What does the GDPR mean for me?
In summary the GDPR states that personal data should be:
- a) processed lawfully, fairly and in a transparent manner;
- b) collected for specified, explicit and legitimate purposes; which essentially means that data cannot be used later for different purposes such as marketing;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- d) accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that inaccurate data is erased or rectified without delay;
- e) kept in a form which allows identification of data subjects for no longer than is necessary for the purposes for which the personal data is being processed; personal data may be stored for longer periods if it is being processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals); and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
What are the main changes?
The most significant change is that you must now have at least one lawful basis for processing the data. The concept of a “lawful basis” replaces the previous requirement to satisfy a condition for processing.
Processing has a lawful basis in one of the following six circumstances:
- Consent: this means you have clear, unambiguous consent from an individual to process their personal data for a specific purpose. Consent is now given by affirmative action by the individual.
- Contract: this means that it is necessary to the contract you have with an individual to process their personal data in order to carry out contractual obligations to them.
- Legal obligation: this means that it is necessary to process an individual’s personal data in order to comply with the law.
- Vital interests: this means that it is necessary to process an individual’s personal data to protect someone’s life.
- Public task: this means that it is necessary to process an individual’s personal data in order to perform a task in the public interest or for official functions; and the task or function has a clear basis in law.
- Legitimate interests: this means that it is necessary to process an individual’s personal data for legitimate interests or the legitimate interests of a third party. However, where there is good reason to protect the individual’s personal data, this will override those legitimate interests.
A lawful basis for processing data should be determined from the start, before the data is processed, and you should not be changing the basis for processing the data at will. The lawful basis is determined by the reason for collecting the data, and if you can achieve your aim through other means the lawful basis will be invalid. If the lawful basis legitimately changes after you have collected the personal data, an individual must be notified and the document recording consent must be changed.
There is not a set format for recording consent and the lawful basis on which you are processing the personal data, but you should ensure that your business’ policies and procedures are up to date and contain all the relevant information to show that the Regulations are being complied with.
The GDPR also enhances an individual’s right:
- to be informed about what data is being processed;
- to access the information (subject access requests);
- to rectify inaccurate or incomplete data;
- to request the removal or deletion of data;
- to block the processing of data;
- to move and reuse their data across different services (portability); and
- to object to the processing of the data for different purposes, including direct marketing, research or statistical purposes and to prevent automated decision making and profiling.
A data protection breach includes the destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Any breach must be reported to the relevant supervisory body within 72 hours of being detected if it could result in a risk to the rights of the individual. Failure to report a breach is a breach of the GDPR in itself, and any delay in reporting the breach must be justified. A GDPR breach can result in a fine of up to 4% of annual worldwide turnover or 20 million euros.
Data Protection Impact Assessment
Where activities are likely to cause a high risk to an individual’s rights and freedoms, you must complete a Data Protection Impact Assessment. If the assessment reveals a high risk, permission must be sought from the relevant regulator before proceeding.
It is essential to have a privacy statement setting out your approach to the collection of data and how you will process this. The Information Commissioner’s Office, the regulator in the UK, advises that a privacy notice should tell individuals:
- who you are;
- what you are going to do with their information; and
- who it will be shared with.
The statement should also include any other relevant information.
Failing to disclose relevant information could make the processing of the data unfair.
Subject Access Requests (‘SAR’)
The rules for dealing with SARs will change under GDPR. You will no longer be able to charge for complying with a SAR, and the request must be complied with within a month instead of the current 40 days. This is a significant change to the position under the DPA.
Unfounded or excessive requests may be rejected. To assist in defending your position in the event of a complaint, we would advise having a clear policy in place setting out the grounds on which a request may be refused.
Children’s personal data will require a parent or guardian’s consent before it can be processed lawfully.
At this stage our advice is to undertake a review of the data you hold, check it is up to date, accurate and being held for the relevant purpose for which it was collected. This review should also include a check that the correct consents are in place, as well as monitoring the policies and procedures (including all privacy statements) used to record this.
If personal data is outsourced to a third party you must ensure that the third party is also compliant with GDPR and that your agreement with the third party covers their requirement to comply.
If your business does not already have a Data Protection Officer in place then now is a good time to appoint a designated officer. Ensure that those involved in the processing of data or dealing with any requests for data or complaints about breaches are fully trained and aware of the provisions of GDPR.