D-day for General Data Protection Regulation (GDPR) is fast approaching (it applies from the 25th May 2018) and there’s already so much information and scaremongering around that thinking about compliance brings on a headache.
As with every new piece of legislation, it’s important to remember that only some of it is likely to apply to your business so let’s examine:
- the essential things that every business needs to know about GDPR and
- the practical steps you can take right now to make it easier.
(1) Know your personal data
GDPR brings a wider definition of personal data - which is any data which
- Identifies an individual person (a data subject) OR
- could contribute to identifying someone
It’s all about whether you COULD identify someone from the information that you hold, using “reasonable means”. So, for example, you could hold IP addresses alongside data such as social media accounts and home addresses which, when put together, provide a lot of personal information. As technology advances, it’s going to become much easier to identify people from less information.
- This is a good opportunity to get to grips with your personal data system. Review the data that you hold, how you collect it (including where it came from), how you store it, how you use it and who you share it with.
- If you don’t need specific data, destroy it
- If you do need it, look at the wider definition and identify everything that will be personal data
- Keep a record of what data you have, where it’s come from and who you share it with
- Make sure that your data system enables you to separately store data which you can’t use or process, because it will make it much easier to comply with your other GDPR obligations
You’ll see as we continue that having an effective data system will make it much easier for other aspects of compliance too.
(2) Lawful Processing and Consent
Under the existing Data Protection Act you can only process data if you meet one of the “lawful conditions” which include obtaining consent from the individual involved. You can still use this consent under GDPR except that the individual’s consent must be
- A specific, informed and unambiguous indication of the data subject’s wishes. You need to keep your data protection information separate from, for example, your terms and conditions
- Freely given - so it can’t be made a condition of, for example, entering a competition
- Given by either a statement or a clear affirmative action - the individual must “do” or “say” something, so no pre-ticked boxes or adding business card emails collected at networking into email lists.
- Easy for the data subject to withdraw
You’ll also need consent for each different way you process data – so, for example, consent to contact someone to discuss a contract is separate from consent to send them marketing, and you need both if you intend to do both
The information that you need to give before an individual consents and the way in which they provide consent is much tighter.
- Start by deciding whether there is another “lawful condition” you can rely on to process data
- If you do need to rely on consent make sure that the information you give to someone before they consent is GDPR friendly – separate, clear, easy to read and not full of legal jargon
- Make sure that you get that “indication of consent” by, for example, using boxes the individual must actively tick rather than pre-ticked options. Then keep a record of the consent - how and when it was obtained - together with a master copy of any form or page used
- Have a straightforward process so consent can be withdrawn easily
(3) When individuals exercise GDPR rights
Under GDPR individuals have various rights, including, in specified circumstances, rights
- of erasure, when they can ask you to delete or remove personal data if there isn’t a “compelling reason” for continued processing, for example when they withdraw their consent
- to object to certain processing which includes direct marketing and profiling,
- to block or suppress personal data processing
Even if you have a right to refuse a request you will need to respond to these requests as soon as possible - “without undue delay” - and within one month. You will also usually need to be able to tell anyone you’ve shared that data with about the request.
Implement or review a system for dealing with data subjects who exercise those rights which includes
- keeping to the one month time frame
- isolating data which you can no longer use and retaining enough so that you can make sure that, for example, you can comply with requested restrictions
- a process for easily updating anyone with whom you’ve shared the data and keeping proof that you’ve done this
Most of us know about the potential high non-compliance fines but is it as onerous as it all sounds?
Think about your data protection system in the same way as your accounts system. GDPR just means that you
- continue to be responsible for complying with data protection obligations but
- must now be able to prove your compliance and
- must notify certain (more serious) data breaches to the ICO
What should you do now?
Most organisations don’t need to appoint a designated Data Protection Officer. What you do need to do is to
- Review how you comply with data protection now
- Understand your GDPR obligations
- Have written GDPR compliant policies which clarify how you comply with GDPR and your general data protection obligations
- Follow those policies and keep a written record to prove that you do
Remember that the aim of GDPR is to provide “greater transparency and enhanced rights for citizens” so it’s an ideal opportunity to overhaul your data protection system as well as providing you with a vehicle to show that you value a data subject’s rights, which will help build up mutual trust and respect.