The Things You Need to Know about the General Data Protection Regulations (GDPR)

People generate a huge amount of data and for years now firms have been collecting and using it in digital and physical space. In a bid to ensure that consumers are protected, the European Parliament and Council have published the GDPR, which will come into binding effect on 25th May 2018. Whether your firm is big or small, for-profit or charitable, you will almost certainly be affected, and need to consider a host of implications that come with the new regulations.

So, what’s currently going on?

At the moment, all personal data being collected and used must be handled in accordance with the Data Protection Act (DPA). The DPA outlines what your responsibilities are when you are processing data, and is underpinned by a set of principles that require things like data security and legitimate reasons for processing data.

Why do we need the GDPR at all?

With greater technology comes even more data, and ways of processing and using data. The key thing to remember is that these new regulations are designed to protect consumers and to make sure everyone in the EU, and everyone who trades with the EU, is on the same page. More security for individuals, and making trade between countries easier, are the main reasons behind the GDPR. Arguably the biggest changes include jurisdiction, consent, and data rights, all of which we will cover in more detail.

Wait, does the GDPR replace the DPA?

Yes, the GDPR will take immediate effect on 25th May 2018 and you will need to be fully compliant by this date. The GDPR goes further than the DPA to make sure that personal data and sensitive personal data, which are defined further down, are fully protected, and grants more rights to individuals over data which concerns them. In a lot of ways, it may seem like not all that much has changed – it’s just the DPA with harsher fines – but there are some key changes which make the whole thing worth reviewing.

“if you handle the personal data of an EU citizen you must follow GDPR”

Who does it apply to? Me?

GDPR applies to anyone who is handling the personal data of living people in the EU. It doesn’t matter whether you live in the UK, Spain, or even Australia, if you handle the personal data of an EU citizen you must follow GDPR.

Much like the DPA, GDPR places different responsibilities with data controllers and data processors. Both have expanded responsibility under GDPR, and must comply irrespective of where the processing takes place!

Data controllers and processors – where do I fit in?

Don’t let the jargon scare you: this is simply how the GDPR marks out who must do what. The definitions are broadly the same as under the DPA, but with more responsibility for both parties.

“You are a controller if you keep or process any information about living people and decide what information is kept and to which use it is put”

Data controllers can be people, such as GPs, pharmacists or sole traders, or ‘legal persons’ such as firms, government departments or charities. You are a controller if you keep or process any information about living people and you decide what information is kept and to which use it is put.

In contrast, data processors may hold or process data but have no responsibility for or control over the data involved. Examples include accountants, market researchers, and cloud providers [i].

There are still principles to uphold, right?

The data protection principles set out your primary responsibilities under GDPR, and these are similar to under the DPA. We will deal with the new accountability requirement further down, but it is important to note at this stage it is the controller’s responsibility to ensure and demonstrate compliance with the principles [ii].

These include lawful processing of data, legitimate purposes for processing, limiting processing to what is necessary, accuracy of data, and upholding security of data. There are also new legal obligations for data processors, who must now maintain records of personal data and activities related to processing.

If we’re leaving the EU anyway, why do I have to bother?

Well, for a start, the implementation date of GDPR is going to come far, far sooner than any deal with the EU, which means you will likely need to be compliant for well over 6 months. Indeed, the government has already stated that Brexit negotiations will not influence the commencement of GDPR.

“non-compliance could mean hefty fines – up to 4% of annual global turnover”

On top of that, there is an enormous amount of data flow between companies and organisations in Europe and the UK, so it is more than likely that the UK government will impose similar regulations as part of a deal to simplify things. This also means you are covered post-Brexit if you trade with any EU member states.

Brexit aside, you have to bother because non-compliance could mean hefty fines – up to 4% of annual global turnover or 20,000 EUR, whichever is higher. So, you can see that the penalties are severe if you haven’t taken appropriate measures.

Okay, I know who I am, but what do I have to do?

Well, you need to understand what counts as personal data and sensitive personal data, as the GDPR includes greater detail than the DPA – for example, IP addresses now count as personal data.

“You need to have a lawful basis for processing personal information”

Let’s start with why you process data, or what the DPA called the “conditions of processing” [iii]. You need to have a lawful basis for processing personal information, such as:

  • the explicit consent of the data subject obtained in a clear, non-confusing manner;
  • processing is necessary to perform, or induce, a contract with the data subject;
  • or, processing is necessary for compliance with a legal obligation.

A special section for special or sensitive data

You cannot, and must not, process sensitive personal data, such as that which reveals ethnicity, political or sexual orientation, religious beliefs, trade union membership, or genetic/biometric data for “uniquely identifying a natural person” [iv].

That is, unless that person has given explicit consent for those purposes! There are some other cases, such as protecting vital interests, interests of public health, or establishing legal claims, but it is vital you check before handling such data.

More conditions for lawfully processing personal and sensitive personal data can be found here:

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/

“GDPR-compliant consent is purely opt-in, and cannot be inferred from a failure to opt-out”

It’s cool, they didn’t uncheck that box that time, so now I have their consent, right?

This is no longer true. Consent is a common form of lawful basis, but GDPR is stricter than DPA about how this consent may be obtained. You can no longer infer consent from silence, pre-ticked boxes or inactivity – it must be an unambiguous, informed, positive action on behalf of the data subject to grant consent. This means GDPR-compliant consent is purely opt-in, and cannot be inferred from a failure to opt-out. If you rely on consent, you need to make sure it meets the GDPR standard before 28th May, or you must change the way you obtain consent, and have it re-granted in a way which complies. The other option is to achieve lawful basis using a condition other than consent.

“if you process or handle data from a firm that is not GDPR compliant then you are not GDPR compliant”

What else am I missing?

Under GDPR you absolutely must review your contracts with other firms. These must specify compliance with GDPR since if you process or handle data from a firm that is not GDPR compliant then you are not GDPR compliant!

On top of this, you need to maintain internal records of your processing activities. If your firm has over 250 employees this does, unfortunately, mean all processing activities. For those with fewer than 250 employees, you must record activities related to higher risk processing. These records include the details of your organisation, the purposes of processing, types of data and other recipients of the data, safe transfer mechanisms, retention schedules and security measures.

Furthermore, the GDPR enforces Privacy by Design, which is an approach to business that highlights privacy and data protection compliance from the start [v]. For example, this makes data privacy and security a key consideration when building new IT systems which will store or process personal data, when developing strategies with privacy implications, when thinking about sharing data, and when using data for new purposes.

This used to be implicit in the DPA, but is now an explicit legal requirement. For you, this means that not only will you be compliant, you will likely identify potential problems at an early stage, making addressing them less complex, less time-consuming, and, importantly, less costly. Measures include data minimisation (using only the data necessary for pursuing legitimate interests), transparency, and allowing individuals to monitor processing.

You mentioned something about accountability?

This is a new principle which means you must show that you comply with the data protection principles. This includes organisational measures such as internal data protection policies; staff training; internal reviews of processing activities; maintaining documents on processing activities; appointing a Data Protection Officer (where appropriate); using data protection impact assessments (DPIA); and using measures which meet the idea of Privacy by Design.

“it is important not to overlook things like CCTV when determining what data must be protected”

DPIAs can help you work out the best way to meet the regulations. You must carry out a DPIA when using new technology or when processing may result in high risk to the rights and freedoms of individuals, such as extensive processing activities, activities relating to criminal offences, and large-scale monitoring of public areas (CCTV). Indeed, it is important not to overlook things like CCTV when determining what data must be protected under GDPR [vi].

Do I need a Data Protection Officer (DPO)?

Under GDPR, internal data requirements replace having to submit processing details to local data protection authorities. Now, you must appoint a DPO if your core activities include processing data on a systematic, large scale, processing sensitive data, or processing data relating to criminal convictions and offences [vii].

What are the rights and what do they mean for me?

The GDPR seeks to strengthen some of the rights for individuals that already exist under the DPA and includes some new ones. For clarity, we’ll run through the nine rights specified in the GDPR.

  • The right to breach notification means that breaches likely to cause risk for the rights and freedoms of individuals must be disclosed to them within 72 hours. Processors must notify controllers of a breach “without undue delay”.
  • The right to be informed details the information you must supply to your data subjects and when this information must be supplied. This is dependent on whether the data is obtained from the individual in question or a third party. The ICO has a useful table, and information on all the rights granted to individuals, that can be found here:
    https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-be-informed/
  • The right of access allows individuals to confirm processing of their data and access the data held and other supplementary information.
  • The right to rectification means individuals can have their data rectified if it is inaccurate or incomplete; you must respond to rectification requests within one month in most cases.
  • The right to erasure means individuals can request that you delete the data you hold on them in certain circumstances. This is particularly powerful where consent is the only lawful basis.
  • The right to restrict processing means blocking the processing of personal data. It is important to check in these instances whether the right of the individual is stronger than your legitimate grounds for processing.
  • The right to data portability allows individuals to have and use their own personal data in a commonly used and “machine readable format”.
  • The right to object gives individuals the right to object to processing for direct marketing, scientific or historical research, and tasks in the public interest. This is not always granted.
  • The right not to be subject to a decision applies under automated processing which will produce a legal or otherwise significant effect on the individual. It does not apply in all cases.

Isn’t this a massive undertaking, though?

Making sure you won’t be caught out by GDPR requires careful thought and attention to detail, but it doesn’t have to be an inconvenience. Yes, it is a necessity, but by incorporating GDPR requirements into your overall business strategy you can set yourself apart as a secure, trustworthy company that consumers and other firms seek out. The GDPR is more than just a set of new rules; it’s an opportunity for you to improve your brand.

Where can I go for more information?

The EU has a website specifically dedicated to helping educate people about the consequences of GDPR: http://www.eugdpr.org/

Alternatively, the Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals [viii].

They post publications from the Article 29 Working Party (Art. 29 WP), a representative body which regularly updates guidelines on different aspects of GDPR.

You can find a host of useful information, including Art. 29 WP updates, on the ICO’s website:
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/whats-new/

Sources

Overview of the General Data Protection Regulation (GDPR), ico.org.uk

http://www.eugdpr.org/

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union

McAree, N (Sept 2017) The Link between Cyber Security and Data Privacy, LinkedIn

Gough, O (Nov 2017) Is your CCTV system GDPR compliant?, smallbusiness.co.uk

Frost, J (Nov 2017) Torrent of claims expected across Europe under GDPR, Insurance Times

Hauschild, M (Nov 2017) UK SMEs Not Yet Sufficiently Prepared for GDPR, The Manufacturer

Green, A (March 2015) Privacy by Design Cheat Sheet, blog.varonis.com


Footnote

[i] https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm

[ii] https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/principles/

[iii] https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/

[iv] GDPR Article 9

[v] https://ico.org/for-organisations/guide-to-data-protection/privacy-by-design

[vi] http://smallbusiness.co.uk/cctv-system-gdpr-compliant-2541510/

[vii] http://www.eugdpr.org/key-changes.html

[viii] https://ico.org.uk/