As everyone with an email inbox can attest to, there are huge changes underway for the data protection regime in the UK with the General Data Protection Regulation (GDPR) now on our doorstep. Many of the GDPR’s main concepts and principles are not new—they are familiar from the Data Protection Act 1998 (DPA 1998). There are, however, some new elements and significant enhancements, meaning you will have to do some things for the first time and some things differently.
The challenge of complying with the GDPR should not be underestimated, nor should the consequences of failing to do so.
There is more to GDPR than sending an email asking everyone on your marketing list whether they are content to stay on your marketing list. It doesn’t just prevent you from adding that little pre-ticked opt-in box at the end of an email or form. It also affects matters such as whether or not you can google applicants for new positions and check their social media accounts, how you market to your customers/clients, and how you respond to requests for the release of personal information (not forgetting whether or not you should have retained that information in the first place).
GDPR represents a huge overhaul of the existing data protection law, which has stood since 1998. It introduces conceptual changes in the way in which data protection works, new and onerous obligations on businesses, changes in regulatory oversight and changes in liability/penalties for non-compliance for those businesses affected.
External companies offering to ‘do’ GDPR for you are proliferating. However, GDPR compliance demands a culture change within businesses in the UK, so that we start to take data protection compliance seriously, create compliant cultures from within and maintain those cultures, or face the consequences. Failure to comply with the GDPR could have serious implications for your business’s reputation, attract claims by aggrieved data subjects, and expose you to fines up to €20m or 4% of the total worldwide annual turnover of an undertaking (whichever is higher).
However, it doesn’t have to be the scary and expensive minefield which you have been hearing about. The key is preparation; having the correct systems and documentation in place is crucial. The new regime introduced by the GDPR, planning for it and compliance with it are well covered by information freely available on the ICO website. We have put together some Frequently Asked Questions for you.
Does the GDPR apply to my business?
It is virtually impossible to operate any business without handling personal data, so it’s safe to assume your business is caught by the GDPR.
What does the GDPR mean for my business?
The short version is that when the GDPR kicks in on 25 May 2018, any person or organisation that handles personal data must comply with seven core data protection principles when processing that data. They are:
- Principle 1: Lawfulness, fairness and transparency
- Principle 2: Purpose limitation
- Principle 3: Data minimisation
- Principle 4: Accuracy
- Principle 5: Storage limitation
- Principle 6: Integrity and confidentiality
- Principle 7: Accountability
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. For example, you hold personal data if you hold the following types of information: first and last name together; postal address; email address; telephone number; signature; photograph.
What does processing data mean?
Processing data means obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, using, aligning or disclosing any data or information. You cannot do any of these things with personal data simply because you want to. Every element of processing must be justified on the basis of one of six grounds set out in the GDPR — these are often called the lawful grounds for processing.
What are the lawful grounds for processing personal data?
Processing of personal data will be broadly lawful where the data subject has given their consent or if the processing is necessary:
- for the performance of a contract (if the data subject is a party);
- to comply with a legal obligation;
- to protect the vital interests of the data subject or another natural person;
- to perform a task carried out in the public interest; and/or
- for the pursuit of the legitimate interests of your business or a third party.
What should I do if I process personal data?
It is advisable to conduct an extensive data mapping exercise to establish what data you process and the legal bases for doing that processing. You should document this so you will later be able to demonstrate compliance.
What rights do the people whose information I hold have?
The people you hold information about are known as ‘data subjects’. The GDPR significantly enhances the rights which they have compared to the DPA 1998.
| Data subject right/request | Comment |
|---|---|
| To be given access to personal data held about them | The GDPR expands the mandatory categories of information which must be supplied. You must provide a copy of the personal data free of charge. |
| To have inaccuracies corrected | This pre-existing right has not significantly changed under the GDPR. However, you must now notify any third parties with whom you have shared data if the data subject requests any corrections. |
| To have information erased (the right to be forgotten) | This is a new right to have personal data erased under specific circumstances. You must implement new systems and procedures to facilitate this, and to notify affected third parties about the exercise of this right. |
| To object to direct marketing | This is an absolute right—once an individual objects, you must stop processing their data for direct marketing purposes. The main difference from the pre-GDPR regime is the need to provide information about the right, which should be reflected in privacy notices. |
| To prevent automated decision-making and profiling | The GDPR preserves the previous position, with only minor changes—the explicit consent of the data subject is a valid basis for evaluation on the basis of automated profiling. |
| To be provided with their data in an electronic and commonly used format | This is a new right (known as data portability). |
The GDPR also imposes shorter deadlines for dealing with data subject requests, i.e. one month from receipt of the request.
What if I hold information on children?
The GDPR brings with it special protections for children’s personal data, particularly in the context of commercial internet services such as social networking. If you offer goods or services to children, or collect information on children, you will need a parent or guardian’s consent and your privacy notices must be written in language that children will understand. This means that you will need to put systems in place to verify individuals’ ages and gather parental or guardian consent for the data processing activity.
Why am I getting all these emails?
The GDPR raises the bar for consent, meaning you can no longer rely on silence or opt-out consent as a lawful ground for your marketing activities, e.g. pre-ticked boxes on your website are out. Getting, recording and managing consent is more onerous under the GDPR so it is advisable to consider whether there is an alternative lawful ground under the GDPR for some or all of your marketing activities. The GDPR specifically acknowledges that legitimate interest can be used as a lawful ground for direct marketing activities, but only where you have conducted a legitimate interest assessment and concluded that your interests in engaging in the marketing activity are not outweighed by the rights and interests of data subjects.
Do I need to appoint a Data Protection Officer?
Not necessarily. It is not compulsory to appoint a Data Protection Officer (DPO). A DPO is only required where the core activities of an organisation involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data or data relating to criminal convictions and offences. However, even if not strictly required, you might wish to voluntarily appoint a DPO so that you know who is taking the lead on GDPR in your business.
We are about to start a project that involves handling a lot of personal data. Is there anything we need to do?
You must conduct a data protection impact assessment (DPIA). A DPIA is used to identify, evaluate and mitigate the potential risks and impacts that your processing activities might have on those people you hold the information on. Generally, a DPIA is conducted at the start of a project that could have data protection or privacy implications, e.g. rolling out a new HR system. DPIAs are a preventative measure—if data security risks are assessed and addressed at the start of the project, you are far less likely to need remedial action midway through or to suffer a breach.
We have messed up and processed personal data without a lawful ground for doing so. What now?
The GDPR brings in a compulsory breach notification requirement — you must report yourself to the ICO when you suffer a data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When notification is required, this must be done without undue delay and, where feasible, within 72 hours. A reasoned justification must be provided if this time frame is not met. In some cases, you must also notify the affected data subjects.
This is meant to be a summary of the implications of GDPR. It is not a statement of the law and it should not be relied on for compliance. GDPR is a particularly complex area and if you require specific advice tailored to your business, we can provide that. Please contact us for details of our packages which range from just £250 plus VAT to £2,500 plus VAT depending on the level of assistance you require.
To find out more about how we can advise you on GDPR please fill in our contact form, or phone our Truro office on 01872 241414.