GDPR
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018.
Organisations that monitor, store or analyse personal data face more onerous obligations under it, so it is essential to act now: failure to comply can attract significant fines.
The GDPR introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also harmonises data protection rules across the EU.
The information below has been taken from the Information Commissioner's Office (ICO) which has produced an online Guide to GDPR.
Who does the GDPR apply to?
- The GDPR applies to 'controllers' and 'processors'.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- If you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
Personal data
The GDPR applies to 'personal data', meaning any information relating to an identifiable living person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data or online identifier (for example an IP address or a cookie ID).
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
Personal data that has been pseudonymised - e.g. key-coded, where direct identifiers are replaced by codes and the coding key is held separately - can still fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual. Data that can be re-identified with the key remains personal data.
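The point in the paragraph above, that key-coded data is still personal data for anyone who holds the key, and that a pseudonym which is easy to attribute is barely a pseudonym at all, shown in working Python. This is an added example, not code or guidance from the ICO or the original page: the record layout, field names and function names are illustrative assumptions, and the sample records are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records for illustration; not real people.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "order_total": 42.50},
    {"email": "bob@example.org", "postcode": "EH1 1YZ", "order_total": 17.00},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "order_total": 9.99},
]


def make_key() -> bytes:
    """Generate the coding key. It must be stored separately from the
    pseudonymised dataset, with tighter access controls than the data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Stable per identifier (so records can still be joined), but neither
    reversible nor guessable without the key."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def weak_pseudonym(identifier: str) -> str:
    """What NOT to do: an unkeyed hash. Anyone can recompute it over a list
    of candidate identifiers and recover who each code refers to."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def guess_identity(code: str, candidates: list[str]) -> str | None:
    """Dictionary attack against an unkeyed pseudonym. Returns the matching
    candidate, or None. A keyed code never matches because the key is absent."""
    for candidate in candidates:
        if weak_pseudonym(candidate) == code:
            return candidate
    return None


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Replace the direct identifier (email) with a code. Returns the
    pseudonymised dataset and the key table (code -> identifier) that the
    controller keeps separately."""
    key_table: dict[str, str] = {}
    dataset = []
    for record in records:
        code = pseudonym(record["email"], key)
        key_table[code] = record["email"]
        dataset.append({"subject_code": code,
                        "postcode": record["postcode"],
                        "order_total": record["order_total"]})
    return dataset, key_table


def reidentify(pseudo_record: dict, key_table: dict) -> str | None:
    """With the key table the record is personal data again; without it
    (an empty or inaccessible table) this returns None."""
    return key_table.get(pseudo_record["subject_code"])


def anonymise(dataset: list[dict]) -> list[dict]:
    """Drop the code (and destroy the key table) to sever the link. Whether the
    result is truly anonymous still depends on the remaining fields: a full
    postcode can itself single out a household."""
    return [{k: v for k, v in r.items() if k != "subject_code"} for r in dataset]


if __name__ == "__main__":
    key = make_key()
    data, table = pseudonymise(RECORDS, key)
    print("pseudonymised:", data[0])
    print("re-identified with key table:", reidentify(data[0], table))
    weak = weak_pseudonym("alice@example.com")
    print("unkeyed code recovered by guessing:",
          guess_identity(weak, ["bob@example.org", "alice@example.com"]))
```

The HMAC keeps the code stable so analysts can still link a subject's orders, while the key table (not the hash) is what makes re-identification possible; the weak variant shows why a bare hash of an email address does not count as difficult to attribute.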
Sensitive personal data
Certain special categories of personal data attract extra protection under the GDPR.
Alongside the existing categories (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sex life or sexual orientation), the special categories now explicitly include genetic data, and biometric data where it is processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences is not a special category, but similar extra safeguards apply to its processing.
Gaining consent
The GDPR gives clearer guidance on consent. Consent is one of several lawful bases for processing, not a requirement for all processing; but where you rely on it, individuals must actively agree to their data being stored and used by your company. To rely on consent under the GDPR you should be able to agree with all of the statements below.
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don't use pre-ticked boxes, or any other type of consent by default.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we're going to do with it.
- We give granular options to consent to independent processing operations.
- We have named our organisation and any third party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that the individual can refuse to consent without detriment.
- We don't make consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don't penalise individuals who wish to withdraw consent.
Individuals' Rights
Individuals have rights that let them control how their personal data is used. To comply, there are eight rights you need to bear in mind, and you may need to amend your processes to deal with requests from individuals under any of them.
- The right to be informed - Individuals must be told, usually in a privacy notice, who you are, how you intend to use their personal data and on what lawful basis. This applies whatever lawful basis you rely on, not only consent.
- The right of access - Individuals can ask for confirmation that you are processing their data, a copy of that data, and information about how it is being used (a subject access request).
- The right to rectification - Individuals can request their personal data to be rectified if it is inaccurate or incomplete.
- The right to erasure - Individuals can request that their data is deleted, for example where it is no longer needed for the purpose it was collected for, or where they withdraw consent that the processing relied on.
- The right to restrict processing - Individuals can request that a business continues to store the personal data, but not further process it.
- The right to data portability - Allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object - Individuals can object to their data being used for certain processing, e.g. direct marketing, which must stop on request.
- Rights in relation to automated decision making and profiling - Provide safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Preparing for GDPR
Many of the GDPR's main concepts and principles are much the same as those in the Data Protection Act 1998 (DPA), so if you are complying properly with the current law, most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so be sure to check that you will still be compliant from 25 May 2018.
There are 12 steps you can start to take now to ensure your compliance by May 2018.
Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. For most small businesses it won't be a legal requirement to appoint a data protection officer (DPO): a DPO is mandatory only for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal conviction data. However, it may still be beneficial to allocate someone on your team who is responsible for your data obligations.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit to ask all staff how they collect and use data within the business.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically if requested.
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales (one month to respond to an individual's request rather than the current 40 days) and provide any additional information. In most cases you will no longer be able to charge the £10 fee. If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly.
Lawful basis for processing personal data
You should identify the lawful basis for each of your processing activities under the GDPR, e.g. 'consent from the individual' or 'compliance with a legal obligation'. You must document it and update your privacy notice to explain it. People will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
Children
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 Working Party, and work out how and when to carry out Data Protection Impact Assessments (DPIAs) in your organisation. A DPIA is mandatory where processing is likely to result in a high risk to individuals, for example systematic and extensive profiling, or large-scale processing of special category data.
International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
Privacy Notices
Privacy notices are used by organisations to explain at the point of data collection what users can expect will happen to their data. In order to comply with GDPR your privacy notices may need to be updated.
Under the GDPR, the information you provide about personal data processing must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
The following questions should be considered when writing a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Here's an example from the ICO guidance:
The privacy notice must be presented at the point at which data is collected.
Further Guidance
The Information Commissioner's Office (ICO) has launched a dedicated advice line to help small organisations prepare for a new data protection law.
The phone service is aimed at people running small businesses or charities and recognises the particular problems they face getting ready for the new law, called the General Data Protection Regulation (GDPR).
There are already resources on the ICO website to help organisations employing fewer than 250 people prepare for the GDPR. But the new phone line will offer additional, personal advice to small organisations that still have questions.
People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO including electronic marketing and Freedom of Information.