Why be a Star @ GDPR?
Because if you don’t, you could face fines of up to 20,000,000 Euro (or 4% of worldwide annual turnover, whichever is higher) and/or suffer damage to your reputation/brand that could lead to the loss of customer confidence in your products/services.
Data protection law doesn’t just apply to marketing and big data businesses; GDPR makes clear that it applies to micro, small and medium-sized enterprises too.
What is GDPR?
GDPR is the new EU data protection regulation (Regulation (EU) 2016/679). It tightens up the protection of personal data and applies from 25 May 2018.
It requires data protection by design and by default. This means that data protection needs to be at the heart of any decision-making process that involves personal data (not an afterthought) and that such decisions need to be documented.
GDPR requires you to implement appropriate technical and organisational measures to protect personal data, and it names pseudonymisation and encryption as examples. Pseudonymisation means replacing the details that identify an individual with a token, and keeping the information needed to attribute the data back to that individual separately and under its own access controls. Note that pseudonymised data is still personal data under GDPR, because it can be re-identified using that separately held information; only truly anonymised data falls outside the rules.
It is also necessary to have a level of cybersecurity appropriate to the risk in order to protect individuals’ personal data.
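The following is an added illustration of the pseudonymisation approach described above; it is not code from the original post or from SO Law. It replaces the e-mail address in a small customer list with a keyed-hash token, so the working dataset can still be analysed (rows about one person stay linked) while the lookup table needed to name anyone is held separately. The customer records, key handling and field names are constructed for the example.

```python
"""Pseudonymising a customer list with a keyed hash (HMAC-SHA256).

Added illustration for the paragraph on pseudonymisation; not code from the
original post. Records, key handling and field names are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a small CRM-style export. Two rows belong to the same person.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend_gbp": 120},
    {"email": "bob@example.com",   "postcode": "M1 1AE",   "spend_gbp": 45},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend_gbp": 80},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Return a deterministic token for one identifier.

    HMAC-SHA256 rather than a bare SHA-256: a plain hash of an e-mail address can be
    reversed by hashing a list of likely addresses and comparing, whereas without the
    key the HMAC cannot be recomputed. Same identifier + same key -> same token, so
    rows about one person can still be linked for analysis.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes, field: str = "email") -> Tuple[List[dict], Dict[str, str]]:
    """Replace `field` in every record with its token.

    Returns the working dataset and a separate token -> identifier lookup table.
    The lookup table (and the key) are the 'additional information' that must be
    stored apart from the working data and under their own access controls; anyone
    holding only the working dataset cannot attribute a row to a named person.
    The input list is not modified.
    """
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(rec[field], key)
        lookup[token] = rec[field]
        working.append({**rec, field: token})
    return working, lookup


def total_spend(working: List[dict]) -> Dict[str, int]:
    """Aggregate spend per customer token using only the working dataset,
    i.e. without re-identifying anyone."""
    totals: Dict[str, int] = {}
    for rec in working:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["spend_gbp"]
    return totals


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-identification needs the separately held lookup table; None for unknown tokens."""
    return lookup.get(token)


if __name__ == "__main__":
    # In practice the key is generated once and kept in a secret store separate from the data.
    key = secrets.token_bytes(32)
    working, lookup = pseudonymise(CUSTOMERS, key)
    for rec in working:
        print(rec)
    print(total_spend(working))
    # Caveat: the remaining columns still matter. A full postcode plus spend may single
    # out a person on its own, so the pseudonymised dataset remains personal data.
```

The design point is the separation: the analytics team receives only the working dataset, while the key and lookup table sit in a different system with their own access control and logging. Re-identification is then a deliberate, auditable act rather than something anyone with the spreadsheet can do.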
Under GDPR, personal data includes anything that makes an individual identifiable, directly or indirectly, so as well as the obvious things such as name and address it also includes things such as location data, IP addresses, cookie identifiers, photos, genetic data and factors specific to a person’s cultural or social identity.
This means that it covers everything from email lists and CRM (Customer Relationship Management) databases to images and videos you post on social media. It also includes the systematic monitoring of a publicly accessible area such as CCTV.
What Do I Need to Know about GDPR?
Personal data has to be processed lawfully, fairly and in a transparent manner.
There are 6 lawful bases on which personal data can be processed (Article 6(1)):
•Consent of the individual;
•Necessary for the performance of a contract;
•Compliance with a legal obligation;
•Protecting the vital interests of the individual;
•Performance of a task carried out in the public interest; or
•The legitimate interests of you or a third party (unless overridden by the individual’s interests, rights and freedoms).
GDPR emphasises protecting an individual’s rights and freedoms in relation to their personal data, so before you process personal data you must identify which of these bases you are relying on.
In addition, personal data can only be collected for specified, explicit and legitimate purposes, limited to what is adequate and necessary for those purposes, and kept for no longer than is necessary (i.e. you can no longer just collect individuals’ personal data for the sake of it).
One of the most common bases for processing personal data is consent. However, GDPR makes it clear that consent must be given by a clear affirmative action (e.g. ticking an opt-in box; pre-ticked boxes, silence or inactivity do not count) and it must be (i) freely given; (ii) specific; (iii) informed; and (iv) unambiguous. In other words, you need to tell individuals exactly what data you will be collecting and what you will do with it (including which other people or companies you will pass it to), and you must be able to show that they agreed.
If you are relying on consent to offer online services to a child then you need parental consent. GDPR sets the threshold at under 16 but lets each member state lower it to as low as 13, and the UK has opted for 13 (Data Protection Act 2018).
If you are processing personal data of employees then the UK government could bring in additional requirements, so you may need to seek advice with regard to this.
What Rights Do Individuals Have Over the Processing of Their Personal Data?
As already mentioned, individuals have enhanced rights with regard to the processing of their data, i.e. the right to:
•Access their data in an easily accessible form;
•Request confirmation as to whether or not their personal data is being processed;
•Rectify any inaccurate data;
•Erasure of any of their personal data (aka the Right to be Forgotten);
•Restrict the processing of their personal data;
•Object to the processing of their data;
•Withdraw their consent to you processing their data at any time;
•Portability of their data; and
•Not be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on them.
An individual can exercise these rights by making a request, verbally or in writing (a request for access to their data is known as a Subject Access Request or SAR).
You have to respond to such requests using clear and plain language without undue delay, and in any event within one month (extendable by a further two months if the request is complex or you receive several). This now has to be done free of charge, unless the request is manifestly unfounded or excessive.
If you don’t comply with any of these requests an individual has the right to lodge a complaint with the Information Commissioner’s Office (ICO).
An individual also has the right to seek a judicial remedy (i.e. sue you/your company) separately from making a complaint to the ICO. This means that an individual can get damages (monetary compensation) from you, as well as you receiving a fine from the ICO.
What Do I Have to Do?
You need to implement appropriate technical and organisational measures in order to show compliance with GDPR and be able to demonstrate that the processing of personal data is done in accordance with GDPR.
You need to make sure that you have appropriate data protection policies in place.
You need to ensure that any third parties that process personal data on your behalf also comply with GDPR, and you need a written contract with them setting out their obligations (Article 28). This includes any software service provider that carries out certain functions on your behalf (e.g. payroll).
You need to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals’ rights and freedoms). If the breach is likely to result in a high risk to the rights and freedoms of individuals then you also have to notify the affected individuals without undue delay.
You need to carry out a Data Protection Impact Assessment if the processing is likely to result in a high risk to the rights and freedoms of individuals (e.g. large scale processing, profiling, processing special categories of personal data). This must be done before the processing takes place.
You need to appoint a Data Protection Officer if you are a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if they involve large scale processing of special categories of data.
You need to comply with additional provisions if you are going to transfer personal data outside the EU/EEA. It is not yet clear how this will apply to the UK post-Brexit.
If you have any concerns please contact me at: firstname.lastname@example.org.
This blog is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© SO Law 2018