GDPR

  • GDPR and Healthcare data

    The new European data legislation, the GDPR, requires a balance between the needs of the many and the needs of the individual.

    The benefits and risks of using personal data split opinion, particularly within the medical research sector.

    'Big data' can digest previously unimaginable quantities of information and uncover previously unforeseen patterns. On the one hand, it may address the challenges posed by chronic conditions such as heart disease or cancers. On the other, the way forward is less clear.

  • Data processor

    The minimum information needed for a processor to comply with its legal responsibilities, and for the controller to comply with Article 28, is to specify whether the data includes special categories of personal data, since this raises the risk profile of the data set.

    For Personal Data that does not fall into one of either:

  • The regulation is not merely for the 28 EU member states (27 after Brexit). It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein. GDPR is being integrated into the 1992 EEA Agreement.

    And it does not only affect EEA nations: any organisation across the globe offering goods or services to European data subjects, or controlling, processing, or holding personal data of European nationals, is also captured.

    While GDPR will bring harmonisation across the 31 EEA nations, the new provisions make European data protection law diverge even further from the laws of 'third countries', presenting a big challenge for international business and litigation.

    For example, US courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. By comparison, Europe places a greater importance on privacy, which is a fundamental right under Article 8 ECHR.

  • GDPR terms and conditions

    The key terms and definitions you need to know:

    Binding corporate rules: personal data protection policies adhered to by a controller or processor in a Member State for the transfer of personal data to a controller or processor in a third country.

    Originally devised by the Article 29 Working Party to transfer large volumes of data securely across borders while reducing bureaucracy.

    GDPR establishes conditions for a Member State to establish its own binding corporate rules to streamline international transfers.

  • GDPR Summary

    The key changes included in the General Data Protection Regulation (GDPR):

    • The Regulation will enforce tough penalties – proposed fines up to 4% of annual global revenue or €20 million, whichever is greater.

    • Even though the UK will not be in the EU post-Brexit, we will still have to comply with the Regulation. Although enforcing the regulation beyond EU borders will be a challenge, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

    • Google Data Breach

      Following Google’s announcement this week (8 October 2018) regarding a data breach in 2015, they have temporarily shut down their social network Google+, where a security bug enabled third-party developers to gain access to user data, potentially affecting around 496,951 Google+ users.

      The announcement on Monday was the first time Google discussed the breach, which, although it occurred three years ago, was not exposed and remedied until March 2018. Google’s reasoning for the late exposure was relayed in an internal memo, which discussed the avoidance of “regulatory interest” and potential comparisons to Facebook’s Cambridge Analytica scandal.

      The bug may have allowed third-party developers to gain access to usernames, email, gender, date of birth, location, pictures, as well as occupation and relationship status. However, there is no concrete evidence to confirm this (as Google only holds API data for two weeks), therefore they cannot determine how many users were exposed. Google have advised that there was “no evidence that any profile data was misused” as well as there being “no evidence that any developer was aware of this bug, or abusing the API”.

    • Gender Recognition Act Criminalises Staff

      Following the closure of the Gender Recognition Act consultation, many people have voiced their opinions regarding the need to reform the act, due to a variety of problematic issues.

      The Employment Lawyers Association (ELA) have discussed the negative implications of the Gender Recognition Act 2004 and have called for a repeal of section 22 of the act, which they believe inadvertently criminalises innocent members of staff, especially HR employees who assist trans job seekers.

      Section 22 of the Gender Recognition Act 2004 states:

    • HR and GDPR

      The General Data Protection Regulation (GDPR) came into force on 25 May 2018, bringing major changes to the way data is protected and prompting employers to reconsider their employment and HR procedures, and amend them in order to comply with GDPR requirements.

      Employers should maintain focus on the following factors:

    • HR DATA ON THE CLOUD

      There are many outsourced HR companies, and so naturally they hold personal data such as an individual’s name, address, DOB, NI number, bank details, salary etc. Some HR companies provide software or apps to process payroll, pay invoices and employee expenses, bonuses etc.

      Care needs to be taken as to whether the servers for these apps are based outside the EU or EEA, for example in the United States.

    • ICO finds 75% increase in data breach reports

      According to a study from the Information Commissioner’s Office (ICO), data breaches have shown a 75% increase in the past two years.

      The report was conducted by Kroll, one of the top corporate investigations and risk consulting firms, based in the US. Kroll compiled data breach reports which were submitted to the ICO regarding breaches of personal data, including financial and health details. Some of the data contained in the reports was public knowledge, whilst other data was accessed under the Freedom of Information Act.

      The final report established that over 2,000 reports submitted to the ICO in the past year were due to human error, with the most common grounds for a data breach being data sent by email or fax to the wrong recipients, and the loss or theft of paperwork.

    • Improving Cybersecurity measures

      In the past year there have been an array of high-profile data breaches from some of the UK’s biggest organisations including: British Airways, Dixons Carphone, and Ticketmaster UK.

      It is alarming that such large, established organisations have jeopardised not only their own company data, but also the personal data of their customers, through their lack of cyber security.

      Many cybersecurity experts believe that a data breach can occur due to a simple mistake, for example when updating systems or migrating data. Although there has been a substantial amount of investment in cybersecurity, there are still gaps in the basic procedures, which must be addressed.

    • GDPR Data Processor

      Does a data processor need to be informed when a data controller deletes data?

      A data processor only needs to be informed if the data controller needs support in carrying out the right to be forgotten. However, it is important for a data controller to define its relationship with the data processor, in order to understand the dynamics between the two. It is also seen as good practice to allow the controller to gain access to deleted records through a Subject Access Request that the controller has received. If a data processor retains copy records as well as backup records, they must be deleted if requested by the controller.

      The deletion process can be difficult to carry out efficiently, but it is essential: according to GDPR, all of the subject’s data must be deleted and the backups taken again, which is a lengthy but necessary process.

    • Keeping up with GDPR requirements

      The EU General Data Protection Regulation (the “Regulation”) came into effect on 25 May 2018, replacing the Data Protection Act 1998. The GDPR requirements largely repeat the security principles set out in the DPA, although with a much tougher regime and more severe sanctions for breach.

      This change has brought about business challenges for which there is little, if any, legislative or regulatory clarity at present.

      1. How does controller and processor liability work in practice?

    • Does a data processor require a legal basis (beyond the contract it has with the data controller) in order to process data provided by the data controller?

      The processor has to consider the reasonable expectations of the data subject and ensure a legitimate interest is pursued.

      A contractual basis will only work if there is a contract with the data subject; therefore there would need to be a legitimate interest. However, the purpose of the processing should be limited solely to the processing categories intended by the contract with the controller.

    • GDPR compliance

      According to a recent survey, 17 out of 24 regulatory authorities were unprepared for the General Data Protection Regulation (GDPR) when it was introduced on 25 May 2018.

      Regardless of these statistics, organisations cannot afford to become complacent, as all businesses are at risk of data breaches. Therefore, GDPR compliance must be continually enforced.

    • Marketing data prior to 25th May 2018

      Imagine the scenario: you hold marketing data, collected from lead generation firms, meetings, seminars etc., maintained as a contacts database for marketing purposes. You have already contacted some of the people on this database, but others you have not.

      In order to comply with the GDPR requirements you need to know:

      How is this affected by GDPR?

      Do you need to contact all the earlier contacts to get consent?

      Can this be deemed legitimate business use?

    • Obtaining Consent

      When seeking to acquire informed consent, the default solution tends to be to obtain written consent from each and every customer. This is of course perfectly fine, if it is manageable. But even overcoming this task leaves the burden of gathering the consent documents and filing them, followed by ensuring the data is correct, etc.

      Remember, consent is just one of the ways in which processing data might be justified. Therefore, consider the processes that you are seeking consent to carry out, and look at alternative lawful bases.

    • Record keeping - right to be forgotten

      GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you must erase all the data if you have a need, and a legitimate interest basis, to process their data for audit records. If you cannot erase data (for example, where there is a legal requirement to keep certain records for 6 years) then consider restricting the processing, such as moving the data to an archive.

      The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.

    • Subject Access Request and Confidential References

      A Subject Access Request (SAR) is a written request from an individual, in relation to their access to information, which they are entitled to ask for under the Data Protection Act.

      There has been some debate on what must be included in an SAR, recently in relation to the inclusion or exemption of confidential references. Previously, under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, although employers did have the right to refuse disclosure of this information to the employee. In this instance, an employee could get around the employer’s decision by applying to the recipient employer regarding their reference, whereby that employer could not decline disclosure.

    • Subject Access Request outside of the EU

      On some occasions, an EU data subject may make a Subject Access Request (SAR) which involves a transaction outside of the EU. Data processors must therefore be aware that a data controller outside of the EU is not necessarily relieved of any, or many, of its obligations under the General Data Protection Regulation (GDPR).

      So the question is whether data processors need to address the Subject Access Request without the controller.
