General Data Protection Regulation (GDPR)

An Update for MSPA Europe Members

Introduction

On 24 May 2016, the General Data Protection Regulation (GDPR) came into force.  This means it will apply from 25 May 2018 - giving us one more year to prepare.  The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive.

The Regulation will establish a single, pan-European law for data protection meaning that organisations deal with one law, not many laws.  However, there will be some country variations as Member States still have discretion on specific provisions.  Over 50 articles have been left to member states to implement in their own national law - including provisions governing the processing of personal data for research purposes.

The new rules mean we must build in data protection by design and by default, carry out privacy impact assessments for riskier or larger scale projects, and implement privacy-friendly techniques such as data minimisation and encryption.  They are designed to be future-proof, technologically neutral, fit for innovation and big data analytics.

Key messages

• Compliance must be an integral part of market research, is not a bolt-on.  Privacy must be built in by design and default. More detailed record keeping and data protection/privacy notices are required
• It will impact on the activities of all researchers working in the EU as well as those operating further afield.

Updated Data Protection Principles

Additions have been highlighted below:

Personal data must be:

• Processed fairly, lawfully and in a transparent manner
• Processed only for specified purposes
• Adequate, relevant and limited to what is necessary for purpose
• Accurate and kept up to date
• Not kept longer than necessary
• Processed in accordance with the Data Subjects’ rights
• Kept secure by appropriate organisational and technical means
• Not transferred outside the EEA unless privacy is respected  

Key Points

• The definition of ‘personal data’ remains unchanged, but it has been made clearer that location data and online identifiers can constitute personal data.
• Increased territorial scope - GDPR applies to any individual handling the personal data of EU residents wherever the data handler (i.e. the Controller or Processor) is located.  
• The legal grounds for processing personal data under the GDPR reflect the existing position and informed consent will continue to be key.  
• There will be increased privacy notice obligations.
• Mandatory notification of serious data breaches to the data protection authority will be required.
• Penalties for non-compliance are significant with fines of up to 4% of worldwide turnover or €20 million/£15 million.  Data Processors will now be directly liable for any breaches by the Processor.
• Greater accountability and more detailed compliance responsibilities placed on the shoulders of both Data Controllers and Processors.

Practical Implications

Organisations handling the personal data of EU citizens that do not have a physical presence in the EU will need to appoint a Representative in an EU Member State.  For example, if you are a Japanese Controller collecting personal data from individuals in France, you are required to have a representative based in France to act as a point of contact for regulators and data subjects unless the processing is covered by an exemption.

More information must be provided to data subjects such as lawful basis for the processing, retention periods or criteria and actively promote awareness of rights to individuals.  Information has to be provided in an intelligible form using clear and plain language.

The requirement to notify the Data Processing Authority (DPA) of data processing has been removed but in its place is a risk-based accountability scheme with obligations to: 

• Keep detailed internal records of processing activities because demonstrable processes to ensure accountability will be required; 
• Implement privacy by design and default;
• Complete privacy impact assessments (DPIA’s) for riskier or large scale activities – these provide a framework for identifying, assessing and reducing the data protection risks of your project and then identifying and evaluating the privacy solutions;
• Appoint a Data Protection Officer (DPO). 

With the majority of these requirements being mandatory for all Controllers and Processors.

Requirements placed on Data Processors and Data Controllers and now explicitly referenced:

• GDPR places obligations directly on Processors and enforcement action can be taken directly against them;
• Extensive terms need to be included in contracts between Controllers and Processors;
• Controllers have a right to audit Processors.

Informed consent:  

• Must be specific and informed;
• Must involve clear affirmative action (active opt-in);
• Consent must be as easy to withdraw as it is to give;
• You also need to be able to provide evidence that you obtained consent from specific data subjects, which may require different/better record keeping and the use of clearer language in privacy policies/notices. 

The research exemption has to be specifically introduced into national legislation by each Member State so there may be inter-country variation in the definition of research and whether it include commercial market research or not.  The research exemption means that:

• Additional grounds for processing personal data for research can be introduced; 
• Personal data that has already been collected for specified purpose or purposes can be further processed for research without that further processing breaching the GDPR

Organisations will need to review their policies and contracts, as it will be necessary to strengthen and/or design new compliance policies.  It is important to make sure that:

• Methods of obtaining consent and data breach notification are adequate;
• Only necessary personal data is collected and that it is pseudonymised or anonymised as soon as possible;
• Systems can cope technically with the new rights of data portability, the right to be forgotten, and can record objections or withdrawal;
• The supply chain all meet the new standards.

Organisations may need to appoint a Data Protection Officer (DPO), this is very likely to apply to market research agencies.  The DPO is required to act independently and report to the highest level of management - but this position can be outsourced to a competent firm or individual.

The Impact of the UK Referendum

The reforms will impact the UK as the UK will still need to have a data protection regime in place that meets EU standards of adequacy.  

Jill Spencer, Vice President MSPA Europe

Published 24 April 2017

An update has been prepared for MSPA Europe Members.  This will be placed in the members area for your ongoing reference, and further information will be provided as it becomes available.