We asked attendees at our series of GDPR Roadshows across the UK “On a scale of 1 to 10, how prepared do you feel you are for the GDPR? (10 = very ready, 1 = not ready at all)” and 61% scored 5 or lower.
As the deadline draws closer, experts at Link Market Services have explored some of the myths surrounding the coming regulation, to ensure issuers have a sound understanding of what the GDPR means for their business and their shareholders.
For more information see the ICO website at https://ico.org.uk/for-organis...
There is much in the GDPR you will recognise from the current law, but there are significant differences. Taken together, the enhanced compliance obligations and the increased sanctions under the GDPR amount to a significant change in the world of data privacy. The GDPR will introduce:
Many of the protections in place for data subjects exist under the current legislation. Whilst the right to data portability is new, the others have been strengthened under the GDPR.
Data subjects have eight rights under the GDPR:
However, remember that these rights are usually qualified and only arise if certain conditions are met. It may also be possible to refuse a request to exercise one of these rights, depending on the circumstances.
The GDPR rules on giving privacy information to data subjects are more detailed and specific than in the current legislation and place an emphasis on making privacy notices understandable and accessible.
The GDPR includes a longer and more detailed list of information that must be provided in a privacy notice. The GDPR says that the information you provide to people about how you process their personal data must be:
There is still discretion for Data Controllers to consider where the privacy information required by the GDPR should be displayed. A ‘layered’ approach may be appropriate as this would allow key privacy information to be provided immediately and have more detailed information available elsewhere for those that want it. This might consist of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information.
The UK will still be in the EU at the time of the GDPR implementation and subject to this EU regulation. After Brexit the regulation will continue to apply to organisations not based in the EU, including UK companies, that offer goods or services to individuals in the EU or monitor their behaviour. This “extra-territoriality” in the regulation means that the GDPR will still apply to UK companies after Brexit if they provide goods and services to individuals in the EU.
Also, in August 2017 the UK Government set out its intent in relation to the forthcoming Data Protection Bill that will include and implement the changes being brought about by the GDPR to update and strengthen current data protection legislation in the UK. In effect the GDPR provisions will be included in UK law so that they will still apply post-Brexit. Ireland and other jurisdictions will be updating equivalent legislation.
Obtaining clear and affirmative consent to record, use and transfer personal data is more important under the GDPR. However, there may be another lawful condition that means that specific consent is not always required.
Data Controllers and Processors who are looking to process data lawfully should be operating within one or more of the lawful conditions outlined in the GDPR. These include
For example for Link Market Services to operate share registers and administer share plans for our client Data Controllers we need to record and use data about shareholders and share plan participants when shares are bought, sold or transferred. Consent for these activities may not have been specifically sought. However, these activities are necessary and usually fall within the categories of lawful processing above – legal obligation, performance of a contract, or legitimate interest.
Legitimate interest is the most flexible lawful basis for data processing, but you cannot assume it will always be the most appropriate.
It may be appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
There are three elements to the legitimate interests basis which you should consider:
• identify a legitimate interest;
• show that the processing is necessary to achieve it; and
• balance it against the individual’s interests, rights and freedoms.
Not necessarily. If you obtained consent in the past for data processing or to issue marketing material to an individual this will continue to be valid in most cases. It may be worth reviewing the terms of such consents to ensure that they comply with the GDPR.
It is also worth noting that another lawful processing basis might be more suitable than consent, given the ability for data subjects to withdraw consent at any time.
Under the GDPR individuals do have a ‘right to be forgotten’ or ‘right of erasure’ and can request the deletion or removal of personal data where there is no good reason for processing to continue. However, the GDPR also sets out grounds for refusing a request to remove personal data.
One of the grounds for refusing to delete personal data is that it is being held to comply with a legal obligation. For example in our industry once a shareholder has ceased to hold shares in a company they may think that their personal data should be removed from the register records. However, there is a legal obligation under the Companies Act 2006 (s.121) that a register entry may only be removed from the register after 10 years has elapsed since the shareholder ceased to be member.
SARs have been part of the data protection regime for some time. However, there are changes under the GDPR which may make compliance with any SARs more onerous. The current statutory limit of 40 days to comply with a request will be changed to a response being provided ‘without undue delay’ and at the latest within one month of receiving the request. The timescales can be extended by another two months if the request is complex or there are numerous requests.
Other changes to SARs include
No – there are some major changes. Currently, Data Controllers have statutory obligations and can be held to account under the law by the ICO when data handling goes wrong. Data Processors have contractual obligations to the Data Controllers that have appointed them but processors have no direct statutory compliance obligations.
Under the GDPR, Data Processors will be liable for many more of the activities they undertake on behalf of Data Controllers. In this sense, processors will have ‘liability parity’ with controllers for the correct handling and protection of personal data.
Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
Processors must only act on the documented instructions of a controller. They will have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they do not comply.
Whilst the GDPR is an evolution of current data protection legislation, there are some very specific changes and more onerous requirements and enforcement which will mean that all contracts between Data Controllers and Data Processors should be reviewed. There is a high probability that these contracts will need some changes.
The GDPR makes written contracts between controllers and processors a general requirement and these contracts must now include certain specific terms, as a minimum. Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.
Contracts must also require the processor to take certain actions including that they should:
In addition to its contractual obligations to the controller, under the GDPR a processor also has direct responsibilities including:
If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
If a processor uses a sub-processor then it will, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations.
Some organisations are already required to notify the supervisory authority when they suffer a personal data breach. The GDPR extends this requirement to all Data Controllers in relation to certain thresholds of data breaches, and also requires individuals to be notified in some cases.
A notification must be given to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, if the breach is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected individuals must also be notified without undue delay.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
The legislation does give some discretion for controllers to decide not to notify a breach to the supervisory authority, if the organisation concludes that the breach is unlikely to result in a risk to the rights and freedoms of individuals. However, Data Controllers could run the risk of an administrative fine of up to €10 million or 2% of global turnover if it turns out a notification should have been made, in addition to a fine for the breach itself. If you use a Data Processor, and this processor suffers a breach, then it must inform you without undue delay as soon as it becomes aware.
Under the GDPR, the supervisory authority (the ICO in the UK) has greater fines and enforcement powers to sanction those who do not abide by the regulation.
In addition to the power to impose fines for breaches of the GDPR requirements, the ICO will have investigative powers – the ability to request information, carry out data protection audits and access premises. They will also be able to issue warnings and reprimands, have the power to order compliance and to suspend or limit processing or data flows.
In terms of the system of fines, this will be a two-tier fine system to be applied depending on the nature of the breach or failure by the processor or controller. Tier-one infringements are subject to administrative fines of up to €10 million or in the case of an undertaking, up to 2% of the worldwide annual turnover (whichever is higher).