This is a slightly modified version of a presentation that I gave to fellow lawyers last week. It explains what GDPR is, the policy of data protection and the evolution of data protection legislation from the OECD Guidelines and Council of Europe Convention to the GDPR. It explores the regulation focusing on the data protection principles and, in particular, the lawfulness requirement and the validity of consent. The presentation mentions the Law Enforcement Data Protection Directive, the Data Protection Bill and the arrangements post-Brexit. Finally, it considers the preparations recommended by the Information Commissioner for small businesses.
2. Topics to be discussed
● What is the GDPR?
● What is data protection?
● Why we need data protection legislation
● Data Protection Principles
● Lawfulness of processing
● Consent to processing
● Law Enforcement Data Protection Directive
● Data Protection and Brexit
● Data Protection Bill
● Basic Preparation for Small Businesses
3. What is the GDPR?
● “General Data Protection Regulation”.
● Regulation (EU) 2016/679 of the European Parliament and Council of 27 April
2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing
Directive 95/46/EC.
● Directive 95/46/EC is the present source of law
● GDPR will supersede the Data Protection Act 1998 from 25 May
4. What is Data Protection?
● Data protection is a set of rules for processing personal data.
● “Personal data” means any information relating to an identified or identifiable
natural person (art 4 (1) GDPR)
● “Processing” means any operation or set of operations which is performed on
personal data or on sets of personal data (art 4 (2) GDPR).
● It includes collection, collation, storage and transmission.
5. Why we need Data Protection Legislation?
● Younger report on privacy identified computers as a potential threat to privacy
in 1972
● Lindop recommended legislation to regulate this threat in a further report
● Sweden enacted the first data protection law in 1973
● Swedish data protection law banned export of data to the UK
● OECD Guidelines on Transborder Data Flow in 1980
● Council of Europe Data Protection Convention in 1981
6. Structure of GDPR
The Regulation consists of 173 recitals and 99 articles divided into the following
chapters and sections:
● Chapter I: General Provisions
● Chapter II: Principles
● Chapter III: Rights of Data Subjects
○ §1 - Transparency and modalities
○ §2 - Information and access to personal data
○ §3 - Rectification and erasure
○ §4 - Right to object and automated decision making
○ §5 - Restrictions
7. Structure of GDPR
● Chapter IV: Controller and Processor
○ §1 - General Obligations
○ §2 - Security of Personal Data
○ §3 - Data Protection Impact Assessment and Prior Consultation
○ §4 - Data Protection Officer
○ §5 - Codes of Conduct and Certification
● Chapter V: Transfers of Data to Third Countries and International
Organizations
● Chapter VI: Independent Supervisory Authorities
○ Independent Status
○ Competence, Tasks and Powers
8. Structure of GDPR
● Chapter VII: Cooperation and Consistency
○ §1 - Cooperation
○ §2 - Consistency
○ §3 - European Data Protection Board
● Chapter VIII: Remedies, Liabilities and Penalties
● Chapter IX: Provisions Relating to Specific Processing
● Chapter X: Delegated Acts and Implementing Acts
● Chapter XI: Final Provisions
9. Data Protection Principles
Art 5 of GDPR requires personal data to be:
● (a) processed lawfully, fairly and in a transparent manner in relation to the
data subject (‘lawfulness, fairness and transparency’);
● (b) collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes; …
(‘purpose limitation’);
10. Data Protection Principles
● (c) adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed (‘data minimization’);
● (d) accurate and, where necessary, kept up to date; every reasonable step
must be taken to ensure that personal data that are inaccurate, having regard
to the purposes for which they are processed, are erased or rectified without
delay (‘accuracy’);
11. Data Protection Principles
● (e) kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed;
… (‘storage limitation’);
12. Data Protection Principles
● (f) processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical or
organisational measures (‘integrity and confidentiality’).
Art 5 (2) provides: “The controller shall be responsible for, and be able to
demonstrate compliance with, paragraph 1 (‘accountability’).”
13. Lawfulness, Fairness and Transparency
● Art 6 (1) provides 6 grounds upon which data controllers can justify their
processing of personal data.
● One of those grounds is that the data subject has given his or her consent to
the processing of his or her personal data for one or more specific purposes
(art 6 (1) (a)).
● Data controllers tend to rely on that ground because it is easy
to prove compliance.
● That is important because art 5(2) requires data controllers
not only to comply with the data protection principles but to
demonstrate compliance.
14. Consent to Processing
● By definition, consent must be freely given, specific, informed and
unambiguous (see art 4 (11) GDPR).
● Art 7 sets out the conditions for consent which must be complied with if it is to
be binding.
● Consent need not be in writing but it probably must be recorded if it is to be
binding.
● Para 171 of the recitals makes clear that consent obtained under
existing law is effective so long as it meets the conditions of
art 7.
15. Consent to Processing
● Consent can be obtained on a form that includes other matter but the
provision relating to consent must be clear and cover all the purposes for
which consent is required.
● Data subjects must be informed of their right to withdraw consent at any time
and withdrawing consent should be as easy as giving it.
● If the data controller and data subject have unequal bargaining
power the controller should not use (or give the impression of
using) his leverage to extract consent.
● Parental consent is required for data subjects aged 16 or less.
16. Law Enforcement Data Protection Directive
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of
personal data by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution of
criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA
Art 63 (1) requires it to be implemented by 6 May 2018.
17. Data Protection and Brexit
Art 50 (3) Treaty on European Union:
“The Treaties shall cease to apply to the State in question from the date of entry
into force of the withdrawal agreement or, failing that, two years after the
notification referred to in paragraph 2, unless the European Council, in agreement
with the Member State concerned, unanimously decides to extend this period.”
18. Data Protection and Brexit
Art 67 Draft Withdrawal Agreement:
“Union law on the protection of personal data shall apply in the United Kingdom in
respect of the processing of personal data of data subjects outside the United
Kingdom, provided that the personal data:
(a) were processed in accordance with Union law in the United Kingdom before
the end of the transition period; or
(b) are processed in the United Kingdom after the end of the transition period on
the basis of this Agreement.”
19. Data Protection Bill
● Makes consequential provision for the GDPR
● Repeals the Data Protection Act 1998
● Implements the Data Protection Law Enforcement Directive
● Preserves the GDPR after 29 March 2019 or 31 Dec 2020 if a transition
period after 29 March 2019 is agreed
● Passed the Lords and is now in committee in the Commons
20. Basic Preparation for Small Businesses
The Information Commissioner published on 12 March 2018 “Getting ready for the new
UK data protection law: Eight practical steps for micro business owners and sole
traders”
● “Know the law is changing – which you now do, so that’s one thing you’ve
done already!
● Make sure you have a record of the personal data you hold and
why.
21. Basic Preparation for Small Businesses
● Identify why you have personal data and how you use it.
● Have a plan in case people ask about their rights regarding the personal
information you hold about them.
● Ask yourself: before I collect their data, do I clearly tell people why I need it
and how I will use it?
22. Basic Preparation for Small Businesses
● Check your security. This can include locking filing cabinets and password
protecting any of your devices and cloud storage that hold your staff or
customers’ personal data.
● Develop a process to make sure you know what to do if you breach data
protection rules.
● Don’t panic: we’re here to help …”
23. Further Information
● Office of the Information Commissioner (https://ico.org.uk/)
● Jane Lambert Another Data Protection Act! "You're joking! Not another one!" -
A Short History of Data Protection Legislation in the UK 23 Sept 2017
(www.nipclaw.com)
● NIPC Data Protection Blog (http://nipcdp.blogspot.co.uk)
Links to existing legislation, GDPR and Directive, Data
Protection Bill, Commission, Department for Culture, Media and
Sport and Information Commissioner’s Office
24. Any Questions?
Jane Lambert
4-5 Gray’s Inn Square
London
WC1R 5AH
Tel 020 7404 5252
Mob 07966 373922
E jlambert@4-5.co.uk
www.nipclaw.com