GDPR is coming, whether you’re ready or not. We asked Samantha Oakley from SO Law to write a blog that cuts through the jargon and explains what’s happening, and how PLATF9RM members can ensure they’re compliant by 25 May.
*Samantha is giving a talk called ‘Be A Star @ GDPR’ on 14 March at PLATF9RM Tower Point. It’s sure to be an educational morning and we suggest you attend, whatever the size of your business.
Why be a Star @ GDPR?
It’s pretty simple. Failure to comply with GDPR could see you facing fines of up to €20 million, whilst suffering damage to your company’s reputation that could lead to the loss of customer confidence in your products and services.
Data protection laws don’t just apply to marketing and big data businesses; GDPR actually specifies that it applies to micro, small and medium-sized enterprises.
What is GDPR?
GDPR is the new data protection regulation being implemented to tighten up the protection of personal data. It comes into force on 25 May 2018.
They state that data protection now needs to be implemented by design and default. This means that it needs to be at the heart of decision-making processes that involve any personal data and that such decisions need to be documented.
GDPR states that you need to implement appropriate technical and organisational measures such as pseudonymisation (i.e. ensuring that the information needed to attribute personal data to an individual is kept separate from the data itself).
It is also necessary to have sufficient cybersecurity to protect an individual’s personal data.
Under GDPR, personal data now includes anything that makes an individual identifiable. So, as well as the obvious things like name and address, it also includes things such as location data, IP address, cookie identifiers, photos, genetic material or cultural and social identifiers.
This covers everything from email lists and CRM (Customer Relationship Management) databases to images and videos you post on social media. It also includes the systematic monitoring of a publicly accessible area such as CCTV.
And yes, I know that’s a lot!
What Do I Need To Know About GDPR?
There are 6 legal bases on which personal data can be processed:
- Consent;
- Necessary for the performance of a contract;
- Compliance with a legal obligation;
- Protect the vital interests of the individual;
- Performance of a task carried out in the public interest; or
- Legitimate interests.
GDPR emphasises protecting an individual’s rights and freedoms in relation to their personal data, so in order to process personal data you must first choose one of these bases.
In addition, personal data can only be collected for specified and legitimate purposes and limited to data that is adequate and necessary for the specified purpose. You also can’t keep it for longer than necessary. In layman’s terms: this means you can’t just collect and keep individuals’ personal data on the off-chance it will be useful in the future.
One of the most common bases for processing personal data is consent. However, GDPR makes it clear that consent must be given via an affirmative action (e.g. ticking an opt-in button) and it must be (i) freely given; (ii) specific; (iii) informed; and (iv) unambiguous. In other words, you need to tell individuals exactly what data you will be collecting and what you will do with that data. This includes informing individuals about any other companies that you will give the data to.
If you are processing data of a child (anyone under 16 years of age) then you need to get parental consent.
If you are processing personal data of employees, then the UK government could bring in additional requirements, so you may need to seek advice with regard to this.
What Rights Do Individuals Have Over the Processing of Their Personal Data?
As already mentioned, individuals have enhanced rights with regard to the processing of their data, i.e. the right to:
- Access their data in an easily accessible form;
- Request confirmation as to whether or not their personal data is being processed;
- Rectify any inaccurate data;
- Request erasure of any of their personal data (aka the Right to be Forgotten);
- Restrict the processing of their personal data;
- Object to the processing of their data;
- Withdraw their consent to you processing their data at any time;
- Portability of their data; and
- Not have a decision made about them based solely on automated processing (aka profiling).
An individual can exercise these rights by submitting a request in writing (aka a Subject Access Request or SAR).
You have to respond to such SARs using clear and plain language without undue delay (and in any event within one month) and this now has to be done free of charge.
If you don’t comply with any of these requests an individual has the right to lodge a complaint with the Information Commissioner’s Office (ICO).
An individual also has the right to seek a judicial remedy (i.e. sue your company) separate to making a complaint to the ICO. This means that an individual can get damages (monetary compensation) from you, as well as you receiving a fine from the ICO.
What Do I Have To Do?
You need to implement appropriate technical and organisational measures in order to show compliance with GDPR and be able to demonstrate that the processing of personal data is done in accordance with GDPR.
You need to make sure that you have appropriate data protection policies in place.
You need to ensure that any third parties that process personal data on your behalf also comply with GDPR. This includes any software service provider that carries out certain functions on your behalf (e.g. payroll).
You need to notify the ICO asap in the event of a personal data breach, and not later than 72 hours after becoming aware of it. If the breach is likely to result in high risk to the rights and freedoms of an individual then you also have to notify the affected individuals asap.
You need to carry out a Data Protection Impact Assessment if the processing is likely to result in high risk to the rights and freedoms of individuals (e.g. large scale processing, profiling, processing sensitive personal data). This must be done before the processing takes place.
You need to appoint a Data Protection Officer if you carry out regular and systematic monitoring of data subjects on a large scale, or large scale processing of special categories of data.
You need to comply with additional provisions if you are going to transfer data outside of the EU/EEA. It is not clear how this will apply to the UK post Brexit.
Still confused? Don’t worry, it’s not too late! If you want to learn more about GDPR come to our talk on 14th March.