What Is GDPR? Including Best Practice
What Is GDPR?
The General Data Protection Regulation is new EU-wide legislation which aims to put control of personal data back into the hands of the individual. New rules on data collection and data processing give individuals enhanced rights to access, correct, restrict or withdraw their data.
This new legislation will replace the existing Data Protection Act (1998) for companies based within the United Kingdom. However, the GDPR applies to all companies worldwide that process personal data, or monitor behaviour, of data subjects who reside in the EU.
GDPR was agreed upon by the European Parliament in April 2016, starting the countdown to enforcement from May 25th 2018. Companies that fail to reach compliance by this date will be subject to potentially large fines and penalties of up to €20m or 4% of global annual turnover, whichever is greater. The GDPR goes further than previous legislation, enabling data subjects to claim compensation from data controllers or processors who infringe the regulation for the damage they have suffered.
We, as a data processor, are committed to supporting our customers as we all navigate the necessary changes and enhancements to our processes and business practices in preparation for the enforcement date. This initial guide lays out key information about GDPR, including links to useful resources to assist you in preparing your organisation for compliance.
Please note: whilst we will support you by presenting the key concepts within GDPR, this page and any other relating to GDPR created by Esteiro Business Solutions Ltd is only intended to provide general guidance. Please contact a legal representative for any formal legal advice.
Who Does GDPR Apply To?
The new regulation applies to ‘controllers’ and ‘processors’. A controller is the business that determines how and why personal data is processed. A processor is a third party who processes that data on the controller’s behalf. If you process any form of personal data either in the EU, or of data subjects who are in the EU (even if only temporarily), then the GDPR applies. There are a small number of exemptions for specific activities, such as processing covered by the Law Enforcement Directive, processing for national security or processing carried out by individuals purely for personal (not business related) reasons. Note that the 250-employee threshold often quoted for small businesses is not an exemption from the GDPR itself: it only relieves organisations with fewer than 250 employees of the duty to maintain records of processing activities (Article 30), and even that relief falls away if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data as defined in Article 9. When you consider how often you deal with personal data, which includes present and past employees, then most organisations will be affected. For help with GDPR see ‘Making data protection your business self assessment’.
What Is Personal Data?
Almost every organisation, whether B2B or B2C, will process personal data under the new regulations. If the Data Protection Act currently applies to your business, you can safely assume GDPR will too. Under GDPR’s definition, personal data is essentially any information that could be related to an identifiable and living human being. The official definition from Article 4(1) reads: ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This can include obvious details such as name or address, but also online identifiers such as an IP address, a device ID or a cookie identifier.
What Do I Need To Do For GDPR?
The GDPR has similar principles to the current Data Protection Act (DPA), so current compliance with the DPA will provide a firm foundation. However, there are significant enhancements and additional requirements under GDPR which you will need to review and bring into your organisation’s existing data protection framework. The most useful resource, alongside the text of the GDPR itself, will be the Information Commissioner’s Office (ICO) website. The ICO is the supervisory authority responsible for regulating and enforcing GDPR in the UK. They have a useful livechat feature which can help you check whether an assumption you are making is compliant. If you do not currently have a GDPR plan in place, the ICO’s Getting Ready for the GDPR will help you to create a quick assessment of your current position. The Information Commissioner’s Office has a suggested list of processes to run through to become GDPR compliant. We’ve summarised the key points as general guidance; refer to the Preparing for the General Data Protection Regulation PDF for more information.
- Raise awareness in your business and get key stakeholders involved. Start a risk register to record any areas that could cause compliance issues. Use the ICO’s website and a copy of the GDPR to start recording your plan.
- Organise an information audit across your business to identify what personal data you hold, where it comes from, why you process it, how long you keep it and anywhere you share it. Keep the output as a maintained record of your processing activities, which Article 30 requires for most organisations, rather than as a one-off exercise.
- Review your privacy notices with plenty of time to update them before the May 2018 deadline. There is a need for privacy policies to contain additional information, but also for this information to be provided in clear, concise and easy to interpret language.
- Check your procedures against the 8 rights individuals have within the GDPR:
  - The right to be informed
  - The right of access
  - The right to rectification
  - The right to erasure
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - The right not to be subject to automated decision-making including profiling
- Identifying any areas to improve on is a good starting point to identify the changes that need to be made within your organisation. Generally, the GDPR rights are an enhancement to the current rights of individuals within the Data Protection Act, but with some additions. For example, the right to data portability is a new requirement.
- The requirements for Subject Access Requests (SARs) are changing considerably. The standard charge is being removed, which is leading many to speculate that the number of SARs made will increase. SARs must be complied with within one month (extendable by a further two months only where requests are complex or numerous, and the individual must be told of the extension within the first month), so it is recommended that you prepare a procedure and order of responsibility to process these efficiently, including how you will verify the requester’s identity before releasing data.
- It’s worth familiarising yourself with the various lawful bases available for processing personal data. You will need to identify which lawful basis is appropriate for each type of personal data you process, document it, and ensure you follow the necessary procedures to meet the requirements of GDPR for each type. For example, there are significant additions to the requirements for consent as a lawful basis over and above the current Data Protection Act.
- The Information Commissioner’s Office is specifically addressing consent as a lawful basis with its detailed guide to consent. If you currently hold personal information under consent, you will need to review this information and determine whether your existing consent meets the additional requirements of the GDPR. For example, pre-ticked boxes cannot be used as a basis of consent, consent must be as easy to withdraw as it was to give, and you must be able to evidence when and how it was obtained.
- Consent for marketing calls, messages, website cookies or other online tracking methods is detailed in the current Privacy and Electronics Communications Regulations 2003 (PECR). However, there will be a new ePrivacy Regulation due to come into force alongside the GDPR in May 2018. This new EU wide legislation is currently in development, with a deadline of December 2017 for the new legislation to be finalised. As yet the ICO are not releasing guidance as the legislation is not yet available to review.
- The six lawful bases for processing personal data under the GDPR (Article 6) are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. After your data audit, you will need to document which lawful basis each group of data is processed under. Consent is only one option out of six, and is likely to be the most difficult to comply with; where another basis genuinely applies, it is usually the better choice.
- If you process personal data belonging to children, you will need to ensure you are ready to meet the extra requirements for handling this type of information. This especially impacts consent and online commercial services aimed at children: Article 8 requires parental authorisation before relying on consent for online services offered directly to a child below the age threshold set by the member state, so you will need a way to establish age and, where required, verify that authorisation.
- There are enhanced requirements for data breaches under the GDPR. You will need to have procedures in place to detect, report and investigate a personal data breach. Unless the breach is unlikely to result in a risk to individuals, it must be notified to the Information Commissioner’s Office within 72 hours of becoming aware of it, and where it is likely to result in a high risk the affected individuals must be told without undue delay. You must also keep an internal record of all breaches, including those you decide not to notify. It is recommended that you have a full breach plan in place before May 2018.
- Data Protection Impact Assessments (DPIAs) will become mandatory where processing is likely to result in a high risk to individuals (Article 35), for example large-scale processing of special category data or systematic monitoring of public areas. Privacy impact assessments can become part of your existing risk or project management workflow. Further information is available in the ICO’s guide to conducting Privacy Impact Assessments.
- You may be required by the GDPR to appoint a Data Protection Officer if you do not already have one. Appointment is mandatory for public authorities, and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data (Article 37). Not all organisations will be required to appoint one; however, it may be worth considering to assist you in becoming compliant.
- If your business is operating out of more than one EU member state you will need to identify which is the main establishment, as this determines your lead supervisory authority, and make this known to the relevant supervisory authority.
For further information on GDPR please visit the ICO website directly or speak with your internal DPO in your business.