With less than a month until the General Data Protection Regulation (GDPR) starts to apply, time is running out for businesses and organisations to become compliant. It’s not too late to make sure you’re ready for the deadline on 25 May 2018, but you do need to get your skates on!
Every organisation, whether a business, charity, campaign group or non-profit, keeps records that unavoidably contain personal data. There’s no way around it. If you operate with customers, have employees, advertise for job applicants, use suppliers, or conduct direct mailings, you have no option but to keep records.
The personal data covered by the new rules is any information relating to an identified or identifiable living person. This includes the obvious information such as contact details, payment records, staff files, etc. However, there are also some less obvious categories, such as IP addresses, cookie identifiers and device IDs. Essentially, it’s anything at all that would give enough detail for a person’s identity to be discovered, on its own or combined with other information you hold. Encrypting or pseudonymising the data does not take it outside the rules: as long as someone holds the key or the additional information needed to re-identify the person, it is still personal data, and encryption counts as a security measure rather than a way out. So, for example, if you track website visitors, that information could identify a person and is therefore covered by GDPR.
Here’s the background to the new legislation and what you need to do, before the deadline…
GDPR actually entered into force on 24 May 2016. The two-year period between then and 25 May 2018, when it becomes enforceable, was designed to allow businesses and organisations time to bring their processes into line.
One important point to make is that Brexit will not have any effect on the new rules. The regulation applies to all organisations established in the EU, but importantly, it also applies to organisations located anywhere outside Europe that offer goods or services to people in the EU, or monitor their behaviour (for example by tracking them online). The legislation is being introduced to create greater cross-border consistency.
Thanks to developments in technology, it’s now very easy for individuals and businesses to buy and sell successfully with customers and suppliers that are based overseas. It therefore makes sense to have a standardised approach to data.
For personal data transferred outside the EU regulatory area, additional restrictions apply: the destination must either be covered by an EU adequacy decision or the transfer must be protected by appropriate safeguards, such as standard contractual clauses. This is why you will have seen amendments to the data handling and privacy policies of organisations such as Facebook and Google.
Within the UK, it’s likely that the majority of organisations currently handling data are already working within the parameters of the UK’s existing legal framework, set out in the Data Protection Act 1998 (DPA). This existing legislation covers all data handling and processing. In addition, if you process personal data, there is an existing obligation to register (notify) with the Information Commissioner’s Office (ICO). This means it’s likely that anyone who must comply with the new GDPR will already have data handling procedures, which makes it a little easier to step up to GDPR.
The security of personal information is the key reason behind GDPR. Personal data is extremely valuable and it’s important that it is protected against any unauthorised use of, or access to, it. Under the regulation, businesses and organisations have a legal obligation to create and implement proper processes that protect data in their care: Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and names pseudonymisation and encryption as examples. If a breach does occur and is likely to put individuals at risk, it must be reported to the ICO within 72 hours of becoming aware of it, and affected individuals must be told where the risk to them is high.
The changes focus on the individual having more control over their personal data. This brings legislation up-to-date with the development of technology and changes in behaviour relating to technology. People now are more likely to do everything from shopping to banking online. Whilst this makes things much more convenient for the customer, it also means that it’s easier than ever for businesses to obtain personal information.
GDPR doesn’t only apply to electronic data though. Manually retained information and records are also covered.
The additional responsibilities required under the new regulations are as follows:
Where you rely on consent, you must be able to demonstrate that you have it in order to store and use any data in your care, as well as clarity over how and why it is required and processed. Company processes relating to consent, use and security of data must be recorded and documented.
Consent must be an active decision – you cannot rely on silence, inactivity or pre-ticked boxes, and you cannot have a disclaimer stating that consent is assumed if a box is not unchecked. There must also be a clear statement of why the consent is required and why the information is required, given in plain language and kept separate from other terms and conditions. You must also make it clear that consent can be withdrawn at any time, and withdrawing it must be as easy as giving it.
If you wish to change the reason for using the data, such as adding someone’s details to your mailing list, you need to obtain additional consent from them to do so.
In business networking terms, it means you can’t assume that because someone has handed you a business card, their details can be added to a contact database or email distribution list.
PURPOSE – LAWFUL BASIS
You must have a valid ‘lawful basis’ in order to hold and use personal data; consent is only one of the six bases set out in Article 6, alongside contract, legal obligation, vital interests, public task and legitimate interests. Data must only be used for the specific purpose for which it was obtained and nothing else. Under the DPA’s ‘conditions for processing’, this requirement already exists, but GDPR takes the requirement further and applies greater accountability: you must be able to show which basis you rely on, and why.
You must also ensure that information is up-to-date, and you may only hold it for as long as necessary for the purpose you have specified. This could mean you have to hold it for several years, in line with HMRC record-keeping requirements, or it could be that it can be deleted after a week. The important point is that anyone for whom you hold information knows exactly what the parameters are, and that if they ask you to remove their data, you do so, whilst abiding by any additional legal requirements to retain it.
Many organisations are now sending emails requesting renewal of consent for data to be held and used. Remember, the onus to demonstrate compliance is squarely on you as the data controller or processor.
People for whom you hold data will have easier access to it and greater control over how it is used. They can also request a copy of all information held about them, under a ‘subject access request’. This must be provided within one month (extendable by up to two further months where requests are complex or numerous, provided you tell the person within the first month) and no longer attracts a handling fee, unless the request is manifestly unfounded or excessive, for example because it is repetitive.
All processes for how data is held and processed must be documented and everyone within the organisation must be made aware of their obligations under GDPR.
Under GDPR, failure to meet data protection obligations could lead to serious penalties. The upper threshold is €20 million or 4% of annual worldwide turnover, whichever is greater.
WHAT DO YOU NEED TO DO?
- Prepare now! Make sure all staff have the relevant information and are trained in GDPR requirements.
- Carry out a Data Protection Impact Assessment (DPIA). This is an ICO-recommended tool which helps you to discover any data handling issues within your organisation, and it is mandatory under GDPR for processing that is likely to result in a high risk to individuals, such as large-scale monitoring or profiling. Check out the ICO’s guidance to DPIAs (previously called privacy impact assessments, or PIAs).
- Document your data protection policies – include staff training and any certifications you have obtained.
- Review and update data handling processes; make sure they are fully documented. Perform a data audit – covering the data you hold, how it was obtained, the purpose for which it is required and how it is used.
- Remove any data that is no longer needed.
- Review and document your security processes.
- Catalogue any individual or organisation with whom data is shared and why.
- Create proper processes for how you communicate with people whose data you hold and how you will amend or delete their data if requested.
- Create and document a proper consent process. Check that your current consents meet GDPR requirements. It may be better to obtain updated consent for all contacts.
- Check your ‘lawful basis’ is correct for each purpose, and record it. The six lawful bases and guidance on choosing between them can be found on the ICO website.
- If necessary, you should appoint a Data Protection Officer (DPO). Certain organisations are required to do so: public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data. Even where it is not mandatory, it can be useful to have a named person who holds responsibility for ensuring compliance practices are maintained. The DPO must be free to act independently and should report to the highest level of management.
The full text of the GDPR (Regulation (EU) 2016/679) is published on EUR-Lex, and the EU’s GDPR portal contains additional guidance. The European Commission also maintains a catalogue of information, which includes links to Data Protection Authorities around the world.