Public bodies must be wary of consent and legitimate interest issues under GDPR
Public bodies and government departments cannot rely on legitimate interest under the General Data Protection Regulation (GDPR) and may be limited in the circumstances in which consent can be used.
These assertions were made by John Keyes, assistant commissioner, investigations, Office of the Data Protection Commissioner, at the 2018 National Data Protection conference.
“It is critical that processors and controllers know what the legal bases for holding personal data is”
Keyes said that many data controllers have not engaged with how data has been collected.
It is critical that processors and controllers know what the legal bases for holding personal data is, said Keyes. As data controllers, you must not only look at your own legitimate interest, but also that of the data subject.
Gap analysis is required to examine where legislation will be necessary to comply with GDPR, said Keyes, speaking in advance of the publication of the Data Protection Bill 2018. There is, he said, significant concern that large gaps in the legal bases may arise if action is not taken shortly.
Keyes commended the Article 29 Working Party guidelines on the topics of data portability, consent, transparency, personal data breach notification, profiling and automated decision making, data protection officers, lead supervisory authority and data protection impact assessments.
The regulation, he said, seeks to increase transparency to make sure that organisations cannot hide behind impenetrable language, overly long documentation and obscure references.
Keyes highlighted that data integrity and security are among the articulated principles of data protection, set out in Article 5 of GDPR. However, recent cases of data breaches, he said, have shown that organisations often fail to take basic steps in ensuring data integrity and security.
Many people get the impression when breaches are reported, said Keyes, that they are sophisticated attacks, but in many cases, this is not true. He cited the Carphone Warehouse investigation by the UK Information Commissioner’s Office (ICO) which found that revealed that there were basic failings, such as re-used administrative passwords across servers, significantly out of date software and in some cases, was no antivirus software running on the severs.
Keyes urged organisations to read and familiarise themselves with the regulation and the data protection bill, now published.
With regard to Article 24 covering the responsibility of the data controller, Keyes said there is no one size fits all solution.
There is a facility in GDPR, he said, that allows organisations to make a risk-based implementation appropriate to them. Read this, he said, and know what is appropriate to you.
“We need to protect the data, because it is not going to protect itself,” said Keyes.
Anne Marie Bohan of Matheson, asked how harmonised data protection rules will really be across the various member states.
Bohan said that there was potential for fragmentation across a number of issues, such as the one-stop-shop procedure where the potential for multiple supervisors remains. Also, law enforcement and administrative sanctions could vary, as well as interpretations.
There are questions too, around the impact of member state laws, said Bohan, with regard to the specification of these laws, possible restrictions of same, and application across jurisdictions.
Under the one stop shop procedure, Bohan highlighted cross border processing, and activities across more than one member state and where a single establishment may substantially affect data subjects in more than one member state as instances where harmony may be threatened.
Bohan gave examples of varying approaches to GDPR implementation, such as in Germany, where the threshold for the appointment of a data protection officer (DPO) was lower and extends to an organisation with more than 10 employees concerned with automated processing.
In Austria, there are additional confidentiality privileges for DPOs, while in Denmark, data protection rights are being extended in certain cases to the deceased. In Sweden, the rights of access under GDPR do not extend to rough drafts of documents or notes.