Over the last few months, there has been an enormous focus on the General Data Protection Regulation (GDPR). Coming into effect on 25th May 2018, the GDPR is set to revolutionise the way we store, handle and use personal data. In what can be classed as the first major shake-up of European data laws since “The Directive” in 1995, we are about to see a set of regulations that will affect businesses of all sizes. Led and enforced by the Information Commissioner’s Office (ICO), you will be expected to be compliant by May 25th.
Summarising The GDPR
The GDPR has been created to give an individual, who is a citizen of the European Union (EU), greater control over their personal data. Regardless of where you and your business are based, if you handle the data of someone inside of the EU, then the GDPR applies to you.
Put simply, if you hold data that can be used to identify an individual, then you hold personal data. The person whose data it is has multiple rights over how the data is processed, with key aspects of the GDPR focusing on what you’re able to do with the data. From requesting the data to be amended, to more complicated issues such as objection to process, you’ll need to understand the various requests and how to act upon them (including how to record a request). Storing any collected details securely, with access limited to essential personnel, is of paramount importance.
When collecting personal data you need to clearly define how that data will be used and whether it will be passed onto any third parties. The rights you have over controlling and processing that data will be determined by its categorisation:
- Consent – An individual gives you permission to process their data. You will have provided them with a clear and specific description of how their data will be used and who will have access to it. This type of data processing gives an individual far greater control over their data than any other lawful reason for processing.
- Contract – Processing of personal data is essential for the individual or business to fulfil a contractual obligation.
- Legal Obligation – There is a legal requirement for an individual or business to continue processing personal data.
- Vital Interests – The processing of data is essential to protect someone’s life.
- Public Task – Data processing is necessary to perform a task or function that is in the public interest and is supported by the law.
- Legitimate Interests – This is a grey area of consent. There may be a legitimate reason to process personal data in a certain way, but there is still scope for an individual to object to the processing and storage of their data.
Generally, data collected for marketing purposes will come under the consent category, which is the minefield of opt-ins you may have heard about!
Consent – Why It’s Important
Fulfilling contractual and legal obligations gives businesses more scope on how personal data can be used and processed. You still have to be specific about why the data is being processed, how it is being done and how long it will be held for, but there is allowance for businesses to reject certain requests.
If data comes under the consent umbrella, e.g. website opt ins and contact form submissions, then an individual has greater control over their personal data compared to under “The Directive”.
Consent is important because it means that an individual has agreed that you may contact them and store and process their personal data. When gaining consent from an individual you must be clear and concise about why you are collecting the data, who will have access to it, how you will use it (no deviating from this) and how they can opt out of further storage, processing and contact after giving consent.
Consent & Your Website
Opting in, or giving consent, requires a positive action from an individual. You can no longer gain consent as part of the terms and conditions of a contract and you cannot automatically opt somebody in. Pre-ticked boxes on a website cannot be used to gather a person’s data, process it (for marketing purposes) and pass it on to third parties. Privacy policies must be updated to give specific information on how and why the data is being collected, as well as who it is used by and passed to (including all third parties).
The Rights Of An Individual
An individual can make several requests and, depending on the categorisation of data, you will have to take specific actions. Keeping accurate records of all requests made, by all individuals, is vital to ensuring you are GDPR compliant. The different requests a person can make are outlined below:
- Data Access Request – If an individual requests access to their data you must provide them with all the data that you hold on them and who you have shared it with. You must do this within 30 days of the request and free of charge.
- Data Modification Request – If an individual requests an update to their data, you must update your records and pass the modification request to any third parties you have shared the data with. Again, this must be free of charge. Data that cannot be updated for legal or contractual purposes should remain in its current state and the individual should be informed of this.
- Data Deletion Request – If an individual requests for their data to be deleted then you must do this free of charge. If you are required to hold onto the data then you should inform the individual of this requirement (contractual, legal or some legitimate interest categories). A date for deletion should be agreed as you should not hold onto data longer than necessary according to the GDPR.
- Data Processing Restriction – If an individual wants to restrict the processing of their data, you should only continue processing the data that is essential in fulfilling contractual, legal and some legitimate interest obligations. You should determine whether or not this is a temporary restriction and then decide whether the restricted data should still be kept.
- Data Transfer Request – If an individual requests a data transfer then you should consolidate all the data you hold on them and transfer it to their desired location, free of charge. Once again you can object to this if there is a legal or contractual reason not to do so, and in some cases a legitimate interest alone will be sufficient grounds to object.
- Objection To Processing Data – If an individual objects to the processing of their data, you must stop unless there is a legal or contractual obligation to continue. You should agree a time period for how long the processing should stop for and, if required, pass this on to any third parties the data has been shared with.
A final point on the GDPR and your responsibility to remain compliant is data breaches. If unauthorised access to data, or a leak or potential leak of data, is discovered by anyone within your business, then you have a data breach (or a potential one). This should be logged and relevant action should be taken to protect the individuals’ data and to ensure this type of breach doesn’t reoccur. Individuals are entitled to know about breaches, and the relevant action taken to protect their data, as soon as a breach is discovered. You should then decide whether or not to report this to the ICO.
It’s a lot to take in and this only touches the surface. The GDPR is designed to protect an individual’s personal data. The potential fines for non-compliance are big (up to €20 million or 4% of your annual turnover in the worst case scenario), but for those who make a genuine attempt towards compliance it is more likely that any failure to comply will be met with advice rather than fines. If you would like a chat about the GDPR please feel free to get in touch.
Disclaimer: This summary of the GDPR is based on our own research and guidelines presented by the ICO. To find out how the GDPR is going to affect you and your business, you should seek professional legal advice.