I've been reading up about the implications of GDPR for us as a company and as I gathered my notes, I thought it would be useful to create a shared resource, both for our own staff, but also for others in our industry who are starting to look into the upcoming changes to data protection.
In this blog post I’ve tried to bring together the relevant information using the recent guidance from the ICO (Information Commissioner’s Office). There is so much information out there (and so many initialisms!) that I thought a quick summary of the main themes might be helpful.
Please note this article is only intended as a quick guide; stay up to date with the latest guidance from the ICO and seek legal advice where needed. I am not claiming to be a qualified data protection ‘authority’.
DPA – Data Protection Act
DPIA – Data Protection Impact Assessment
DPO – Data Protection Officer
GDPR – General Data Protection Regulation
ICO – Information Commissioner’s Office
PECR – Privacy and Electronic Communications Regulations
PIA – Privacy Impact Assessment
Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data processor: In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
The GDPR comes into force in the UK on 25 May 2018 and replaces the current Data Protection Act (DPA 1998).
The main concepts and principles are the same as under the DPA, but the GDPR puts much more emphasis on accountability and governance. You will now need to be able to show how you comply with the key data protection principles, which means having a documented framework of policies and procedures that demonstrates how you meet the GDPR’s requirements.
If you haven’t already, register your company with the ICO. Registration is a legal requirement for organisations processing personal data, not just a way of receiving updates: if you process any personal data at all, even just staff HR records, you will almost certainly need to be registered.
First Steps for GDPR
Firstly, it’s important that all staff know the regulations are changing and what this means for them; staff training is a sensible way to bring everyone up to speed.
It may be useful to raise awareness with your clients too. If your company acts as a data processor for your clients, bear in mind that the GDPR places direct obligations on processors for the first time, so their data becomes your responsibility as well.
Maintain accurate records
It’s important all staff know where to find the necessary information relating to data protection. If you have a company handbook containing all your policies and procedures – this may be the best place to store the information. It will of course depend on your individual circumstances, but we personally store all our company policies and procedures in a shared staff handbook, which is regularly reviewed and updated.
Communicate privacy information clearly
Under the GDPR you must tell people clearly what data you collect, why and how you are processing it, the lawful basis you rely on, and how long you keep it.
Where you rely on consent, obtain it clearly and keep a record of it; in every case, identify and document your lawful basis for processing. Document this privacy information in your company records and in the privacy notice on your website.
Maintain individuals’ rights
As you prepare for the GDPR, now might be a good time to ensure company procedures cover the following individuals’ rights (most of which should have already been covered by the DPA):
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making, including profiling.
The right to data portability is new under the GDPR. It applies to personal data the individual has provided to a controller, where the processing is carried out by automated means and the lawful basis is consent or the performance of a contract. The individual can ask for a copy of that data, and you must provide it in a structured, commonly used and machine-readable format (so they can reuse it or move it to another service), free of charge.
Subject access requests
As you will probably already be aware, individuals currently have the right under the DPA to request the information held about them. The GDPR makes some changes to this area:
- In most cases you will no longer be able to charge for complying with a request.
- You will have one month to comply, rather than the 40 days allowed under the DPA.
- Where a request is ‘manifestly unfounded or excessive’ you can charge a reasonable fee for processing it or refuse the request.
- If you refuse a request, you must tell the individual why, and explain that they have the right to complain to the supervisory authority and to seek a judicial remedy. This must be done without undue delay and at the latest within one month.
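The one-month limit is easy to get wrong if it is implemented as “add 30 days”. The snippet below is an added example, not code from the original post, showing the calendar-month calculation: the deadline is the same calendar date in the following month, or the last day of that month if no such date exists. That clamping rule and the use of plain ISO date strings are assumptions for the example; check the ICO’s current guidance for how the day of receipt, weekends and extensions for complex requests are treated.

```python
"""One-month deadline for a subject access request (added example).

Assumes the calendar-month rule: same date next month, clamped to the last
day of a shorter month. The post itself only says 'a month'.
"""
import calendar
from datetime import date


def sar_deadline(received: date) -> date:
    """Same day number next month, clamped to the end of a shorter month."""
    year = received.year + 1 if received.month == 12 else received.year
    month = 1 if received.month == 12 else received.month + 1
    last_day = calendar.monthrange(year, month)[1]   # 28 or 29 for February
    return date(year, month, min(received.day, last_day))


def sar_deadline_iso(received_iso: str) -> str:
    """Convenience wrapper taking and returning ISO dates such as '2018-05-31'."""
    return sar_deadline(date.fromisoformat(received_iso)).isoformat()


def days_remaining(received_iso: str, today_iso: str) -> int:
    """Days left to respond; a negative value means the request is overdue."""
    deadline = sar_deadline(date.fromisoformat(received_iso))
    return (deadline - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed sample dates. For a request received on 31 January 2018,
    # adding 30 days would give 2 March; the real deadline is 28 February.
    for received in ("2018-01-31", "2018-05-25", "2018-12-30", "2020-01-31"):
        print(received, "->", sar_deadline_iso(received))
    print("days left:", days_remaining("2018-01-31", "2018-02-20"))  # 8
```

A request tracker should store the computed deadline alongside the date of receipt so that anyone picking up the request can see at a glance whether it is on time.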
Documenting the lawful basis for processing personal data
Under the GDPR, you must identify the lawful basis for each processing activity, document it, and update your privacy notice to explain it.
Arguably the biggest change from the DPA is around consent. Consent is only one of six lawful bases under the GDPR (the others are contract, legal obligation, vital interests, public task and legitimate interests) and it is not mandatory: choose the basis that genuinely fits the processing. Where you do rely on consent, the standard is much higher than under the DPA, and individuals have stronger rights over their data, including the right to have it deleted. I touch upon consent a little more below.
The GDPR states there must be a positive ‘opt-in’. Consent cannot be inferred from silence, pre-ticked boxes or inactivity.
It must also be separate from other terms and conditions, and you will need to offer simple ways for people to withdraw consent. Consent has to be verifiable, so keep a record of what the individual was told, what they agreed to, and when and how they agreed. Individuals generally have more rights where you rely on consent to process their data.
As you prepare yourself to be GDPR compliant, you should review how you seek, record and manage consent and whether you need to make any changes. Now is the time to start refreshing existing consents, if they don’t meet the GDPR standard.
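To make the consent requirements above concrete, here is an added example (not code from the original post) of how a system can record consent so that it is granular, verifiable and easy to withdraw. It assumes a simple in-memory, append-only ledger (the `ConsentLedger` class below is invented for the example), free-text purpose names and caller-supplied UTC timestamps; a real system would persist the events and tie the evidence field to the exact wording the individual saw.

```python
"""Recording and checking consent so that it is verifiable (added example).

Assumptions: in-memory append-only ledger, one purpose per event, and the
caller supplies timezone-aware timestamps so the example is deterministic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # one purpose per event: consent is granular, not bundled
    granted: bool       # True for an opt-in, False for a withdrawal
    at: datetime        # when the individual acted (UTC)
    evidence: str       # what they saw and did, e.g. form id and wording version


class ConsentLedger:
    """Append-only list of events: nothing is edited or deleted, so every
    processing decision can be traced back to the record that justified it."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purpose: str, at: datetime,
                      evidence: str, *, affirmative_action: bool) -> ConsentEvent:
        # Silence, inactivity or a pre-ticked box is not consent: the caller
        # must confirm that the individual actively opted in.
        if not affirmative_action:
            raise ValueError("consent requires a positive opt-in by the individual")
        return self._append(ConsentEvent(subject_id, purpose, True, at, evidence))

    def withdraw(self, subject_id: str, purpose: str, at: datetime,
                 evidence: str) -> ConsentEvent:
        # Withdrawal is always accepted; it must be as easy as giving consent.
        return self._append(ConsentEvent(subject_id, purpose, False, at, evidence))

    def may_process(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Default deny: True only if the latest event for this subject and
        purpose (on or before `at`, if given) is an opt-in."""
        history = self.evidence_for(subject_id, purpose)
        if at is not None:
            history = [e for e in history if e.at <= at]
        return bool(history) and history[-1].granted

    def evidence_for(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """The audit trail you would show a regulator or the individual."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)
        return event


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: one individual opts in to one purpose on
    25 May 2018 and withdraws thirty days later."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_opt_in("u123", "marketing-email", t0,
                         "signup-form-v3, unticked checkbox, wording v2",
                         affirmative_action=True)
    ledger.withdraw("u123", "marketing-email", t0 + timedelta(days=30),
                    "unsubscribe link in email")
    return ledger


def pre_ticked_box_is_rejected() -> bool:
    """A pre-ticked box (affirmative_action=False) must not create consent."""
    ledger = ConsentLedger()
    try:
        ledger.record_opt_in("u456", "analytics",
                             datetime(2018, 6, 1, tzinfo=timezone.utc),
                             "signup-form-v3, pre-ticked checkbox",
                             affirmative_action=False)
    except ValueError:
        return not ledger.may_process("u456", "analytics")
    return False


if __name__ == "__main__":
    ledger = build_sample_ledger()
    t0 = ledger.evidence_for("u123", "marketing-email")[0].at
    print("on the day of opt-in:", ledger.may_process("u123", "marketing-email", at=t0))  # True
    print("after withdrawal:", ledger.may_process("u123", "marketing-email"))            # False
    print("separate purpose:", ledger.may_process("u123", "profiling"))                  # False
    for e in ledger.evidence_for("u123", "marketing-email"):
        print(e.at.isoformat(), "granted" if e.granted else "withdrawn", "-", e.evidence)
```

The two design choices that matter are the default-deny check per purpose (so a marketing opt-in never silently authorises profiling) and the append-only history, which is what lets you prove, later, exactly what the person agreed to and when they withdrew it.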
Children’s personal data
The GDPR is bringing in special protection measures for children’s personal data.
If your business offers services directly to children, you will need to communicate the privacy information in a clear, plain way, that a child will understand.
Depending on the services you offer to children, you will need systems in place to verify individuals’ ages and to obtain parental or guardian consent.
Data breaches
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO, and in some cases to the individuals affected.
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals; for example, where it could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will in most cases also have to notify those individuals directly.
You should make sure you have procedures in place to detect, investigate and report a personal data breach, and that you keep a record of every breach, whether or not it was notifiable.
Data Protection by Design and Data Protection Impact Assessments
The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’.
It has always been good practice to take a privacy by design approach and to carry out a Privacy Impact Assessment (PIA). Under the GDPR a Data Protection Impact Assessment (DPIA) becomes mandatory where processing is likely to result in a high risk to individuals, for example when deploying new technology or carrying out large-scale profiling. For more information see the ICO code of practice.
Data Protection Officers
You must appoint a DPO if you are a public authority, if your core activities involve large-scale, regular and systematic monitoring of individuals, or if they involve large-scale processing of special categories of data or data about criminal convictions. Even if none of these applies, it is wise to designate someone to take charge of data protection responsibilities and to keep the company up to date with new guidance.
Transfers outside the EEA
The Data Protection Act already had rules for protecting data shared outside the EEA. There are further conditions under the GDPR. The ICO has a useful checklist to follow if you are going to be transferring personal data out of the EEA.
Demonstrating Compliance with GDPR
The following bullet points summarise how your organisation can demonstrate your compliance with GDPR:
- Implement appropriate technical and organisational measures that ensure and demonstrate compliance.
- This may include internal data protection policies and activities such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Use data protection impact assessments where appropriate.
- Adhere to approved codes of conduct and/or certification schemes.
- Implement measures that meet the principles of data protection by design and data protection by default.
Measures can include:
- Data minimisation
- Allowing individuals to monitor processing
- Creating and improving security features on an ongoing basis
Records of processing activities
If you are processing personal data, you should record the following:
- Name and organisation details (and where applicable, of other controllers, your representative and data protection officer).
- Purposes of the processing.
- Description of the categories of individuals and categories of personal data.
- Categories of recipients of personal data.
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- Description of technical and organisational security measures.
You may be required to make these records available to the relevant supervisory authority for the purposes of an investigation.
If you made it to the end of this rather long and technical blog post, then congratulations! All the content for this article comes from our own research on the ICO website, and I have tried to summarise the most prominent themes and changes relating to the GDPR.
For more information about this or any other aspect of data protection, check out the ICO website.
Further useful links include: