General Data Protection Regulation - The Time to Act
Published 16 March 2018
The time to act to make sure you are ready for the General Data Protection Regulation (the 'GDPR') (Regulation (EU) 2016/679) is now. The GDPR provides data subjects with genuine, on-going control over their personal data and requires organisations to be transparent and engage positively with data subjects about the personal data they hold. As a Regulation, it will have direct effect in the UK. It will also be supplemented by the UK Data Protection Act which is still passing through Parliament – but will be in place by 25 May 2018.
Personal Data: the starting point when considering the impact of the GDPR is to determine whether the GDPR applies to the data held. The GDPR only applies to data relating to an identified or identifiable living person, either directly or indirectly, and does not apply to corporate entities.
Organisations should then consider whether:
- the information can be retained in a way which is not attributable to a living person. This can be achieved by anonymising the personal data or by replacing direct identifiers with an irreversible unique identifier. Note that where the organisation keeps the key or lookup table that links the identifier back to the individual, the data is pseudonymised rather than anonymised and remains personal data under the GDPR.
- the personal data they hold serves a purpose and needs to be retained. Deleting unnecessary personal data will reduce the amount of data which is subject to the requirements of the GDPR.
Special categories of personal data: the processing of special categories of personal data is prohibited unless the data controller can show that explicit consent has been obtained or one of the other nine exceptions applies. Organisations should consider whether they require these categories of personal data at all, as it may be possible to elicit the information required without encroaching into these categories. It will be necessary to take a long hard look at the data that is currently held and to determine whether it is really necessary and, if it is, whether it can be anonymised. Much data is just as useful in anonymised form as it would be otherwise.
Consent: if it is necessary to process personal data, one way to ensure that this is lawful will be to obtain the consent of the data subject. It may be preferable to rely on a legal basis other than consent, as consent can be withdrawn at any time, which would prevent further processing.
Consent must be clear and unambiguous with data subjects being provided with the requisite information to make an informed decision whether to provide consent to their personal data being processed.
The implementation of the GDPR will not necessarily mean that organisations have to seek fresh consent from data subjects, if they are satisfied that the current consent they have obtained complies with the GDPR requirements and is clearly documented. However, in practice, until now, few organisations are likely to have obtained consent which meets the GDPR standards.
Data Subject Rights: the GDPR gives a data subject a number of rights including rights to request that an organisation:
- provide a copy of the personal data held about the data subject, in a commonly used electronic form;
- rectify any inaccuracies in the personal data held;
- erase the data subject's personal data; and
- restrict the processing of the personal data or stop processing it altogether.
The presumption under the GDPR is that data subjects will be afforded these rights, unless there is an exemption under the GDPR or Data Protection Act 2018 permitting the organisation to refuse the request.
Fraud prevention: the GDPR does not expressly address the use of data for fraud prevention; such use would need to be considered like any other processing purpose. This can present particular challenges where special categories of data are processed, as there is a limited number of legal grounds which can be relied upon. The Data Protection Bill, currently moving from the House of Lords to the House of Commons, provides additional legal grounds for processing which may be relevant to fraud prevention, including (i) preventing fraud (only applicable where such processing is carried out as a member of an anti-fraud organisation); (ii) insurance purposes; and (iii) preventing or detecting unlawful acts (Schedule 1, Part 2 of the Bill). It is anticipated that these grounds will, in certain circumstances, allow organisations to process personal data in order to prevent fraud.
It is important that the information to be processed is restricted to that which is necessary for fraud prevention purposes. The organisation will also need to set out in a policy document why it is processing this personal data so that it can justify its position, if challenged. It is advisable to alert users in a privacy notice that the organisation intends to share personal data with third parties to prevent and detect fraud. Organisations will need to think hard about what data should be processed for fraud detection purposes.
Preparation: while it is important to comply with the requirements of the GDPR, it is equally important that an organisation can demonstrate to the ICO, if required to do so, the processes it has in place for handling personal data. This can be achieved by ensuring that organisations have clear and easily understandable policies and privacy notices. Organisations should review their:
- data to determine whether it is personal data and if it is, whether they require the personal data in its current form or at all;
- privacy policies;
- circumstances in which they rely on consent. Where possible, a different ground should be relied upon. Where consent is needed it should be reviewed to ensure that it complies with the GDPR;
- data retention policies to ensure personal data is only held as long as necessary; and
- processes for allowing data subjects to exercise their rights.
The Data Protection Act 2018 and subsequent guidance from the ICO should help to clarify the full impact of the GDPR but organisations cannot delay preparations until the Act is implemented.
Note also that organisations will not be permitted to charge a fee for responding to an initial subject access request.