The new data protection regulations come into force on 25 May 2018, make sure that you comply
On 25 May 2018 the new General Data Protection Regulation (GDPR) comes into force. It is extremely likely that these rules will affect you in some way, especially if you store and maintain databases of your clients, customers, prospects and business contacts, and even your accounts and email contacts. The new legislation gives individuals more control over how personal data is used and introduces tougher enforcement measures.
Let’s start with the basic what, who, why, how and when of the new rules.
What is covered?
Any personal data, meaning any information that relates to a person who can be identified (either directly or indirectly). That includes not only names, but also online identifiers and even pseudonyms, as well as sensitive personal information such as genetic and biometric data. It applies to data held electronically and manually, and don’t forget backed-up data and data in emails.
Who does it apply to?
The rules apply to ‘controllers’ and ‘processors’ of data.
- The controller is the person or organisation who decides how and why personal data is processed, and could be any type of organisation, from big business to a charity or government.
- The processor is the person or organisation who does the actual processing of the data on behalf of the controller (excluding the data controller’s own employees). This could include anything as seemingly trivial as, for example, storage of data on a server or an analytics provider for business insights.
- You can be both a data controller and data processor by controlling how and why you are collecting the data as well as processing and analysing it.
Why are you keeping it?
You must be obtaining personal data for a specific purpose and once that purpose has been fulfilled and the data is no longer required, it should be deleted. In particular, this could impact maintaining databases containing old customer accounts and prospects for marketing campaigns. Retaining data for marketing purposes without having express consent to do so will not be permitted.
How are you obtaining it?
The information must be obtained lawfully and transparently, explaining what you are doing with it in clear, plain language. You can obtain the personal data:
- Through consent provided by the subject of the data. This must be an active, affirmative action, such as having to tick a ‘yes’ box – and not via passive acceptance, for example through pre-ticked boxes or opt-outs.
- To comply with a contract or legal obligation.
- In the controller’s legitimate interest e.g. to prevent fraud.
- Controllers must keep a record of how and when an individual gave consent.
- Consent may be withdrawn at any time.
When can people access their stored data?
- People have the right to know why an organisation is holding personal data on them, the right to access it, the right to know how long it’s stored for, and the right to know who gets to see it.
- Where possible, data controllers should provide secure, direct access for people to review what information is stored about them.
- People can ask for access at “reasonable intervals” and controllers must generally respond within one month.
- People can ask for mistakes in the data to be rectified whenever they want.
What is the ‘right to be forgotten’?
- Individuals can demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected.
- The controller is also responsible for telling other organisations (e.g. Google) to delete any links to copies of that data, as well as the copies themselves.
What if they want to move their data elsewhere?
- Controllers must store people’s information in commonly used formats (like CSV files), so that they can move a person’s data to another organisation (free of charge) if the person requests it.
- Controllers must do this within one month.
What if we have a data breach?
- You must tell the people affected by the data breach within 72 hours or you could face a penalty of up to 2% of annual worldwide revenue, or €10 million.
- You must inform the Information Commissioner’s Office (ICO) of any data breach that risks people’s rights and freedoms within 72 hours of your organisation becoming aware of it.
What are the penalties?
- If you don’t inform them within 72 hours, you could face fines of up to €20 million or 4% of your global annual turnover, whichever is greater. Under GDPR TalkTalk’s record £400,000 fine would work out at £59 million!
- However, it’s important to note that the fines will be proportionate to the breach.
- Also, if you can demonstrate that you work hard to ensure your organisation is compliant with GDPR, the ICO would likely issue a more lenient fine.
The Information Commissioner’s 12 Steps to take now
1. Awareness: Make sure that decision makers and key people in your organisation know that the law is changing and how it will affect them.
2. Audit your Data: Document the personal data that you store, where it comes from, why you have it, where you keep it and who you share it with.
3. Individuals’ rights: Ensure your procedures cover individuals’ rights including how you can amend, delete or provide data in a commonly used format.
4. Communicating privacy information: Review your privacy notices and plan any necessary changes in time for GDPR implementation.
5. Subject access requests: Update procedures and plan how you will handle requests and provide any additional information.
6. Lawful basis for processing personal data: Identify the lawful basis for your data processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent:
- Review how you seek, record and manage consent and whether you need to make any changes.
- Refresh existing consents now if they don’t meet the GDPR standard.
8. Data breaches: Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
9. Children: Consider if you need systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
10. Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself now with the ICO’s guidelines on privacy by design and the code of practice on Privacy Impact Assessments, to help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy.
11. Data Protection Officers: Designate someone in the organisation to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer, which you do if you are:
- A public authority (except for courts acting in their judicial capacity).
- An organisation that carries out regular and systematic monitoring of individuals on a large scale.
- An organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
12. International: In the UK the supervising body for data protection is the Information Commissioner’s Office, where you will find more information on compliance.
If your central administration, or the place where decisions about the purposes and means of processing are taken and implemented, is overseas, then your lead data protection supervisory authority will be based there.