Acknowledgements

The course has been written by Amanda Kearsley, a data protection solicitor and director of law:matix.

law:matix is a specialist law firm that focuses solely on privacy, data and technology law. Further information about Amanda and law:matix can be found via http://www.lawmatix.com

What about external support?

  • you may find it helpful to speak to and share resources with other businesses in the pharmaceutical industry
  • the Information Commissioner’s website (www.ico.org.uk) has useful guidance and information
  • the official European Union website (europa.eu) has information about the existing data protection laws and details of proposed changes
  • external data protection experts can provide you with advice, drafting and training

How to ensure compliance

There are many things a controller and processor can do to ensure compliance. It is only by good compliance that the business can avoid enforcement action and reputational risk and be able to capitalise on the opportunities available to data rich organisations.

INTERNAL

  • ensure your organisation adopts a top-down culture of compliance
  • designate a suitable individual as the data protection officer or privacy officer and provide him or her with appropriate training. This will help you to co-ordinate compliance. Remember, the GDPR may impose this on your business in any event
  • have in place policies, procedures and standard documents for ensuring compliance. It will be important for these to be suited to your business and business needs, not just basic templates that are difficult to apply. Remember that data protection law is a policy-driven law, so it deals with concepts of ‘fairness’ and ‘appropriateness’
  • consider having departmental guides – not all departments use personal data for the same purposes or in the same way
  • provide training for all staff that ‘touch’ personal data. This will include induction and refresher training

Data breach reporting

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The GDPR requires certain breaches to be reported to the supervisory authority and, in some cases, to affected data subjects.

  • where the data breach is a risk to individuals it must be reported to the supervisory authority
  • where the data breach is a high risk to the rights and freedoms of individuals, the data subjects must also be notified

There are specific timescales for reporting:

  • data processors must notify the controller of a breach without undue delay after becoming aware of it
  • controllers must notify the breach to the supervisory authority without undue delay after becoming aware of it and, where feasible, within 72 hours
  • where data subjects have to be notified, this must be without undue delay

All breaches, even those that are not reportable, should be included in a breach log as part of demonstrating compliance with the accountability principle.

Subject access: practical points

The administration of a subject access request can be complex and costly and there are a number of practical considerations to bear in mind:

  • the data subject’s motives for seeking access are irrelevant
  • the data subject is not entitled to documents – he or she is only entitled to personal data. If a data controller chooses to comply by supplying documents that is the controller’s decision alone
  • if the data controller has poor retention procedures (see Principle 5), the cost of administration of a subject access request will be higher as the data controller will have more personal data to find
  • network and non-network devices and systems need to be searched, as do archives and back-up systems and those used by data processors
  • where providing access to the data subject’s personal data would necessarily involve disclosing personal data relating to another person, you may, in some cases, need the consent of that other person (unless his or her personal data can be redacted)

The cost of administering a subject access request is likely to be significant and, in most cases, you cannot charge a fee. You should, therefore, have good data management and streamlined processes to ease this burden.

Subject access: Third party information

Sometimes, you may find that providing a data subject with access to his or her personal data may involve you disclosing information relating to another individual who can be identified from it. In this situation, where you can redact (black out) the information relating to the other person without removing personal data relating to the data subject, you should do so. If you cannot, you should:

  • only provide the information relating to the other individual if you have his or her consent to the disclosure to the data subject or
  • if it is reasonable in all the circumstances to comply with the request without the consent of the other individual. This means you must consider:
    • the type of information that would be disclosed
    • any duty of confidence owed to the other individual
    • any steps taken to seek the consent of the other individual
    • whether the other individual is capable of giving consent
    • any express refusal of consent of the other individual

Subject access exemptions

There are a number of available exemptions that a data controller may choose to apply when giving access to personal data. The most common of these are:

  • where the personal data consist of an educational, training or employment reference given about the data subject by the data controller in confidence
  • where the personal data are processed for the purposes of management planning or management forecasting, to the extent that providing access would prejudice those purposes
  • where the personal data consist of records of the intentions of the data controller in relation to negotiations with the data subject, to the extent that providing access would prejudice those negotiations

Where an exemption applies only to the extent that the relevant purpose would be prejudiced, the exemption ceases to apply once the decisions have been taken or the negotiations have concluded.

The right of subject access

Each data subject is entitled to access a copy of their personal data within 1 month of receipt of a request (and to make repeat requests at reasonable intervals), in order to be aware of, and verify the lawfulness of, the processing. This includes the right to be provided with the following information (including a copy of the personal data):

  • the purposes of the processing
  • the categories of personal data concerned
  • details of those who have received or will receive the personal data
  • details of how long the personal data will be stored
  • the existence of the rights to request rectification or erasure, restriction of processing or to object to the processing
  • the right to lodge a complaint with the supervisory authority
  • details of the source of the personal data
  • the existence of any automated decision-making (including profiling) and the logic involved
  • if the data are subject to transfer outside the EU, the appropriate safeguards used to protect the data in the transfer

The GDPR specifically states that, wherever possible, the controller should provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. Systems and processes should be designed with the exercise of subject rights in mind.

Data subject rights

The GDPR affords data subjects a number of legal rights. The key ones are:

  • the right to be informed about details of the processing (this will take the form of a privacy notice)
  • the right to withdraw consent. This is an absolute right and may be exercised by the data subject at any time
  • the right to object to automated decision taking. This right is only a right to prevent a decision being taken solely by automated means (e.g. by a computer applying an algorithm). In order to address this right, you will need to have a person involved in the process e.g. as part of the confirmation of decision process or as part of an appeals process
  • the right of access to his or her personal data
  • the right of erasure. This generally applies where the data are no longer needed, or where consent to processing is withdrawn and there is no other legal basis for retention
  • the right to restrict processing. This generally applies where erasure would otherwise be used but is not appropriate
  • the right of data portability. In some limited cases, this requires a controller to transmit to another controller data provided electronically
  • the right to complain to the supervisory authority

Many of these are obvious from their description and there are exemptions for most of them. The right of access is the most complex and gives rise to difficulties for some data controllers. Let us take a closer look at this right.

Where you have a continuing legal obligation, such as in respect of pharmacovigilance, this can provide an exemption from the right to erasure but you will probably need to apply the right to restrict processing to just those things you have a legal obligation to do.

Transfers outside of the EU: derogations for specific situations

If you are unable to address the adequacy options we have looked at, you may be able to rely on one of the derogations, the key ones being where the transfer:

  • is made with the explicit consent of the data subject
  • is necessary for the performance of a contract between the data subject and the controller
  • is necessary for important reasons of public interest
  • is necessary for the establishment, exercise or defence of legal claims
  • is necessary in order to protect the vital interests (i.e. life or death) of the data subject or of other persons

Remember the rules for consent. It must be freely given, informed and specific. This requires you to inform the data subject of the purposes for the transfer and, where possible, the countries involved. If the transfer gives rise to any particular risks, then these should also be communicated to the data subject. Data subjects must be given an opportunity to make a genuine choice for their consent to be valid.