DATA PROTECTION: General Data Protection Regulation (GDPR) from 25 May 2018
The European Union’s General Data Protection Regulation (GDPR) aims to protect the personal data and privacy of EU citizens. It comes into effect on 25 May 2018.
The GDPR is wide-reaching in scope and brings about major changes to the way organisations record, archive and process their data. Organisations will be obliged to be more accountable for data protection, and individuals will have the right to control how their personal information is collected and processed.
Who GDPR applies to
The GDPR applies to all EU organisations that collect, store or process the personal data of individuals residing in the EU.
Organisations outside the EU that offer goods and services to EU residents, process EU residents’ personal data and monitor the behaviour of EU residents will also be subject to the GDPR.
It must be noted that data processors (an organisation processing data on behalf of another organisation) will also be under the remit of the GDPR.
6 privacy principles
Compliance is not a choice. Organisations will have to demonstrate compliance with the data protection principles.
Personal data must be:
- Processed lawfully, fairly and transparently.
- Collected only for specific legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only as long as is necessary.
- Processed in a way that ensures appropriate security, integrity and confidentiality.
What GDPR applies to
The GDPR applies to personal data – any information that can identify a person (directly or indirectly). Personal data would include a person’s:
- Sexual orientation
- Health information
- Political opinions
- Memberships / Affiliations (e.g. trade union membership)
- Online behaviour
- Profiling and analytics data
- IP address
- Location data
- Biometric data
- Genetic data
The cost of non-compliance
Organisations must be compliant by 25 May 2018 or face hefty fines of up to €20 million or 4% of the organisation’s annual turnover, whichever is higher.
The costs of non-compliance or violations go beyond hefty fines. Non-complying organisations may be exposed to compensation claims for damages suffered and risk damage to their reputation as well as losing customers’ trust.
The Information Commissioner’s Office (ICO) has confirmed that UK organisations handling personal data will need to comply with the GDPR and the GDPR will still apply post-Brexit.
Next steps that you need to take ahead of 25 May 2018
- Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact GDPR is likely to have.
- Document what personal data you hold, where it came from and who you share it with. There may be a need to carry out an information audit.
- Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents if they don’t meet the GDPR standard.
- Start thinking about whether you need to put systems in place to verify individuals’ age and to obtain parental or guardian consent for any data processing activity.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and work out how and when to implement them in your organisation.
- Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
- Determine your lead data protection supervisory authority if your organisation operates in more than one EU member state.
How we can support you
Our team can support your business in preparing for the GDPR and help your organisation meet the strict data protection principles.
Contact us today to have your agreements checked for compliance and to put in place a system that meets the GDPR standard.
DATA PROTECTION: GENERAL INFORMATION
This business development briefing highlights the key legal obligations a business should consider when dealing with personal data about customers, suppliers, employees and any other individual who may be encountered during the course of business.
Penalties for failing to deal with personal data appropriately
There could be serious financial, commercial and reputational implications for a business (including possible criminal penalties and fines) if personal data is not handled properly.
Protecting and securing personal data
Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information held by a business or a third party. Personal data needs to be protected and kept secure. This data may include:
- Email address.
- Telephone numbers.
- Date of birth.
- Notes written about someone (such as an annual performance review).
Particular care must be taken with sensitive personal data (for example, medical records) as more restrictive requirements apply to this type of data.
The individual could be a potential or actual employee, customer or supplier, or possibly someone captured on a business’s CCTV footage.
Collecting personal data
A business can only collect personal data if it has a legitimate reason for doing so (for example, because a new employee is coming to work for the business).
When a business collects data about an individual, the business will need to tell that individual what it intends to do with their data (for example, if the business is collecting a customer’s email address to confirm an order). If the purposes for which the business wants to use someone’s data change, the individual must be informed once again.
Businesses should only collect information they require at that particular time. For example, a job applicant should not be asked for their bank details. This type of data should only be collected once the applicant has started to work for the business.
If a business wants to use someone’s data for marketing purposes, the individual must be informed. It is good practice to do this at the time the data is collected. In some cases (such as text or email marketing) a business will generally require the individual’s explicit consent.
Using data collected on individuals
A business is generally allowed to use someone’s personal data if that individual has given their consent. The data can also be used in other circumstances, for example, if the business:
- Needs to use the data to fulfil a contract with a customer (such as using their address to deliver goods to them).
- Has a legitimate interest in using it, although this must be balanced against the individual’s rights (for example, where part of a business has been sold to a third party and customer data needs to be transferred to it).
Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a member of staff).
If a business wants a third party to manage data (such as carrying out payroll services) it should take legal advice. The business will still be responsible for protecting the data and will need to enter into a written contract with the third party.
Businesses should take legal advice if they are considering transferring any data outside the European Economic Area. It is very easy to transfer data outside the country a business is based in (for example, by sending an email to an office outside the UK).
If the data is being used in marketing material, businesses should check that the recipient is aware that their data may be used for this reason and confirm they do not object. A business will generally need the individual’s explicit consent (opt-in) for email, fax and text marketing. If the individual is an existing customer, the business may be able to market similar products to them by these means without prior explicit consent. Businesses should take legal advice in these circumstances.
If a business is considering using sensitive personal data (for example, information about ethnic origin, trade union membership or criminal records), it should take legal advice.
Storing personal data
All data must be accurate and up to date. Databases should be regularly cleaned and out-of-date information must be deleted.
Data should only be held for as long as it is required and for the reason it was collected. For example, if personal data was collected to deliver a product a year ago and has not been used since, it should not be held on the basis that it may be needed for another reason at some time in the future.
Keeping data secure and confidential
Personal data must be kept secure at all times. For example:
- Computers and files should be password protected.
- Personal data on laptops and other portable devices should be kept to a minimum.
- Manual filing cabinets containing personal data should be locked and only accessible to authorised personnel.
- Confidential documents should not be left unattended on desks.
- Personal data should be removed promptly from fax machines, printers and photocopiers.
- Staff should be appropriately trained to handle personal data safely and securely.
When a business sends personal data, it must be done in a secure way (for example, confidential information should not be sent in the internal mail).
Personal data must be disposed of securely (for example, by shredding, placing in confidential waste bags, destroying or securely deleting electronic files). Confidential papers should not be put in the recycling bin.
Security breaches (such as accidentally losing personal data) should be reported to the appropriate person immediately.
Electronic documents, including calendar entries and meeting requests, should be password protected or designated private where appropriate.
Working away from the office
When working away from the office or in public areas:
- Ensure personal data stored on portable devices such as laptops, Blackberries, tablets or memory sticks is encrypted and kept secure at all times.
- Avoid leaving papers or electronic devices lying around.
- Make sure members of the public cannot see confidential documents or computer screens.
- Avoid talking about confidential matters when members of the public may be able to hear.
Enquiries about personal data
Businesses should have a system in place to deal with individuals who request details of the personal information that the business holds on them. A business is permitted to charge an administration fee of up to £10 for responding to this type of request.
Individual employees should not deal with this type of enquiry, unless they have been given specific authorisation to do so. The request should normally be passed to the person within the business who has responsibility for data protection issues.
Personal data should not be given out to the friends or relatives of an individual without that individual’s specific consent.
PLC Business Development Briefing 1.7.16