Guide to the GDPR for Businesses
The GDPR is an acronym for the General Data Protection Regulation. This is a European-wide Regulation from the European Union and has direct effect in every member state.
In an age of ‘big data’ and high-profile data breaches, the aim is to enhance individuals’ protection of, and control over, their personal data, while standardising data protection practices across the EU to make trade between these countries more straightforward.
As a business owner, you need to be seen to be taking data protection seriously. A breach can not only impact your organisation’s finances, it can also do irreparable harm to your reputation.
Who does the GDPR apply to?
The GDPR applies to data controllers and data processors. Controllers determine the purpose and means of processing personal data; whereas a processor is responsible for processing personal data on behalf of the controller. For the purposes of this article, we refer generally to businesses as both data controllers and processors.
Although the GDPR places obligations on both, and both could be subject to fines and censure if it is breached, it is essential that you identify which category you fall into.
The GDPR applies to processing carried out by organisations operating within the EU and those outside the EU who trade with it. It is for this reason that post-Brexit you are unlikely to see any relaxation in the rules as they apply in the UK.
It’s also important to note the GDPR applies to both automated and manually-collated information.
What is ‘personal data’?
Personal data is any information that can be used to identify an individual either directly or indirectly. Examples of such data include a person’s name, identification number, location data and online identifier.
There is a category of data to which organisations must apply additional safeguards. Previously referred to as sensitive personal data, the GDPR refers to it as ‘special categories of personal data’. This can include, but is not restricted to, health information and genetic and biometric data when processed to identify an individual.
What does my business need to do to comply with the GDPR?
One of the main principles behind the GDPR is that data should be processed lawfully, fairly and transparently in relation to individuals. In short, this means that you are required to carry out a full review of the data you are collecting and processing.
Data should only be collated if necessary, stored securely, kept up-to-date and retained for a reasonable period. GDPR places an obligation on businesses to be able to demonstrate compliance in all these areas.
To do so, you must maintain written records of key details such as processing purpose, data sharing and retention. The records must be up-to-date and reflect current processing activities. These records may be requested by the Information Commissioner’s Office (ICO), the independent body charged with monitoring and enforcing compliance.
The regulations are complicated, and it is recommended that you take professional advice to ensure that you are fully compliant with them. In brief, as an organisation, you should analyse and document what information you are currently obtaining from individuals, how that information is used, and on what lawful basis you are processing it.
The GDPR sets out six ways in which processing data is considered lawful:
1. The data subject has given consent to the processing of their data for one or more specified purposes.
2. The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract.
3. The processing is necessary for compliance with a legal obligation to which the controller is subject.
4. The processing is necessary to protect the vital interests of the data subject or another natural person.
5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. The processing is necessary for the purposes of legitimate interests (the ‘legitimate interests’ condition). This does not apply to processing carried out by public authorities in the performance of their tasks.
Consent has often been seen as the cover-all option for businesses, but the GDPR strengthens the requirements of what constitutes valid consent. Consent is only considered to be valid if it is:
- Actively and freely given – Pre-ticked consent boxes will no longer be permissible.
- Unambiguous – It cannot be contained in a list of other terms and conditions. You must be able to consent to individual uses separately from other contractual matters.
- Specific – It needs to be clear what you are consenting to. This may mean that you need more than one tick box for different processing uses.
- Named – The data controller must be named for consent to be valid. This means no more generic tick boxes that request consent to pass information to unknown third parties.
- Demonstrable – The consent must be documented.
- Easy to withdraw – This will generally be by the same method that you used to consent.
- No imbalance of power – For instance, consent should not be the basis of lawful processing between a public body and an individual.
- Current – The consent must be up-to-date. As a default, it should be refreshed every two years, but there may be specific reasons for the consent to be refreshed more or less frequently.
If, as a business, you can find a lawful basis to process the data you hold that is not based on consent, then that should be your first port of call.
For instance, many landlords ask their tenants to consent to the processing of their information, when in fact the data is processed in performance of the tenancy agreement. Equally, many employers seek consent to process employee information where they may be able to rely on other conditions. Passing information to HMRC, for instance, would count as processing for compliance with a legal obligation.
Data Protection Officers
The GDPR also creates a statutory Data Protection Officer (DPO) role. This can be an in-house role or can be outsourced to an external supplier. Either way, a DPO has to have skills and competence in data security and protection to support your organisation in meeting its duties.
The obligation to have a DPO can fall on your business whether you are a controller or a processor. It is mandatory to have one in certain circumstances relating to processing carried out by public bodies; or if you are involved in the regular and systematic monitoring of data subjects on a large scale (for instance CCTV in a city centre); or if you process, on a large scale, sensitive data and data relating to criminal convictions and offences.
The definitions surrounding these categories are still relatively wide. To find out whether you should be employing a DPO you should consult a solicitor who will be able to consider the nature of your business’ core activities.
Privacy statements and personal rights
The main focus of these regulations is on increasing individuals’ rights. These are identified as a right:
- To be informed;
- Of access;
- To rectification;
- To erasure;
- To restrict processing;
- To data portability;
- To object; and
- Relating to automated decision making including profiling.
These rights have to be brought to the attention of the data subject at the first point of communication and in your privacy statement. Most websites have privacy statements, but the GDPR sets out a strict set of conditions that must be included to ensure compliance with the Regulation, and to ensure that the aim of individual control over their data is met.
The conditions to be set out in the privacy statement can be broken down into two sections.
The first contains information that the ICO deems to be incredibly important and which should be set out at the point that data is collected. This includes details such as the purpose and legal basis for collecting the data, along with the name and contact details of the data controller and data protection officer.
The second set, while still important, could be contained in a click-through section on the website. These refer to the individual’s right to withdraw consent and how to make a complaint to the ICO.
What happens if my business doesn’t comply with GDPR?
The GDPR is a complex piece of legislation, demanding a systematic and operational change in the way that businesses approach, handle and manage data.
Failure to comply with the GDPR could result in substantial fines. The GDPR provides for fines of up to 20 million Euros or 4% of global turnover – significantly more than under previous UK requirements. To put that in context, in October 2016 Talk Talk received the biggest fine ever issued by the ICO of £400,000. Under the GDPR that fine could have been in the tens of millions.
If there has been a personal data breach, it is now mandatory that you inform the ICO within 72 hours if there is a risk to the data subject. If there is a high risk to the data subject, then you must also advise the individual – unless the information was encrypted.
The ICO has other enforcement powers over and above fines. It can stop your organisation from processing data, which could mean that your business can’t trade. The ICO has been recruiting hundreds of new staff to ensure that it will be able to effectively enforce the new regime.
Do I need legal advice?
The proliferation of data over the last two decades has led to an increase in data misuse, and the GDPR firmly refocuses on the individual, or ‘data subject’, and provides them with more rights to take back control of how businesses use their personal data.
Given the consequences of a failure to comply with the GDPR, it is essential that you carry out an audit of the data processing tasks within your business, and systematically document compliance with the regulations. A lawyer can assist with that process, help draft GDPR-compliant processes and policies, and advise on the legal basis for processing. They can also confirm the steps that must be taken in the event of a breach. As a business owner, the importance of ensuring compliance cannot be overstated. Customers now expect it, and the ICO demands it. Your solicitor will help you achieve it.