The GDPR came into force on 25 May 2018 and, for the most part, replaces the existing Data Protection Act 1998 (DPA).
Here, we have addressed some common questions our clients ask about the changes. The answers are high level and intended to help organisations obtain a clearer understanding of what the GDPR means in practice and what is required to achieve compliance. The changes are significant and will impact all types of business, regardless of size or sector.
Questions covered under ‘Use and collection of data’:
- What is personal data?
- How do I know how big the impact will be on me?
- Is my use of personal data lawful?
- How do I get consent for using data?
- What about sharing data?
- What if I didn’t obtain the information directly from the individual?
- How long can I keep information for?
The GDPR applies to all use (or ‘processing’) of personal data, which includes collection, storage, transmission and deletion. There are no universal exceptions for small organisations or employee data. So if you hold personal data, the GDPR will apply to you.
The GDPR will come into force before Brexit, and the UK government has made clear that it intends to keep pace with EU data protection law, so it is likely the GDPR (with slight amendments) will continue to apply to UK organisations after Brexit.
Even if that isn’t the case, if you offer goods or services in the EU or monitor behaviour in the EU, the GDPR will apply to you, regardless of where you are based. For more information, see “Impact of Brexit”.
As well as investigation, ‘naming and shaming’ and bad publicity, the maximum fines under the GDPR are €20,000,000 or, if higher, 4% of global turnover, up from £500,000 under the DPA. For more information, see “Penalties for non-compliance”.
The GDPR may also require you to report data breaches to the Information Commissioner’s Office (ICO) and, in some circumstances, to the affected individuals themselves. Having a clear process for identifying, evaluating and reporting data breaches is key to managing risk and reputational damage. For more information, see “Handling a data breach”.
Use and collection of data
‘Personal data’ includes any information relating to an identified or identifiable person (including employees and people acting in a business capacity). Almost every organisation, no matter how small, will hold personal data. For more information, see our “Jargon Buster”. Businesses should review their methods for obtaining consent to their use of data, or consider what other legal basis they have for their use (consent is not the only legal basis for using personal data). For more information, see “Lawful basis for data capture / processing”.
The best way to determine this is to review and understand all of the types of data you collect, the ways in which you collect them, and the ways in which you use them.
This can be a huge exercise, depending on the size of your organisation. The more structured your processes are, and the more disciplined you are about them, the easier it will be.
This ‘data-mapping’ exercise is key to ensuring you can assess your compliance with the GDPR, address deficiencies, and remain ‘data-aware’ going forward. It needs engagement at all levels of your organisation, to understand how and why data is held and used in all areas.
Use should be compatible with the purpose for which the data was collected.
All uses of personal data must be on a lawful basis. You must be able to either:
- Obtain the consent of the individual; or
- Justify using the personal data as necessary in order to:
  – Enter into or perform your contract with the user
  – Comply with a legal obligation
  – Protect the vital interests of the user or another person
  – Perform a task in the public interest or exercise official authority vested in you
  – Pursue your or a third party’s legitimate interests, as long as these are not outweighed by the individual’s interests.
You will need to consider, for each type of data you collect, and each use of it, whether it is covered by one of the points above.
An informal principle you can use to make a quick initial assessment of how you use data is ‘No surprises’ – ask yourself, ‘would the individual reasonably expect me to collect and use the data in this way?’. If you’re unsure, or think they wouldn’t, those uses are most likely to be GDPR non-compliant. For more information, see “Lawful basis for data capture / processing”.
If you need to obtain individuals’ consent in relation to your use of their data, you should record that you are relying on consent for your processing and keep a record of the consent you obtain.
Be careful of the way in which you obtain consent. Under the GDPR, consent must now be:
- Freely given (for instance, not mandatory for employees)
- Informed (so you should set out the types of information you are collecting and how they will be used)
- Specific (not a general consent for all processing)
- Unambiguous (not implied, so pre-ticked consent boxes are not enough)
For more information, see “Consent”.
If you aren’t relying on consent, you should record the basis on which you use that data.
As with any other use, you must be able to justify sharing data. For more information, see “Who can you share data with?”.
If you are sharing data with a third party which processes the data for you, you will also need certain contractual clauses in place with them. For more information, see “Contracts with third parties”.
The same obligations apply to you regardless of whether you obtained the information directly from the individual or through a third party. In particular, you will need to provide certain information to the individual. For more information, see “Privacy Policies / information notices”.
Depending on the circumstances, you may also need to obtain certain guarantees from whoever is providing you with the data, and conduct due diligence to ensure that they have collected and shared the data in a way which is compliant with data protection law.
Information must only be kept for as long as is necessary for the purposes for which it is used.
While there is no strict requirement to have a written policy on data retention, having a clear policy (which you actively comply with) will be key to ensuring and demonstrating compliance in this area.
Employee data is still personal data, so you will also need to provide information to employees about how their data is used. You may want to include this in an employee handbook or internal policy, rather than in your outward-facing policy. For more information, see “Privacy policies / information notices”.
The information you must provide to individuals includes:
- The data you collect, how you collect and use it, how long you hold it for, and on what lawful basis you do this
- Individuals’ rights under the GDPR
- If you don’t collect the data from them, where you obtain it from
- Circumstances where they are required to provide data, and what happens if they don’t
- Any automated decision-making processes you have which use their personal data
For more information, see “Privacy policies / information notices”.
The GDPR requires the above information to be provided at the time when data is obtained, or (if you didn’t obtain the data directly from the individual) within a reasonable period of obtaining it, or at the very latest, when you first communicate with them.
You may be able to achieve this by placing it on your website and linking to it, or for employees, by making it available on your intranet.
For more information, see “Privacy policies / information notices”.
When assessing the appropriate level of security, you must take account of the risks to the individuals whose data you hold. More sensitive information, or larger collections of it, will need greater security.
Security includes all aspects of your data storage (physical and virtual) as well as your service providers.
Secure systems are only as strong as their weakest link. Individuals can lose data (the most common type of data breach is misplaced USB keys and laptops) or misuse it (using or sharing it when you do not have a lawful basis to do so), which means awareness of data protection needs to extend to all areas of your organisation. For more information, see “Information security”.
Not all organisations will need a Data Protection Officer, but those which regularly and systematically monitor individuals on a large scale (for instance, banks or insurance companies), or process sensitive personal data on a large scale (such as hospitals) will need to. If you don’t think you need one, you should record the basis on which you have come to that conclusion. For more information, see “Data Protection Officers (DPO)”.
The GDPR emphasises ‘privacy by design’. This means organisations should build in protection for privacy before new measures are implemented, not tack them on as an afterthought. For more information, see “Privacy by design”.
Pseudonymising data (using it in a manner which means the individual cannot be identified without further information) is encouraged under the GDPR, and can reduce the restrictions on its use and the scope for data breaches.
Individuals also now have enhanced rights to make requests in relation to their data (including regarding access, deletion, rectification or portability). Having processes in place for how those requests are dealt with should ensure you do not waste time and effort when one is received, and that you are able to comply with any time limits. For more information, see “Overview of the rights of individuals”.
Organisations with 250 or more employees, or which process sensitive data, or which process data that is likely to result in a risk to individuals’ rights and freedoms (and is more than occasional), will need to keep records for inspection. These are similar to the notifications provided to the ICO under the DPA, but are more detailed. For more information, see “Record keeping and accountability”.
Any third parties who process personal data for you must be subject to written contracts with certain detailed information and obligations. This applies from 25 May 2018, so contracts which are still in place on that date may need to be reviewed. For more information, see “Contracts with third parties”.
In addition to the GDPR, there are plans to replace the current Privacy and Electronic Communications Regulations (PECR), which govern direct electronic marketing and cookie usage, with new, stricter requirements.
In the meantime, you will still need to comply with current PECR requirements around consent and making opt-outs available. For more information, see “Marketing and cookies”.
Current rules on the level of consent necessary to sell marketing lists are already restrictive. The GDPR will only make this more difficult. If you buy in personal data you will need robust protections in your contract with the seller, and should conduct reasonable due diligence to ensure that they have complied with their obligations.