The EU General Data Protection Regulation (GDPR) is set to become effective throughout the European Union from 25 May 2018. It has been described as “the biggest change to data protection law for a generation” by the Information Commissioner, Elizabeth Denham.
But what are the main practical points a company needs to understand and take action on?
Are you affected? Every organisation processes personal data to some degree, so the short answer is “yes”.
What is personal data? Personal data is any information that can be used to identify an individual. There is also a separate category of “special category” personal data, which includes the more sensitive stuff (eg, racial or ethnic origin, data relating to health or biometric data).
What is the downside of non-compliance? Failure to comply could mean fines of up to €20 million, or 4 per cent of global annual turnover if that is higher. Although fines near this amount may be rare, penalties will be priced to have an impact and this is one unwelcome way to trim your bottom line.
OK, you got my attention, where do I start?
Formulate a plan.
A new “Accountability Principle” underpinning the regime requires a data controller (that’s you) to “be responsible for, and demonstrate, compliance with the [Data Protection Principles].” GDPR compliance is a big project and needs to be led from the top.
The 6 key principles of GDPR
- Processing: lawful, fair & transparent
- Collection: specific, explicit and legitimate purposes
- Limited: adequate, relevant and necessary
- Accurate: kept up to date
- Retention: only as long as necessary
- Secure: governance and technology (it is only here that it becomes about your IT)
Under Principle 1 you must demonstrate that any personal data processing is lawful, fair and transparent. There are fixed “lawful grounds” for processing, and you must analyse and document which of those applies in advance of processing.
To get you started:
- Take a look at where and what type of data comes into your organisation.
- Confirm the reasons you are collecting that data – for what purpose(s)? What is the end game?
- Compile the information, look at the lawful grounds, and record which of them you plan to rely on for each processing activity. Are you “missing” any? Do the grounds that you have identified “fit”?
Informed by the above, you must check that you are providing the right information to individuals about what personal data you process, why and how. You must ensure that you have an adequate and up-to-date privacy notice for this purpose (eg, attached to your website).
Armed with this detail, you need to look at your wider compliance. Do you collect “extra” information unnecessarily? Are your records accurate? What security measures are in place to protect the data held?
But that’s a lot of work
Becoming compliant with GDPR is a sizeable task, but GDPR is about ensuring the continued security and proper use of everyone’s data, including your own. Loss or theft of data can result in financial and reputational damage to data controllers (you), as well as impacting on individuals including your employees, customers and suppliers. If you don’t treat personal data properly, those you hold data on may be able to claim against you for damages – even where they have only suffered distress rather than financial loss.
So what are the lawful grounds for processing people’s data?
There are six grounds where the data is not “special category” data:
Conditions for processing (non-sensitive) personal data
- The individual has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the individual or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data, in particular where the individual is a child.
If you are dealing with special category data, you need one of the above grounds plus a special category ground. Those are listed in the GDPR, and if none fit the situation at hand, you will need to obtain explicit consent.
Being transparent and providing accessible information to individuals about how you will use their data is key under GDPR. The most common way to provide this information is in a privacy notice, which should be made available to individuals at the point you collect their data.
Privacy notices must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language (particularly if addressed to a child)
- Free of charge.
Practical steps to take now
Look at your existing privacy notices and make any updates needed. If your previous notices were hidden away in footers, longer T&Cs, or high level, they will need a refresh.
About those rights you mentioned?
Individuals already have rights under existing law, but these rights are renewed, updated and augmented by GDPR. For example, as an individual, your existing right of access through a “Subject Access Request” (SAR) has been altered: personal data must usually be provided free of charge and within a shorter timeframe.
There are additional data subject rights: the right to information, the right to object to processing, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and rights around automated decision making. You should think about how you would respond to the exercise of these rights – are your processes and systems able to cope?
Can I get some help with all this?
Of course. Mills & Reeve has specialist Cyber and Information law practitioners who can help you bring your compliance up to speed, respond to SARs, and manage your response to data breaches and subsequent litigation. If you need understandable, practical solutions please get in touch.