GDPR Resources

Please visit regularly to find out our latest thoughts on GDPR. You can also sign up for email updates.

Speak to an expert now

 


The General Data Protection Regulation or GDPR is new data protection law that comes into force on 25th May 2018. It applies not only to the UK but also right across the European Union.


 

GDPR: Data Protection Impact Assessments- what are they and when must an organisation carry them out?

One of the requirements of the General Data Protection Regulation (the GDPR) is to carry out a data protection impact assessment (DPIA) in certain circumstances. When should your organisation do this?

Let’s start with the wording in the GDPR. This says that a data protection impact assessment must be carried out where the type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Well that’s nice and clear!

Fortunately, there is some non-binding EU guidance which states that, as a rule of thumb, if your organisation’s processing of personal data meets at least two of the following criteria, a DPIA is required:

  • Evaluation or scoring, including profiling and predicting
  • Automated decision-making
  • Systematic monitoring
  • Involves sensitive data
  • Carried out on a large scale
  • Matching or combining datasets
  • Relates to vulnerable data subjects
  • Applies the innovative use or application of technological or organisational solutions
  • Involves data transfers across borders outside the European Union
  • When the processing prevents data subjects from exercising a right or using a service or a contract.

Hopefully the above will give organisations some more constructive guidance but, for each of the criteria, an organisation is likely to require a more detailed investigation as to whether its processing activities are caught or not.

How should your organisation carry out a DPIA? The GDPR does specify some minimum standards for a DPIA which are set out below in a summary form:

  • A description of the processing and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller
  • An assessment of the necessity and proportionality of the processing in relation to the purpose
  • An assessment of the risks to individuals
  • The measures in place to address the risks, including security and to demonstrate compliance

As both the requirement and how to carry out a DPIA are new, we would recommend that your organisation speaks to us first to ensure that it is acting in compliance with the GDPR.

By Simon Bates


GDPR: Does your organisation need to appoint a data protection officer?

A question that we are frequently asked is whether, under the GDPR (the General Data Protection Regulation, the new data protection law coming into effect on 25 May 2018), an organisation must appoint a data protection officer. Normally the question is accompanied by a statement such as, “we only have 70 employees”. We should dispel this common myth. Whether your organisation is required to appoint a data protection officer (DPO) has nothing to do with its number of employees or indeed its turnover.

There are only 4 circumstances in which an organisation is legally required under the GDPR to appoint a DPO. Let’s look at each in turn.

1. Your organisation is a public authority
That’s quite easy. You will generally know whether that is the case though there are occasionally some grey areas.

2. Your organisation carries out large scale systematic monitoring of individuals
As might be expected when it comes to legal wording at the outset of new legislation, the meaning of “large scale systematic monitoring” is not clear. The Information Commissioner’s Office (ICO) (the UK authority responsible for data protection enforcement) gives the example of an organisation carrying out online behaviour tracking would be caught within the definition.

3. Your organisation carries out large scale processing of special categories of data
What are special categories of personal data therefore? Whilst these are fully defined in the GDPR, in the main it includes data relating to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; genetic and biometric data; sex life and sexual orientation.

However, what’s processing on a large scale? Large scale is not defined in the GDPR. However non-binding EU guidance suggests that processing patient data by a hospital would be caught but processing by an individual doctor would not be. This does suggest that size may be relevant here but, of course, this guidance is non-binding and does not come from the ICO. Accordingly, our view is that if you are doing anything other than routine or occasional processing of special categories of personal data, your organisation should seek legal advice as to whether it needs to appoint a DPO.

4. Your organisation carries out large scale processing of data relating to criminal convictions and offences
Subject to the comment above about “large scale”, this is largely self- explanatory.

Notwithstanding, whether your organisation is legally obliged to appoint a DPO, it is sensible to ensure that somebody within your organisation is given overall responsibility for data protection. We frequently find that within an organisation data protection is inconsistently applied with different teams, such as IT, HR, marketing and operations, all taking different approaches.

As well as advising on whether your organisation needs to appoint a DPO, we can advise on the specific law relating to and obligations of a DPO as there are rules regarding the qualities that the DPO must possess and the position that they must hold within your organisation.

By Simon Bates


GDPR: should you be concerned if your organisation is outside the EU?

Many of our clients are based outside the EU and sell goods or services in the EU. Do such non-EU organisations have to comply with the General Data Protection Regulation (GDPR)? The simple answer is yes. If they are selling goods or services to data subjects (individuals) in the EU or monitoring the behaviour of individuals in the EU (for example online tracking), Article 3 of the GDPR expressly states that non-EU organisations must comply with the GDPR. Therefore, for example, an organisation established in the US but selling on-line to citizens within the EU must comply with the GDPR.

There is also an additional obligation on such a non-EU organisation. It must appoint a designated representative in the EU. The designated representative is the contact for all data protection issues relating to the non-EU organisation and so, for example, must be named in the organisation’s privacy policy.

If the non-EU organisation’s processing is occasional it will, subject to certain conditions, usually be exempt from appointing a designated representative. It is not yet clear what is meant by “processing that is occasional”. However, it is likely to be the case that, in our example above, if the US established organisation’s website is aimed solely at the US market and priced in US dollars, but once in a while a sale is made into the EU, this will be occasional processing. Therefore, there would be no need to appoint a designated representative.

Who can be a designated representative? There is no restriction on who can be appointed a designated representative. The problem for designated representatives is that the preamble to the GDPR states that they are liable for fines for non-compliance of the GDPR by their appointers. Given the potential level of fines for non-compliance with the GDPR, no properly advised individual would ever willingly accept the role of designated representative. We do, however, have a solution to this problem.

If you are a non-EU organisation and need advice about whether you need to or how to comply with the GDPR or need to appoint a designated representative, please contact us.

By Simon Bates

GDPR Email Update

Get the latest updates on GDPR delivered to your email inbox.

This field is mandatory.
This field is mandatory.
This field is mandatory.
This field is mandatory.

Talk to our experts


Simon Bates
Executive Director, Solicitor, Commercial 
T: +44 (0)117 918 1210
E: 
sbates@jordanscorporatelaw.com


Helen Wright
Associate Director, Solicitor, Commercial
T: +44 (0)117 918 1208
E: 
hwright@jordanscorporatelaw.com


Stacey Edwards
Solicitor
T: +44 (0)117 918 1256
E: 
sedwards@jordanscorporatelaw.com

 


The General Data Protection Regulation or GDPR is new data protection law that comes into force on 25th May 2018. It applies not only to the UK but also right across the European Union.


 

Our thinking

Get fresh insight on the legal issues that matter on our blog, whitepapers and more.

Find out more

GDPR

Are you GDPR compliant?

Find out more

Subscriptions

Keep informed with our free online newsletters and email updates.

Find out more