What is GDPR?
The General Data Protection Regulations replace the Data Protection Act 1998 on the 25th May 2018. GDPR gives people more control over how organisations use their data and consequently imposes a burden on all organisations who control and process data.
What steps should I take in order to be compliant with GDPR?
Make key people in your organisation aware that the law is changing surrounding the retention and processing of personal data. They need to assess the impact of the new law and identify areas where compliance problems may arise.
You should consider how data is handled in your organisation and answer the following questions:
- What data do you hold and why?
- How do you collect the data?
- How and where is the data stored?
- What do you do with the data?
- Who owns and controls the personal data?
- How long is data retained?
- When and by what means is deleted?
- Who is responsible for the data and processors associated with data?
- Do you have adequate technology/process to adequately manage data processing?
What documents do I need to review or create?
When you collect personal data, the law as it stands requires you to give people certain information which is usually done via a privacy notice. The GDPR requires that additional information is provided, such as explaining the lawful basis for processing the data, the period you retain data for and that an individual may complain to the ICO if they believe there is a problem in the way you are handling their data.
You should initially create an internal policy document setting out how you will comply with the GDPR and base all other documents on these policies. You should review your contracts with your suppliers who are data processors to ensure they fulfil their obligations under the GDPR.
You will also need to update your website privacy policies, cookie policies and privacy notices for employees/workers where applicable.
What do I need to detail in my updated privacy notice?
Remember, you need to ensure the information is concise, transparent and easily accessible; written in clear plain language; and available free of charge. This information should be provided at the time the data is obtained.
You must set out:
- Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer.
- Purpose of the processing and the legal basis for the processing.
- The legitimate interests of the controller or third party, where applicable.
- Categories of personal data.
- Any recipient or categories of recipients of the personal data.
- Details of transfers to third country and safeguards.
- Retention period or criteria used to determine the retention period.
- The existence of each of data subject’s rights.
- The right to withdraw consent at any time, where relevant.
- The right to lodge a complaint with a supervisory authority.
- Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Bear in mind that the privacy notice may come in several forms for each kind of interaction (to employees, to clients etc).
What rights do I need to provide for?
The GDPR confers the following rights on individuals:
- The right to be informed.
- The right of access.
- The right of rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The right not to be subject to automated decision-making including profiling.
These rights represent an enhancement of the rights to individuals under current legislation. It is important to consider your procedures and evaluate whether you can fulfil the rights above given the systems and processes you currently use. Changes should be made to ensure these rights are able to be actioned by individuals.
What do I need to consider regarding subject access requests?
Any requests that are made by individuals must now be free of charge in most cases and the period for compliance is now one month, rather than the existing 40 days. Any request that is refused (such as for being manifestly unfounded or excessive) must be accompanied by reasons and state their right to complain to the supervisory authority and to a judicial remedy. This must be done as a matter of priority and within one month.
What is the basis for my processing activity?
Under the GDPR, you must identify the lawful basis for processing activity and document this in your privacy notices. You should review your processing activities and identify your lawful basis for doing so.
The lawful bases are as follows:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
You should consider which of the lawful bases best fits the circumstances and set this out in your privacy notice. Bear in mind that this depends on the specific purposes and the context of the processing. You need to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies.
Why do I need to think about consent?
The GDPR sets a new, high standard for consent which involves an unambiguous and clear, affirmative action. For example, there is a specific ban on pre-ticked opt-in boxes. You will need to review your consent mechanisms to ensure they meet GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key points are as follows:
- Unbundled – consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt in – pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
- Granular – give granular options to consent separately to different types of processing wherever appropriate.
- Named – name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented – keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw – tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship – consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
There is not a requirement to refresh all existing consents for the GDPR implementation, but it is important to review these to ensure they meet the GDPR standard. Where there is non-compliance, it is imperative to seek fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
Do I need to consider preparing for data breaches?
Yes, you should ensure that the right procedures are in place to detect, report and investigate a personal data breach. The GDPR imposes a duty on all organisations to report certain types of data breach to the Information Commissioner’s Office and sometimes to individuals. You only need to report to the ICO where it is likely to result in a risk to the rights and freedoms of individuals. Procedures should be put in place to respond to such breaches.
Do I need to appoint a data protection officer?
Not necessarily. You only need to designate a DPO if you are carrying out regular and systematic monitoring of individuals on a large scale, a public authority or an organisation that carries out the large scale processing of special categories of data, such as health records. You should however designate someone in your organisation to take responsibility for data protection compliance.
What if I am operating internationally?
If your organisation operates in more than one EU member state or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states, then you should determine your lead data protection supervisory authority. This is the location of the authority where your central administration is undertaken. You should map out where the organisation makes its most significant decisions to determine your main establishment to then lead supervisory authority.