating to the appointment of DPOs and their tasks and responsibilities.

Data Breach Reporting

Data breaches will need to be reported to the ICO without undue delay and, in any event, within 72 hours. Data breaches will also need to be reported to data subjects in certain circumstances. There are currently no such mandatory reporting requirements under the DPA.

Businesses will need to ensure that their systems enable them to quickly detect data breaches and that they have a suitable internal response plan for dealing with data breaches in accordance with the requirements of the GDPR.

The fines will be much higher

Businesses will need to consider the procedural requirements and obligations imposed by the GDPR in the light of the substantial fines that can be imposed for non-compliance.

The GDPR provides for two tiers of fines. Under the higher tier, fines of up to €20,000,000 or 4% of global turnover, whichever is higher, can be imposed. Currently under the DPA, the maximum fine that can be imposed is £500,000.

Businesses should, in particular, review the legal basis on which they process personal data, as processing without a legitimate reason can incur the highest level of fines under the GDPR.

If you process data on behalf of other businesses (i.e. you are a “data processor”), specific statutory obligations and liabilities will apply to you.

Data processors are not currently subject to any statutory obligations or liabilities under the DPA. The obligations imposed on processors by the GDPR will include obligations to keep records, implement appropriate security measures, report data breaches to controllers and appoint DPOs. Processors will be subject to the same sanctions regime (including fines) as controllers. They may also be sued for compensation by data subjects if they breach their obligations under the GDPR or act outside the controller’s instructions

More controllers and processors, including controllers and processors established outside the EU, will be caught.

The GDPR will apply to:

The activities of controllers and processors established in the EU (whether or not the data processing takes place in the EU);
Controllers and processors established outside the EU where such controllers or processors (i) offer goods or services to EU data subjects; or (ii) monitor the online behaviour of EU data subjects;
Non EU controllers and processors will generally be required to designate a representative in the EU to act as their point of contact.

When to start?

It’s best to start preparing for the GDPR straightaway, as many of the changes will call for a major rethink as to how data protection compliance is achieved.

For example:

Ensuring compliance by design and default;
Implementing a new system of regular self-assessment coupled with record keeping; and
Ensuring compliance with the heightened obligations relating to consent and transparency.
The new rights bestowed on data subjects will also mean that businesses will need to review their existing processes and systems and consider what changes will be necessary to meet their increased obligations under the GDPR.

All of this will take time – and it is likely to be those businesses that leave their preparations to the last minute that will run into difficulties.

Where to start?

The most important thing you can do right now is to ensure that key personnel within your organisation (e.g. your HR team, your technical people, your marketing team) understand the changes that the GDPR will introduce, so that they can start evaluating exactly how the GDPR will affect your business. Once this has been done, we would recommend that you put a detailed compliance plan in place to ensure that you are ready for the new law by May 2018.

Further information & legal advice

If you would like any further information about the GDPR and how it might affect your business please download the Geldards Guide or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact the Information Law Team.

Cookie	Duration	Description
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
DYNSRV	session	This cookie is used for load balancing purposes to decide which server to send the visitor.
ep201	30 minutes	This cookie is set by Wufoo for load balancing, site traffic and preventing site abuse.
exp_csrf_token	past	This cookie is used for the purpose of website security that is Cross-Site-Request forgery prevention. It is used to identify the trusted web traffic.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
exp_last_activity	1 year	This cookie is used by the website Content Management System. This cookie is used to record the time of last page load.
exp_last_visit	1 year	This cookie is used by the website Content Management System. This cookie is used to store the last visit date of the registered users.
exp_stashid	session	This cookie is set by the provider ExpressionEngine. This cookie is used for page caching. The cookie creates a unique ID which is used to determine the current state of the website and actions performed by the visitor.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
CSPSESSIONID-SP-8443-UP-redirects-	session	No description available.
EMSSESSIONID	session	No description
ep202	3 months	This cookie is set by the provider Surveymonkey. This cookie is used for statistical analysis and website optmization. It gathers information on user's interaction with the SurveyMonkey- Widget on thewebsite.
GS_GROUP	1 month	No description available.
GS_RESTRICT	session	No description available.
GS_REVENUE_LOC	1 month	No description available.
PERSIST-COOKIE-ENC	session	No description available.
ppwp_wp_session	30 minutes	No description
SKTID	1 year	No description
SQ_SYSTEM_SESSION	session	No description available.

Select categories:

Select categories:

News & Opportunities

Sign up to our newsletter

Expert Advice from Geldards: General Data Protection Regulations – A game changer for everyone

Join the conversation

Helpful information

Subscribe to our Mediwales newsletter