The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and rarely has a piece of legislation caused so much conversation (and panic) in the business world. While the prospect of GDPR compliance might seem daunting, it’s important to understand the key issues at hand, have a clear idea of the steps towards compliance, and see through some of the common misconceptions.
“The B Word”
Although the GDPR is EU legislation, and will not apply directly to the UK following “Brexit-Day”, the government has already published draft UK legislation which closely mirrors the obligations of the GDPR, and it’s clear that the intention is for the UK to have the same level of data protection regulation as the EU. In addition, the GDPR will still apply to businesses outside of the EU which deal with EU residents’ personal data. So in practice, Brexit will not affect the changes brought about by the GDPR.
The scope of personal data
Personal data is defined in the GDPR as “any information relating to an identified or identifiable natural person”. That’s a very broad definition, but some areas which include personal data are often overlooked. Data you hold on your employees will be personal data, and the GDPR will apply to it. CCTV footage, visitor logs, first aid incident reports, all of these will contain personal data, and must be considered in the compliance process. Even if all your customers are other businesses, the information you hold about the individual personnel at that business will be personal data.
Consent
A common misconception around GDPR is that consent will be needed for all personal data held by an organisation. While the standard of consent required will be higher, there are other lawful bases on which you can process personal data. Although many organisations may assume that they use data based on “consent”, under the current law most uses of data will be based around complying with legal requirements, performing contracts with an individual, and “legitimate interests”. The GDPR will not change that, but it will mean that organisations need to examine the basis on which they use personal data, and keep a record of that reasoning.
Marketing
Inevitably, almost all direct marketing will involve personal data. The GDPR isn’t the only relevant legislation in this area, however: separate EU privacy regulations apply to electronic marketing, and there are additional draft regulations which would update these. While there will be distinctions between marketing to consumers and marketing to businesses, any marketing activity will need to be reviewed to ensure it’s compliant.
Privacy Notices
The GDPR places greater requirements on organisations to communicate their use of personal data to individuals. More detailed and comprehensive privacy policies will be needed to ensure compliance. As the GDPR applies to employee data as well, internal privacy policies may also be required to make clear how employee data is used.
Contracts
Any contracts under which organisations obtain or share personal data should be reviewed and may need amending. A key distinction here is between contracts with a “data controller” and contracts with a “data processor”. Data controllers are organisations which make decisions over how and why to use data. Data processors are essentially service providers who process data on another’s behalf and don’t exercise control over it. Data processor contracts will need to contain certain provisions and information under the GDPR, and data controllers may need to carry out due diligence on their service providers to confirm that they have appropriate measures in place to ensure compliance.
An organisation that is a data processor in one sense (for instance, a cloud storage business which holds personal data on behalf of its clients) will almost certainly be a data controller in another sense (for instance, the business will be a data controller in respect of personal data it holds about its employees).
A bigger stick
Maximum fines under current law are £500,000, which will increase to an eye-watering £17m or 4% of group turnover (whichever is higher). While these figures don’t necessarily mean that vastly increased fines will be imposed from day one, the increased fines are intended to act as a deterrent, and the average level of fines will probably increase.
Security
A secure IT system is certainly a big step in the right direction, but the obligations under current law and the GDPR extend beyond that. Most data breaches aren’t from malicious cyber-criminals, but relate to lost or stolen paperwork and communications being sent to the wrong people. Data security measures are only as good as their weakest link, and often the biggest issue is a lack of awareness from staff, and an absence of practical measures to address risks.
Privacy by design
The GDPR emphasises the importance of “privacy by design”, meaning that privacy protections are built into processes from the outset, not tacked on at the last minute. More specifically, organisations should maintain a record of their processing activities and adopt an internal data protection policy setting out their compliance processes. Some organisations may need to appoint a Data Protection Officer with a suitable level of expertise and independence, and some activities will require a Data Protection Impact Assessment (essentially a risk assessment from a privacy perspective).
Individual rights
The GDPR both expands on existing rights and implements new ones. The “Data Subject Access Request”, in which individuals can ask for copies of their personal data and details of how it was obtained and is used, will be easier to exercise, and organisations will have less time to comply with requests. The headline-grabbing “right to be forgotten” is an important change, but is not a universal right. Broadly, if an organisation has a compelling reason to still hold and use an individual’s data, then it can continue to do so, even if a request is made to delete that data. As requests become more common, organisations should consider implementing policies and templates to enable them to deal with requests consistently and efficiently.
Steps to compliance
Key to achieving the compliance goals outlined above is a clear understanding of how an organisation uses personal data, and what measures it already has in place. Step one of any compliance process should be mapping data flows into, around and out of the business, followed by an audit of the policies and contractual provisions which apply to it. Once this is completed, a gap analysis can be conducted to identify areas of non-compliance, and the relevant measures can be implemented. Finally, policies, templates and processes can be created and put into practice to ensure ongoing compliance.
You can find out more about the GDPR on Cripps’ GDPR Hub, an online resource containing detailed information on the different aspects of the regulation and a simple 5-step approach to becoming GDPR compliant.