Many public authorities are well on the path to readiness for the introduction of the General Data Protection Regulation on 25 May, according to Fiona Killen, a partner at Anderson Strathern specialising in data protection, who works with a team of other data protection specialists at the company advising a range of organisations on compliance with data protection law.
“We are seeing a number of public authorities who are well positioned to be ready by May,” said Killen. “They have been doing information audits, developing information asset registers, and they have been looking at their privacy notices to ensure they can comply with fair processing requirements. We have also been involved in reviewing and revising a significant number of data sharing and data processing agreements for public bodies who share data with third parties.”
One of the challenges is that, under the GDPR, public authorities can no longer rely on ‘legitimate interests’ as a legal basis for processing data where they are doing so in the performance of their public authority tasks. “So, part of the work in preparing for its introduction has been in identifying what legal basis a public authority is going to rely on for the different purposes of processing data. They need to maintain a clear audit trail of decision making in relation to their legal basis for processing.”
Staff training is a key element of being ready, she said, from public facing personnel, to legal teams, right through to board level. Public authorities are required to appoint a data protection officer under the GDPR. “In some cases, they have been able to do that based on internal expertise,” said Killen. “Others may recruit, and some authorities are looking at a shared service provision.”
Whichever way public authorities decide to achieve compliance with the GDPR, they will need to ensure responsiveness in dealing with subject access requests and in meeting other new individual rights, such as the right to erasure. The timescale for data controllers to deal with subject access requests has been reduced in most cases from 40 calendar days to just one month, and the statutory £10 charge for processing a request will be abolished.
These factors, combined with the degree of publicity around introduction of the GDPR, could result in more requests having to be dealt with by data controllers within a shorter time-period.
“It underlines the importance of data controllers doing a good information audit, having a sound asset register on what they hold, where they hold it, why they process it, and who it relates to,” said Killen. “All these things will help them comply with the enhanced rights for individuals. If you don’t know what you hold or what you are processing in relation to someone, then at the point they exercise one of their individual rights in respect of that data, it’s obviously going to be difficult to turn that round in the timescale set out.”
The requirements around fairness – telling people what is being done with their data – will add to public awareness and increase the possibility of requests.
“Where we are seeing good practice is among organisations who have grasped this as an opportunity to address how much personal data they need to hold and what they are doing with it,” said Killen. “It’s a form of housekeeping, an opportunity for good records management, the recognition that, although they hold data, it is the personal data of the individuals and what those organisations do with it could have a direct impact on those individuals.”
GDPR’s processing principles and individual rights
- According to the GDPR, personal data must be processed in accordance with the principles of lawfulness, fairness and transparency.
- Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible to those purposes.
- A data controller or a data processor must also make sure to respect
the principle of data minimisation, meaning that personal data “shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed”.
- Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation, integrity, and confidentiality have to be respected. That is, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary and must be processed in a way that ensures security of the data.
- The GDPR maintains, “often reinforces”, and further develops the rights of the individuals, including the right to information, the right to be forgotten, the right of restriction of processing, and the right to data portability.