Understanding the basics of General Data Protection Regulations (‘GDPR’)

5 Oct, 2017

We all need to be aware that compliance with GDPR is not optional.  Whilst it is more relevant to some businesses than others (marketing, PR, HR and recruitment to name a few), all businesses need to take on board what GDPR is and what they need to do to comply.  In this article we have tried to condense a meaty topic down in to the basics

• Who does it apply to?

GDPR applies to both “controllers” and “processors” of data.  The definitions for these are broadly the same as the Data Protection Act (‘DPA’).  A controller says how and why personal data is processed and a processor acts on the controllers behalf (think of a business and its outsourced IT – the business is the controller but the IT company processes the data by holding it on their servers).

GDPR places specific legal obligations on processors including more legal liability if you are responsible for a breach.  Controllers will need to ensure they contract with processors that are compliant with GDPR.

• What information does GDPR apply to?

Personal data

GDPR applies to personal data. Be careful not to be too narrow with your definition of personal data. This is much more detailed and wider than DPA to reflect technological changes and the way that organisations collect data, for example a work e-mail address can now be construed as personal data.   Anything that previously fell under DPA will fall under GDPR including HR records, consumer lists and contact details.  It applies to:

• Automated personal data
• Manual filing systems where data is accessible according to specific criteria

This is wider than under DPA.

Coded personal data could be caught by GDPR if it can be attributed to a particular individual.

Sensitive data

This is “special categories” of personal data and whilst similar to DPA now includes genetic data and biometric data where it is processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included within this category but safeguards do apply to its processing.

Key areas to consider:

Lawful processing

You must have a lawful basis before you can process personal data.  You must determine this at the outset and document it.  Lawful reasons for processing data include:

• Consent of the data subject
• Processing is necessary for the performance of a contract
• Processing is necessary for compliance with a legal obligation
• Processing is necessary to protect the vital interests of the data subject or another person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Necessary for the purpose of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Consent

Consent is now a key area for businesses to consider.  Consent must be:

• Freely given
• Specific
• Informed
• Unambiguous

Consent requires an affirmative action – a positive opt in.

The request for consent must be separate from other terms and conditions, so no sneaky clauses at the bottom of your T&Cs to allow marketing!

Individuals must be able to withdraw consent.

Children’s personal data

There are new provisions to enhance the protection of children’s personal data but we won’t go in to this in any depth here.

New rights for individuals

GDPR creates some new rights for individuals but also strengthens some that are already in existence under the DPA.  For further information on the new rights for individuals see our previous article here

Accountability and Governance

Key to GDPR is accountability and transparency which was previously only implicit in data protection law.  Comprehensive but proportionate measures should be put in place and you should be able to demonstrate that you comply with the principles.  But how?

• You could have technical and organisational measures in place for example policies, staff training, internal audits and reviewing internal HR polices.
• Maintain documentation on processing activities.
• Appoint a Data Processing Officer (if appropriate).
• Implement measures that by default or design result in compliance e.g data minimisation
• Implement Codes of Conduct or certifications such as Cyber Essentials, IASME or ISO 27001

Breach notification

All organisations must report certain types of data breaches under GDPR.   These must be reported to the relevant supervisory authority and in some cases to the individual affected.

Relevant breaches for notification to a supervisory body are those which are likely to result in a risk to the rights and freedoms of individuals.

Individuals must be notified where a breach is likely to result in a high risk to the rights and freedoms of individuals.   This is therefore a higher threshold than for notification to the relevant supervisory authority.

Under GDPR breaches must be notified within 72 hours of awareness by the organisation.

Transfer of personal data

GDPR now imposes restrictions on the transfer of personal data outside of the EU.  This is to ensure that GDPR provisions are not undermined.

It is important to remember that if you are complying properly with the DPA then this compliance will remain valid under GDPR and can be a good starting point to build from.  However, the above sets out some key differences and some things will have to be done differently to ensure compliance.

For more information in the above please see the ICO website.  The ICO continues to issue new guidance on GDPR compliance.  We will update you as we receive this guidance.  In the meantime, we are running a practical 1 day training course in association with Risk Evolves.  We have two places remaining on our course in October.  For more details including how to book click here.