Tag Archives: Data Controllers

New Data Protection Fees

The draft Data Protection (Charges and Information) Regulations 2018 have now been laid before Parliament by the UK Government; it is intended that they will enter into force on 25th May 2018.  The Regulations will introduce the new charging regime that is to replace “notification fees”, once the requirement upon data controllers to notify the Information Commissioner of their processing of personal data.

As expected, the fees will move from the current two-tier structure to a three-tier structure; however, the fee amounts are different to what was proposed in the consultation last year.  The tiers are as follows:

Tier 1
Data controllers who fall into tier 1 will pay an annual fee of £40 to the Information Commissioner.  You fall into this fist tier if you have a turnover of less than or equal to £632,000 for your financial year, or you have no more than 10 members of staff.  Charities also fall into this category as do small occupational pension providers.

Tier 2
Data controllers who fall into tier 2 will pay an annual fee of £60 to the Information Commissioner.  You will fall into this tier if you do not fall into tier 1 and have a turnover less than or equal to £36m for your financial year, or have no more than 250 members of staff.

Tier 3
Data controllers who fall into tier 3 will pay an annual fee of £2,900 to the Information Commissioner.  All non-exempt data controllers who do not fall into the first two tiers will fall into tier three.  The Commissioner has indicated that they will assume that every data controller falls into tier 3 unless they prove the contrary.

These fees do represent a shift from the levels that were consulted on last year.  In particular the top-tier fee that was suggested in October was £1,000 but has now become £2,900.  Data controllers can save themselves a bit of money (a grand total of £5) by paying their annual fees by Direct Debit.

The fees structure that was consulted on had suggested that there would be a premium to be paid by any data controller that also carried out direct marketing activities by electronic means; however, that hasn’t been given effect to in the draft Regulations that have been laid before Parliament,

In terms of working out how many members of staff you have for the purposes of these regulations you can’t just count the number of employees you have.  A member of staff, for the purposes of the Regulations, is: (i) an employee; (ii) a worker, within the meaning of s.296 of the Trade Union and Labour Relations (Consolidation) Act 1992; (iii) an office holder; or (iv) a partner.  Part-time members of staff are counted as one member for these purposes.  To calculate the members of staff you need to work out how many members of staff you employed each month in your last financial year, add together the monthly totals and then divide it by the number of months in your last financial year.  Even members of staff who work outside of the United Kingdom (and, indeed, the European Union) need to be counted.

You do not need to work out how many members of staff you have if you are a charity or if you are a small occupational pension scheme.  Public authorities are required to ignore those reference to turnover and are required only to determine how many members of staff that they have.

If you are processing personal data solely for one of the following eight purposes, you do not need to pay a fee to the Information Commissioner:

  1. Staff Administration;
  2. Advertising, marketing or public relations,
  3. Accounts and records,
  4. Not-for-profit purposes
  5. Personal, family or household affairs
  6. Maintaining a public register
  7. Judicial functions
  8. Processing personal information without an automated system such as a computer

To be able to rely upon this exemption your processing must be solely for one or more of the above noted purposes.  If your processing is for one of those activities in addition to another activity then you will need to pay the fee at the appropriate tier.

In order to ensure that data controllers are paying the correct level of fee, the draft Regulations have provision within them for data controllers to supply various pieces of information to the Information Commissioner; this information fits around establishing which, if any, of the three tiers the controller falls into.

There are a couple of final things to note.  The first is that if you pay a notification fee prior to 25th May 2018 then you will not be required to pay the new fees until that notification has expired.  Therefore, if you are due to notify the ICO under the Data Protection Act 1998 on or before 24th May 2018 you will not be required to pay the new fees until next year.  The final thing to note is that these Regulations are only in draft form; they are still subject to parliamentary approval and could be amended.  However, this blog post reflects the position as contained within the draft Regulations.  Large organisations should, however, be planning to pay significantly more to the Information Commissioner than the £500 they have been paying until now.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, including the GDPR, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

GDPR: Do I need consent?

The General Data Protection Regulation becomes applicable in the United Kingdom later this year, the 25th May to be precise.  There is a lot of information out there on the GDPR; some of which is incorrect.  Relying upon incorrect information could cause data controllers and processors unnecessary headaches.

In this blog post I am going to focus on just one aspect of the GDPR, upon which there seems to still be a large amount of misinformation floating around.  It is an issue of such fundamental importance that getting it wrong will inevitably lead to headaches and crises in businesses and other organisations that simply do not need to exist:  that aspect is consent.

It is not difficult to find information on the internet selling the idea that the GDPR requires the consent of data subjects before a data controller can process personal data.  It should be obvious, but in case it is not, that is completely false.  Article 6 of the GDPR sets out six grounds which make the processing of personal data lawful under the GDPR; one of those six grounds is indeed consent, but it therefore follows that there are five other grounds of lawful processing which do not require the consent of the data subject.

It is important to understand Article 6 to ensure that your GDPR preparations are on the right track; one of the first things that any data controller who is preparing for the GDPR needs to establish is upon what basis they are processing the personal data.  If a data controller goes off in the wrong direction by assuming that consent is always required then they’re going to hit a problem:  what if a data subject refuses you consent, or withdraws consent which was previously given, to process personal data where you have a statutory obligation or some other compelling business need to process it?  You’re still going to have to process that personal data, but having asked the data subject for their consent you have given them a false impression.  One of the most fundamental aspects of the GDPR is fairness:  giving a data subject a false impression on the need for consent cannot be considered to be fair.  In short, if you need to process personal data irrespective of whether the data subject has given their consent; then consent is not the appropriate Article 6 ground to rely upon.

As noted above, there are a total of six grounds in Article 6 of the GDPR which make the processing lawful.  The grounds in Article 6 are (and note they do not appear in any special order of importance):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation to which the controller is subject
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Picking the right Article 6 grounds to legitimise your processing is vital; it feeds into so many other aspects of data protection compliance (such as your privacy notice).  Consent should only become a consideration where none of the other grounds of lawful processing in Article 6 apply.  Where some may be becoming confused with regards to consent is the requirement to be transparent with data subjects.  You have to tell data subjects clearly, and in easy to understand language, what personal data you are processing about them, how it is being processed and why you are processing it.  This is not the same as gaining their consent and should not be confused as such.

Alistair Sloan

If you require advice and assistance with any aspect of getting prepared for the GDPR, or any other Privacy and Data Protection law matter then contact us on 0345 450 0123 or you can send Alistair Sloan and E-mail.

Data Protection Officers under the GDPR

Many data controllers already have people within their organisation who are referred to as “Data Protection Officers”.  Currently, people with the job title of “Data Protection Officer” can be senior members of staff, or (more often) quite junior members of staff, and their job roles can vary quite considerably from organisation to organisation.  Under the current data protection framework within the UK there is no formal concept of a Data Protection Officer, but that will all change in May 2018 when the General Data Protection Regulation becomes applicable.

The Data Protection Officer

The Data Protection Officer, or DPO, is a specific concept within the GDPR.  All public bodies will be required to appoint a DPO (with one exception, on which see further on) as will many private sector organisations.  The DPO is a key person within the new data protection framework and organisations should avoid giving people who are not a DPO within the context of the GDPR job titles which could be misleading.

The DPO should operate at a senior level and be able to feed into the highest level of the organisation.  The DPO should be a person with expert knowledge of data protection law and practices and should assist the controller or processor to monitor internal compliance with the GDPR.  The DPO can be a full-time or part-time member of staff, but can also be provided by a third party in terms of a service contract.

Where a DPO has been appointed, the data controller is required to publish the name and contact details for their DPO.

When does a Data Protection Officer require to be appointed?

All public authorities, regardless of size, (and with the exception of courts acting in their judicial capacity) will be required to appoint a DPO under the GDPR.  The GDPR does not define what is meant by “public authority or body” and this will largely be left up to national laws to determine.  It would be fair to say that in the UK any organisation that is deemed to be a public authority for the purposes of the Freedom of Information Act 2000 or a Scottish public authority for the purposes of the Freedom of Information (Scotland) Act 2002 will be considered as a public authority or body.

It is also probable that private companies who carry out functions of a public administrative nature will also be considered as a public authority or body and so the definition of public authority for the purposes of the Environmental Information Regulations 2004 and the Environmental Information (Scotland) Regulations 2004 should also be considered.

As already noted, the requirement to appoint a DPO is not simply confined to public authorities; private sector organisations will also be required to appoint a DPO if they meet certain criteria.  Private sector organisations (whether they are a data controller or a data processor – references to data controller in this blog post should be taken to include data processors) will need to appoint a DPO where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.

Finally, any data controller whose core activities consist of processing, on a large scale (which is yet to be properly defined), special categories of data or personal data relating to criminal convictions and  offences.  Special categories of personal data broadly corresponds with what the Data Protection Act 1998 describes as “sensitive personal data”, which includes personal data such as race, religion, political beliefs, health data etc.

What this means is that there is likely to be a requirement on a large number of private sector organisations to appoint a DPO.

The tasks of the Data Protection Officer

The GDPR sets out various tasks that Data Protection Officers will be required to carry out; these are:

  • to inform and advise the controller or the processor and the employees who are
    processing personal data of their obligations pursuant to the GDPR;
  • to monitor compliance with the GDPR, including the assignment of responsibilities, awareness- raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
  • to co-operate with the Information Commissioner as the supervisory authority
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data

Data Protection Officers must be able to carry out their functions independently and must also be given sufficient resources to enable to them fulfill their obligations (for larger organisations, this is may include, for example, having a staff to assist them).  The requirement for them to conduct their responsibilities independently means that they should not be subject to direction on the performance of their responsibilities by anyone in the organisation and should not be treated unfairly for discharging their duties (e.g. they shouldn’t be side-lined or dismissed if they give an opinion that isn’t appreciated).

There is no obligation within the GDPR for an organisation to do what their DPO advises them to do; however, the accountability principle in the GDPR will mean that the ICO will likely want an explanation as to why an organisation has gone against the advice of their DPO if that is what they decide to do.

It is for each data controller and processor to decide whether or not they require to appoint a DPO; however, the accountability principle of the GDPR will mean that organisations who have decided they do not require a DPO should be able to demonstrate how and why they came to that decision. Organisations that are not required to appoint a DPO under the GDPR can still appoint one if they wish, but persons who are “electively” appointed as a DPO will be viewed in exactly the same way as those whose appointment is mandatory.

Core Activities

What constitutes and organisation’s core activities is not specifically defined within the GDPR.  However, Recital 97 of the GDPR states that in the private sector, the “primary activities [of the controller] and do not relate to the processing of personal data as ancillary activities”.  The Recital is not part of the law, but is a tool which assists with the inetrpretation of the law.  Oragnisations will need to be clear as to what their “primary activities” are in order to be able to work out whether processing personal data is one of their “core activities”.

The Article 29 Woking Party, in its Guidelines on Data Protection Officers expresses it in the following way:

“Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms as inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.

On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

Large Scale Processing

As noted above, the GDPR does not define what is meant by large scale processing activities.  In its guidelines on Data Protection Officer, the Article 29 Working Party has suggested four factors which should be taken into consideration when decideing whether processing is taking place on a large scale.  Those factors are:

  1. the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
  2. the volume of data and/or the range of different data items being processed;
  3. the duration, or permanence, of the data processing activity;
  4. the geographical extent of the processing activity

As the phrase remains underfined within the GDPR it is a matter that will require a level of judicial interpretation.  No doubt the domestic courts will be asked to grapple with the concept of large-scale processing at somepoint; as will the Court of Justice of the European Union (although, what impact a decision of the court will have in the UK given Brexit is a matter that remains to be seen).

Penalties

A failure to appoint a DPO where one is required is a matter which can attarct an administrative fine; in this case the maximum is €10m or 2% of global turnover (which ever is greater).  I have covered administrative fines in more detail in another blog post.  Articles 38 and 39 of the GDPR, which relate to the position of the DPO and their tasks, are also subject to the administartive fine provisions; again with the maximum being €10m or 2% of global turnover (whichever is greater).

Alistair Sloan

If you would like advice on Data Protection Officers under the GDPR, or on any other matter relating to data protection/privacy or Freedom of Information, then you can contact Alistair Sloan on 0345 450 0123, by completing the contact form on this blog, or you can send him an E-mail directly.