The European General Data Protection Regulation (GDPR) will apply in the UK regardless of Brexit. The deadline for compliance (25 May 2018) has come and gone but I know there are business owners out there still wondering what all the fuss is about. So here’s my advice if you have yet to get started on making your business ready for the GDPR.
What is the GDPR?
In a nutshell, the GDPR is intended to give individuals more control over how their personal details are stored and used by commercial businesses, charities and public authorities. Many such organisations routinely collect and process the names, addresses, contact details, credit scores, web surfing habits and other sensitive personal data of individuals, and that information could leave them vulnerable to identity theft or reputational damage if it were mismanaged, lost or stolen.
Under the GDPR, any information in any format that can directly or indirectly identify a living person is ‘personal data’ and must be:
- processed lawfully, fairly, transparently;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant, limited to what is necessary;
- accurate and up to date;
- kept for no longer than is necessary;
- processed appropriately in a manner that ensures its security, integrity, and confidentiality.
Obvious examples of processed personal data are:
- employees’ salary and pension information stored electronically or on paper;
- employees’ training and other personnel records stored electronically or on paper;
- customers’ contact details and personal information recorded in emails and stored electronically or on paper.
Lawful bases for processing
The lawful bases for processing personal data are:
- clear and direct consent from the individual;
- necessity to fulfil a contract with the individual;
- necessity to comply with a legal obligation (excluding contractual obligations);
- necessity to protect someone’s life or vital interest;
- necessity to perform a public task (‘in the exercise of official authority’ or ‘in the public interest’);
- necessity for legitimate interests.
Data protection rights
The data protection rights of individuals under the GDPR are:
- the right to be informed;
- the right of access to their personal data and supplementary information;
- the right to correct inaccuracies;
- the right in certain cases to have their personal data erased;
- the right to restrict processing under certain circumstances;
- the right to move their personal data from one service provider to another (data portability);
- the right to object;
- rights related to automated decision making (including profiling).
These data protection rights depend upon the lawful basis used for processing, and some rights may not be applicable to individuals in certain situations. For example, employees have no right to erasure or data portability or the right to object when their personal data is being processed on the lawful basis of legal obligation for payroll purposes.
Data controllers and data processors
The GDPR applies to ‘controllers’ and ‘processors’. As defined by the Data Protection Act (DPA):
- A controller determines the purposes and means of processing personal data (e.g. HMRC).
- A processor is responsible for processing personal data on behalf of the controller (e.g. Employer).
A processor is normally required to maintain records of personal data and processing activities and will have legal liability if responsible for a breach. The GDPR places further obligations on controllers. A company may be a controller and a processor. It depends on the nature of the personal data, how it is acquired, and the reasons for keeping it.
Data protection fee
The Data Protection (Charges and Information) Regulations 2018 require every organisation or sole trader who processes personal information to notify the Information Commissioner’s Office (ICO) and pay a data protection fee, unless they are exempt. If you’re not exempt and you haven’t registered, you’re committing the criminal offence of processing without notification. You can use the ICO online self-assessment to see if you must register. The annual registration fee is currently between £40 and £2,900, depending on how many people your business employs and your annual turnover.
Documenting data processing activities
The GDPR contains explicit provisions about documenting processing activities. A record of the nature and purpose of data processing, data sharing and data retention must be kept up to date and must be made available to the ICO on request. In particular, business owners should:
- document and justify their safeguarding of personal data against inaccuracies or loss or theft;
- be able to respond quickly and appropriately in the event of a data breach and report to the appropriate authorities and individuals within specified time limits;
- be able to respond in a timely manner to legitimate requests from individuals and organisations regarding stored personal data.
Businesses with 250 or more employees must document all of their processing activities. However, small to medium-sized organisations with fewer than 250 employees need only document processing activities that are not occasional, or that may pose a risk to the rights and freedoms of individuals, or that involve special categories of data or criminal conviction and offence data.
Penalties for non-compliance
The potential costs of non-compliance are:
- fines of up to €20 million or 4% of global turnover;
- compensation claims for damages suffered;
- reputational damage and loss of trust.
Recommendations for business owners
- Appoint a responsible person to manage your GDPR compliance
- Document your data processing activities
- Write your data protection policy and data privacy notices
- Communicate your data protection policy and privacy notices to staff, customers, suppliers, and anyone else who needs to know
Appointing your responsible person
For anyone yet to get started on compliance the priority must be to designate someone with ongoing responsibility for data protection compliance, in accordance with the ICO recommendations.
Under the GDPR, a business need only appoint a Data Protection Officer (DPO) if:
- it is a ‘public authority’;
- it is engaged in large scale, regular and systematic monitoring of individuals; or
- it is engaged in large scale processing of special categories of data or data relating to criminal convictions and offences.
The GDPR doesn’t specify the precise credentials that DPOs are expected to have. A very brief person specification might include:
- knowledge of national and European data protection laws and practices;
- understanding of the GDPR;
- familiarity with data processing operations and data security;
- appreciation of the business sectors relevant to the organisation;
- good communication skills;
- ability to promote a data protection culture within the organisation.
If you’re a company director or a sole trader with no legal obligation to appoint a DPO you are nevertheless still ultimately responsible for any personal data processing resulting from your business activities. It would be sensible to voluntarily appoint someone autonomous to manage compliance on your behalf in order to avoid a conflict of interest with the GDPR’s data protection principles, though do bear in mind that the ICO will hold that person to the same performance standards that are applicable to a mandatory DPO under Article 39. Being part-time is no excuse for performing the role to a lesser degree.
You should decide who is best placed to carry out the data protection role and give them appropriate support. Your decision-making process and justifications will need to be documented. However, if you decide that you don’t need to appoint a DPO you should still record this decision to help demonstrate your compliance with the accountability principle.
Documenting your data processing activities
Documentation is the next priority. Start by performing a data audit. Note all the different types of personal data you currently have on record, where it is kept, what you are using it for, and who has access to it. Identify your lawful basis for processing. Grab a controller template and processor template from the ICO website and use them to document your data processing activities.
Writing, implementing and communicating your data protection policy and privacy notices
Search the internet to find templates you can use to write a data protection policy that outlines a governance structure with roles and responsibilities.
All data processing operations and documentation should be computerised and centralised with appropriate safeguards (e.g. limited access, passwords, data encryption). If you must keep paper records, keep them securely under lock and key and restrict access to named persons only.
There must be a written plan for handling legitimate requests and providing information within the new timescales. The right procedures must be in place to detect, report and investigate a personal data breach. As a matter of good practice you should restrict processing when the accuracy of the data or the legitimate grounds for processing are doubtful. You should have the capacity to make any questionable personal data temporarily unavailable to users (by moving the data to another processing system and removing any published data from a website, for example).
You can also find templates to help you write privacy notices that explain in plain language how and why you collect and use the personal data of employees, job applicants, customers and suppliers. Provide this information in a variety of formats (booklet, poster, website, email, etc.) so it can be accessed easily by those who need to be informed. You should also check out the privacy page on this website.
Don’t treat the GDPR as a box-ticking exercise that can be forgotten once completed. Managing compliance is an ongoing task. You need to be able to demonstrate your total commitment to preventing a data breach.
Your data processing procedures must be reviewed periodically to ensure they cover all rights that individuals have under the GDPR. Your aim should be to create a culture of data protection in the workplace.
Many people who are running small to medium-sized businesses, or are currently employed by one, will no doubt view the GDPR as a sledgehammer to crack a nut. But I’m more inclined to see it the way blogger and entrepreneur Seth Godin does:
Realize that the GDPR is a net positive for people with something to say, something to sell or something to change. Because the noise will go down and trust will go up…Talk to people who want to be talked to. Market to people who want to be marketed to. Because anticipated, personal and relevant messages will always outperform spam… The EU is responding to consumers who feel ripped off. They’re tired of having their data stripmined and their attention stolen.
© 2018 Paul J Lockey
Download your free GDPR Checklist without any obligation. (No need to subscribe or provide an email address.)