Act now to comply with GDPR
The General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 on 25th May 2018. Businesses should prepare themselves for the May 2018 deadline by mapping data flows and planning for the changes required to comply with the new GDPR regime. Whilst the GDPR builds on the existing framework for data protection, it introduces many new obligations on both data controllers and data processors, including direct liability for processors.
Businesses cannot ignore the requirements of the new legislation. Steps need to be taken to ensure compliance by the 25th May 2018 deadline.
The Information Commissioner’s Office (ICO) has issued guidance on the GDPR, including a 12-step checklist to assist organisations in their preparations for the introduction of GDPR, which you may find useful.
Over the next few months, we will be breaking GDPR down into bite size chunks, which we hope will be helpful.
However, in this article, we will outline GDPR and what it means for you and your business. The GDPR will replace the current Data Protection Act 1998 (DPA). Human rights laws of the 1940s and 1950s were designed to “protect human rights and fundamental freedoms”, and the Data Protection Directive 1995 was designed for harmonisation. Everyone has the right to protection of personal data concerning them. There are many reasons why the GDPR has been introduced now, mainly the growth of the internet and the use of social media, as well as the growth of online and telephone marketing and advertising. The DPA is 20 years out of date and needs to be updated; it also lacks cohesion across Europe, and better control and improved rights are needed for individuals in protecting their personal data.
What is personal data? Personal data is “any information relating to an identified or identifiable natural person”. A person is identified or identifiable if that information alone, or two or more pieces of held information taken together, can identify a natural person – in other words, anything that allows you to identify an individual. Examples of personal data are:
- Personal details (name; address; date of birth; gender; marital status);
- Online identifiers (IP addresses and cookie identifiers);
- Family and lifestyle details; medical details (including biometric data);
- Qualifications and educational details (CVs);
- HR records and work history;
- Financial details (bank account numbers, salary).
What is processing? Processing is the obtaining, recording or holding of data, or carrying out any operation on data, including anything that is done electronically on a computer by automated means. Processing also includes non-computer based storage, such as personnel files. In a nutshell, it is the cradle to the grave principle – everything from initial collection, storage, retrieval, modification and disclosure to erasure and/or destruction.
Data controllers and Data processors – A Data Controller is an individual in your organisation who decides to collect personal data and decides on the legal basis for processing that data. The data controller will determine what is collected – what to collect; from whom; about what. The data controller also decides why the data is collected – the purpose for which the data will be used, including whether this will be shared with others and, if so, with whom. The data controller will also decide how long the data should be kept – the days of keeping data indefinitely are gone!
Any organisation with a statutory obligation to process data will be a controller – all businesses with employees will process data! In bigger organisations, there may be more than one data controller, and joint controllers who will both have control over the data.
Data Processors are individuals who process the data on behalf of the data controller, whether this is through IT systems or other methods of collecting data. Data processors will decide how to store the data and maintain security measures to protect that data. Data processors should have a means of transferring personal data back to the data controller; a means of retrieving data; a means of ensuring that any retention schedule is adhered to; and a means of deleting or disposing of data.
The relationship between the data controller and the data processor is key because if the relationship is complex, this can make it difficult to get the balance right. Too often processors will be acting as controllers and vice-versa. It is vital to get it right and it is essential to ensure that the two are distinct. The Data controller will ultimately have most control but the processor may have a higher level of control over the technical aspects of delivery.
Legal basis for processing personal data
There must be a legal reason for processing personal data, whether it is under a contract or for contact purposes. Different statutory requirements will apply. In both cases, there must be a legitimate interest for processing the data and, in circumstances where sensitive data is being processed, additional conditions will apply under which you will require explicit consent. Consent is the biggest area of change.
Data Protection Principles
There are six basic principles to GDPR –
- Lawfulness, fairness and transparency – be clear about how the data will be used
- Purpose limitation – ensure the data will be used for the agreed purposes
- Security, integrity and confidentiality – prevent unauthorised use or loss of data
- Data minimisation – limit the use of data for the purpose for which it was obtained
- Storage limitation – ensure that the data is stored securely and not indefinitely
- Accuracy – ensure the data is accurate
Looking at these principles in turn:
Lawfulness, fairness and transparency
When you are processing personal data, you should be considering whether your use of the personal data is fair to the individual. In deciding this, you should consider the balance between the individual’s interests and yours – you should not be putting your interests above those of the individual. Even where you satisfy one of the legal conditions for processing data, the data must still be processed fairly and in a transparent manner.
If you are processing sensitive data, you must ensure that you take extra care in doing so – sensitive data relates to race or ethnic origin; religious or philosophical beliefs; sexual life or orientation; trade union membership; political opinions; health (including mental health); genetic and biometric data.
You can only process sensitive data when you have explicit consent to do so; if it is necessary for employment or social security; for the protection of vital interests; if the data has already been made public by the individual; if it is necessary in any legal action; if it is in the public interest; for medical diagnosis or treatment; if it is in the interest of public health; or for historical, scientific or statistical purposes. Again, sensitive data must be processed in a lawful manner, fairly and with clear transparency.
Obtaining consent is one of the biggest changes in data protection. Consent must be given freely and for a specific reason or purpose. The individual giving consent must be informed of what they are consenting to and how their data will be used. The consent must be a positive opt-in (not an opt-out). It is really important that when consent is given, it is given freely. It mustn’t be bundled together with other conditions. If third parties are going to be used, they must be identified. Any form of consent must be clearly documented through consent management. Individuals must be able to freely and easily withdraw their consent at any time (either permanently or for a period of time).
Transparency can be achieved by ensuring that you have a well drafted privacy statement which includes a clear explanation of who you are and the reasons for processing personal data. The statement should identify the legal basis upon which you are processing the data – if you are relying on legitimate interests, you should explain what they are. If you are going to be sharing the data with third parties, you should identify who those parties are and explain why you will be sharing the data. If you have a data protection officer, you should disclose their details. It is essential that you set out details of your retention practices and the criteria for retaining the data. You should always confirm the individual’s rights (see below). The statement should also confirm the individual’s right to complain to the ICO. If the data is processed through automated decisions and profiling, this should be disclosed.
Be clear on how the data will be used.
You should only use the data for the agreed purpose, and the individual should be informed of the reasons for the use of the data. Don’t use the data for anything other than the reasons you have stated. If you are going to use the data for another purpose, you must notify the individual and obtain their consent.
Only collect data appropriate for the purpose for which it is needed. The data must be relevant, and collecting it must make sense for that particular purpose. You should only collect the data you actually need (not the data that would be “nice to have”). The data should be sufficient (and not excessive) for the purpose.
In a nutshell, only do with the personal data what you said you would do and nothing else!
Security and integrity
You should take all reasonable steps (appropriate to your business and technical means) to ensure that the data you process is protected. Data should only be accessed by those who are authorised to access it and all reasonable steps should also be taken to prevent unauthorised access to the personal data. Furthermore, all reasonable steps should be taken to prevent the loss of any personal data.
Don’t keep any personal data for longer than is necessary, unless it is in the public interest or used for statistical or historical research purposes, and only permit access to the data to those who need it for the purpose for which you have it. If you don’t need it, don’t keep it.
If you are processing personal data, every reasonable step must be taken to ensure that it is accurate. All data must be up to date if you are processing it. You must be able to erase or amend any incorrect data (including any data held by a third party).
Under the GDPR, individuals have been given greater rights in relation to their personal data and how and why it is processed; namely, the right to be informed; the right of access; the right to rectification; the right to erasure (the right to be forgotten); the right to restrict further processing; the right to data portability; the right to object; and rights in relation to automated decision making.
Privacy notices and fair processing policies in relation to individuals’ rights should be concise, transparent and written in language that a child could understand. The privacy statement should be provided at the point of need (in other words, you can’t give a blanket privacy statement; it must be specific).
Individuals have the right to access any data that you may hold on them. When a Subject Access Request is received, you must confirm what data is held and allow the individual to have access to all of that data. You can no longer charge a fee, and there is a stricter timeframe within which to respond. Businesses must have a documented process for responding to Subject Access Requests.
Individuals can request that any information that is held be rectified, whether it is incomplete or inaccurate. Rectifying any incomplete or inaccurate information must be carried out without undue delay. Once the data has been rectified, you should notify the individual. Don’t forget that if the personal data has been shared with a third party, they too must rectify the incomplete or inaccurate information.
Individuals have the right to be forgotten (the right to erasure). This may be used when the data is no longer needed for the purpose for which it was collected; or when consent has been withdrawn (when no other legitimate basis for processing exists). If a request to exercise this right is made, unless there is a legitimate basis for objecting to the erasure, all data must be erased.
An individual has the right to restrict further processing, for example if the individual contests the accuracy of the data, if the processing is unlawful but erasure is not required, or if the data controller no longer needs the data but the individual does. In circumstances where an individual is objecting to the processing of the data but you are claiming a legitimate interest, you must not process the data until the matter is resolved. Before any restriction is lifted, the individual must be notified. The data controller can still store the data, but the data processor must not process the data.
Individuals can request a copy of any personal data held if the data was provided by the individual in the first instance, the data processing is based on consent or a contractual requirement, and the processing is carried out by automated means. If the individual has requested that their data be transferred from one controller to another, this must be done without hindrance.
Whilst an individual has the right to object to their data being processed, this only applies in certain circumstances. Processing of personal data can continue if it is necessary in the public interest, to complete a legal task, or for a legitimate interest (of the data controller or a third party). The right to object can be used to prevent direct marketing or as a check on profiling or automated decision making.
In the case of automated decision making, if decisions are made solely by automated means or if the decision can have a negative or legal effect on the individual, they have the right to ask for human intervention in order to express their point of view and challenge the decision.
Don’t ignore GDPR, consider what you should be doing now.
Awareness – all businesses should start preparation now by making key decision makers aware of GDPR and compliance. Businesses should be auditing and documenting the personal data they hold, recording where it came from and who it is shared with. You should be reviewing the legal basis for the various types of processing you carry out and documenting this. You should be reviewing privacy notices and putting in place a plan for making changes to ensure GDPR compliance.
Consent – businesses in the UK have, so far, been able to rely on implied consent. Businesses must now be able to demonstrate that an individual gave their consent to the processing of their data. Businesses that rely on consent as a legal basis for processing personal data will need to carefully review their existing practices to ensure that any consent they obtain is positively obtained. Businesses must ensure that an individual can withdraw their consent at any time. It must be as easy to withdraw consent as it is to give it! Any changes to the mechanics of obtaining consent will require a careful review, and may take some time to implement.
Technical and organisational measures – the GDPR will require businesses to implement technical and organisational measures to ensure that the requirements of GDPR are met. Businesses must take data protection requirements into account from the inception of any new technology, product or service that involves the processing of personal data, with an ongoing requirement to keep those measures up to date and to conduct a data protection impact assessment where appropriate.
Maintain detailed documentation – businesses should be reviewing their existing compliance programmes and ensuring that those programmes are updated and expanded as necessary to comply with GDPR. You should be ensuring that you have clear records of all your data processing activities and that such records are available to be provided upon request. You should be considering appointing a data protection officer (particularly where it is necessary) with expert knowledge of data protection.
Breach notification rules – businesses will need to develop and implement a data breach response plan (including designating specific roles and responsibilities, training employees and preparing template notifications) enabling you to react promptly to a data breach.
Data processors – the GDPR is likely to have a substantial impact on both data processors and data controllers, as there are increased compliance obligations and penalties which are likely to increase the cost of data processing services. Negotiating data processing agreements may become more difficult, as processors will have a greater interest in ensuring that the scope of the controller’s instructions is clear. You may wish to review your existing data processing agreements to ensure that all parties meet their own obligations under the GDPR.
Current processes and procedures – businesses should be reviewing their procedures and the legal basis for processing personal data. Businesses should be carrying out a full review of all the personal data they hold and giving due consideration to how they will become GDPR compliant.
Compliance with GDPR is likely to require organisation-wide changes for many businesses to ensure that personal data is processed in compliance with the GDPR requirements. Such changes may include redesigning systems that process data and renegotiating contracts with third party data processors. Businesses should consider the impact these changes may have on their business, as the changes may require a significant amount of time to implement – plan ahead. Failure to do so may mean that you are left with new requirements to implement without having set aside appropriate resources to achieve compliance.
In our next news article we will be looking at processing employee data under the GDPR.