As is the case for data processors, data controllers will also find themselves subject to more stringent rules under the new EU General Data Protection Regulation (GDPR), which is due to come into force in May 2018.

Just to brush up on the data protection lingo, the term "data controller" is used to describe any entity that determines the purposes and manner of data processing. This captures a huge number of organisations and companies operating in the United Kingdom – most businesses will be data controllers because of the customer and employee personal data they hold and collect. Most data controllers should be registered with the Information Commissioner's Office (ICO) so if the above has set off any alarm bells, we'd encourage you to pay a visit to the ICO website post-haste. They also have a very useful online tool that you can use to self-assess whether your organisation needs to be registered or not.

Under the current law, data controllers have had to bear the brunt of data protection compliance. It's the controllers who have had to evidence compliance with the legal requirements, make sure that processors maintain adequate organisational security measures and ultimately deal with the consequences where the ICO has ruled that any processing activities have fallen short of the requirements under the Data Protection Act. We recently wrote about the increased duties of data processors, which mean that processors will have separate liabilities under the GDPR, but data controllers will also find themselves subject to more stringent rules under the new regime.

Under the GDPR, the duties of data controllers are described in more detail than previously. The most noteworthy developments include:

  • the general requirement for greater transparency towards the data subjects all the way from the content of privacy notices to the manner of processing itself, such as being more forthcoming about the rights of data subjects;
  • increased requirements for consent to data processing, particularly in relation to data of a sensitive nature;
  • being more mindful of the age of the data subject and potentially obtaining consent to the processing of a child's data from an adult, particularly where a child's personal information is being processed for the purposes of providing information society services (such as social media accounts) directly to the child;
  • tighter timelines to respond to data subject access requests;
  • carrying out privacy impact assessments and appointing data protection officers;
  • notifying data breaches to the ICO and also to individuals in the case of severe breaches;
  • complying with the new rights that individuals have under the GDPR, including the right to be forgotten, the right to restricted processing, the right to data portability and the right to object to automated decision-making and profiling;
  • the obligation to pseudonymise or encrypt personal data as an additional security measure in certain circumstances; and
  • maintaining records of data processing activities, such as the purposes of the processing and details of third parties to whom the data has been or will be disclosed (although, thankfully for data controllers, the requirement to register their data processing activities with the ICO will disappear).

Looking at the above list, data controllers will be affected by the majority of the changes implemented by the GDPR in one way or another. We will discuss most of these topics further in future blog posts.

Data protection policy

What should be flagged up, though, is the requirement to implement a data protection policy, where this is proportionate to the controller's data processing activities. This is part of the overarching requirement to ensure that the data controller's technical and organisational measures are on par with the extent and risks of the relevant data processing activities as well as the rights and freedoms of individuals. For example, where data processing activities are extensive, a data protection policy should be put in place (and of course enforced) to ensure the processing will be considered lawful under GDPR.

A data protection policy helps to ensure that your employees are aware of the requirements you are faced with as a data controller and will provide practical tips (such as dos and don'ts) when it comes to their daily tasks. A data protection policy can also be incorporated into your agreements with data processors to ensure they are required to comply with the same standards that apply within your organisation.

© MacRoberts 2016

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.