General Data Protection Regulation (GDPR): What Do You Need to Do
GDPR: What do you need to do?
GDPR is a massive subject.
Because of this, this post will be split into five sections.
These are essentially five separate blogs – all in the same place.
The first part is available now, and the rest will be added soon.
Combined, these will help you understand the five things you need to know to help you become compliant before the 25th of May this year.
Disclaimer: The content of this post is not legal advice and should not be received as such. Compliance with the GDPR requires comprehensive legal advice that relates to your specific circumstances. This post provides general information about GDPR, but not in a way that is specific enough to individuals to be construed as legal advice. We strongly encourage readers of this post to seek tailored legal advice to ensure they comply with GDPR.
Part 1: Introduction, Getting to Grips with Your Data
GDPR is a mammoth transformation to data protection law.
It’s big because of:
1. the number of changes it introduces
2. the impact it will have on businesses worldwide
3. the fines people might have to pay for non-compliance
Whether you’re a sole trader or a multinational corporation, being ready for GDPR on May the 25th should be top of your list of priorities for 2018.
But what do you actually have to do?
In this post, Virtuoso Legal look at the key changes and explain what GDPR means for businesses in practical terms.
Why is GDPR happening?
GDPR is a change to data protection law, which was last updated in the 1990s.
Since the 90s, there have been big changes in how people’s data is collected and processed.
The internet and digital technology have led to new ways to find out about people from things they do online.
This has led to concern from governments. They think that citizens’ data is being mishandled, and that its use by businesses is becoming more and more unfair.
It had become normal for many companies to ask for info from a person for one thing – and then keep it and use it in many other ways without permission.
Companies also had more powerful tools to use personal data to find out things about people. This was used to sell people things they think they want, or to profile them for other purposes.
It also became normal to hear about companies losing people’s information. Large scale incidents like the Equifax breach in the US were happening more and more often.
These trends were set to continue, and would continue to increase the power companies have over people, because the relationship with personal data was becoming more and more one-sided.
This is why European legislators decided to intervene.
What is GDPR?
GDPR is an EU law that puts normal people back in the driving seat when it comes to their data.
It comes into force on the 25th of May this year. It has also been ratified by the UK government, so as it stands it will be enforced regardless of Brexit.
It places a lot more responsibility on businesses to handle people’s data fairly – and let people know what’s going on.
This means a lot of changes to how most businesses operate on a day-to-day basis when it comes to people’s personal data.
It may surprise you how much personal data you collect and process. The more you do, the more you will probably have to do to comply with GDPR.
GDPR: What do you need to do? Start by Getting to Grips with Your Data
The first thing that you might find helpful to do is to get a solid idea of all of the information your business collects and processes about people.
Personal data includes things like:
- A person’s name
- Email address
- Postal address
- Purchasing history
- Payment information
- Health information
Certain types of information are more sensitive than others. Financial, criminal and medical information is considered “special” and should be treated with extra care.
In addition, any information collected about children is considered “special” and is subject to a higher standard of care.
It is important to get to grips with the kinds of information you’re collecting, and how it needs to be protected.
The best way to get an idea of what you’re collecting is a “data protection audit” – mapping out all of the ways information comes in and out of your business.
The kinds of questions you should ask are:
- What am I collecting?
- What is the lawful basis for me holding and processing this information?
- Where does it go and what happens to it?
- Who am I sharing this information with, and do they have good data protection measures (are they GDPR compliant)?
- Is this information being shared outside the UK? Does the country it is going to have legal rules in place to comply?
- What is this information going to be used for?
- What do I tell the person when I collect this information?
- How have they actively shown that they agree to this?
- How long do I need to keep this information for?
- Why do I need to keep it this long?
Then, for each of these answers:
- Do I need to do anything to comply in this instance?
You might not know the answer to that last question now.
But a comprehensive “map” of the flow of personal information in and out of your company is the best starting point for your “compliance journey”.
(“Compliance journey” is a nice way to think about it I’m sure you’ll agree!)
What do I need to comply with?
Once you have got a hold on the kinds of information that go in and out of your business, you need to understand your new responsibilities.
Summary of responsibilities
When it comes down to the crunch you need to:
- process data lawfully, fairly and transparently
- collect data for specific, explicit and legitimate purposes – and not do anything beyond those stated purposes
- make sure that data you collect is relevant and limited to what is necessary
- ensure that your data is kept up to date, and that old data is erased or updated as soon as possible
- not keep data in a form that allows you to identify people for longer than necessary
Under each of these points there is a lot of further detail, which we will go into in the following sections.
Part 2: Lawful Processing and Consent
GDPR requires businesses who collect and process personal data to determine and document their lawful basis for doing so.
Lawful Premises for Data Collection and Processing
There are many different lawful premises that data controllers can rely on for data collection and processing:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where these are overridden by the interests, rights or freedoms of the data subject.
- Necessary for the purposes of vital interests of a data subject or another person (e.g. life and death scenarios)
There are further conditions for the collection of special categories of data – which are more stringent.
It is noted that: “if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted”. What is seen to be effective consent is also something that has been revised within GDPR (see below).
Consent Under GDPR
A key area that is addressed within the GDPR is consent.
Thematically, GDPR sets out to place more power into data subjects’ hands by ensuring that consent is given for each distinct instance of collection and use of data.
Prior to the GDPR, looser rules had allowed for businesses to effectively bury information within rarely read agreements or legalese. Furthermore, this grey area allowed for personal data to be collected for one reason and utilised freely thereafter. GDPR addresses this head on – with a set of definitive tasks for data controllers.
Consent under GDPR requires a high standard. As such, if other legal premises are possible, they may be more useful to base collection and processing activity on.
The premises for consent under GDPR are:
“Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.”
Data subjects must complete a verification action to issue consent. Automatic or implicit forms of consent are not acceptable under GDPR.
“Explicit consent requires a very clear and specific statement of consent”
Data subjects must be provided with a clear declaration detailing what they are consenting to.
“Keep your consent requests separate from other terms and conditions”
Consent can no longer be placed within other legal agreements. Instead, consent requests must be prominent. This stops critical consent agreements being ignored by users.
“Be specific and granular so separate consent is granted for separate things. Vague or blanket consent is not enough.”
Each separate type of data collection and processing should be delineated and agreed to separately.
“Be clear and concise”
Clarity is key. Consent agreements should be written in a way that a lay person understands, and without being overly long.
“Name any third-party controllers who will rely on the consent”
If anyone else (persons or companies) is going to be involved in data collection or processing, they should be explicitly named.
“Make it easy for people to withdraw consent and tell them how”
Explain to data subjects that they can withdraw their consent at any time, and provide them with the means and instructions to do so.
“Keep evidence of consent – who, when, how and what you told people”
Keep detailed records of consent including who consented, when, how it was actioned and the material that was presented to individuals.
“Keep consent under review, and refresh it if anything changes”
Keep your consent forms under review and update them if you change the nature of your collection or processing.
“Public authorities and employers will need to take particular care to ensure that consent is freely given, and should avoid over-reliance on consent”
Public authorities and employers are placed under higher scrutiny regarding consent. This is likely because they hold a position of authority over data subjects.
Because of this, if you are a public authority or employer, you should seek a lawful basis other than consent.
Part 3: The Rights of Individuals
One of the most significant areas in the GDPR is the reassertion of data subjects’ rights.
Many of these are similar to those under existing legislation such as the Data Protection Act.
However, there are a number of new and strengthened rights, and also a requirement to make sure that people are always aware of their rights and empowered to assert them during all data collecting and processing activity.
What follows is a list of the rights, and how they function under GDPR.
The Right to be Informed
First and foremost, people need to be informed about the nature of data collecting and processing involving them.
The information you supply data subjects depends on whether you collected personal data directly or indirectly from individuals.
Broadly speaking, the information you should supply remains consistent with existing obligations under the Data Protection Act.
Despite this, there are some differences to note.
Information provided to data subjects must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language
- Free of charge (this is new, although you are allowed to charge for repeated requests).
What do I have to tell data subjects?
GDPR states that you must provide the following information:
1. Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer
Your information and, if you have a data protection officer within your organisation, their contact information.
2. Purpose of the process and the lawful basis for the processing
Why you are collecting information, and the lawful basis for doing so (e.g. fulfilment of contract, consent etc.)
3. The legitimate interests of the controller or third party, where applicable
A statement of what you intend to do with the data, and if a third party is involved what they will do with the information (and why).
4. Categories of personal data (only when not collected directly from the subject)
What categories of information you have collected about someone, if you haven’t collected this information from them directly.
5. Any recipient or categories of recipients for this information
Who else may be in receipt of this information, and the category of recipient.
6. Details of transfers to a third country and safeguards put in place
Whether the information is going to be made available outside the country in which it was collected and processed, why – and how this will be treated and safeguarded. Note: extra care or even stoppage should be undertaken if information is being transferred to a country where inadequate safeguards are in place.
7. Retention period or criteria used to determine the retention period
How long you will be keeping this information, and how you have determined this is a legitimate amount of time to do so.
8. The existence of each of the data subject’s rights
A clear statement detailing each of the data subject’s rights in language that is easy to understand.
9. The right to withdraw consent at any time where relevant
Statement detailing people’s right to withdraw consent for data collection and processing at any time.
10. The right to lodge a complaint with a supervisory authority
Statement of their right to complain if they feel they are being treated unfairly, and details of the supervisory body they can complain to.
11. The source the personal data originates from and whether it came from publicly accessible sources (only when data not obtained directly from the subject)
Where the data has been obtained from (if you have not collected from the data subject themselves).
12. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide personal data
Whether the collection, retention and processing of data is undertaken as part of the contract – and if this is the case, what happens in relation to this contract if people do not allow their data to be used.
13. The consequences if this data is not collected, retained and processed.
14. The existence of automated decision making, including profiling and information about how decisions are made, the significance of this and associated consequences
If and where automatic decisions take place (e.g. profiling and intelligent processing), the significance of these decisions and their consequences.
When should data subjects be notified of the above?
Information should be provided at the time it’s collected if it is collected from the data subject directly.
If information is collected indirectly, data subjects should be provided with the above information within a month, or the first time that it is used or the first time you contact the person.
If disclosure to another recipient is envisaged it should be shared, at the latest, before this happens.
The Right to Access
Under the GDPR data subjects have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data; and
- Relevant supplementary information
This right is enforced to make sure that data subjects are aware of, and can confirm, the lawfulness of data collection and processing.
You are not allowed to charge a fee – which is a significant change from existing rules under the DPA.
A fee is only applicable if a request is unfounded or excessive (e.g. repetitive). Fees may also be charged for further copies of the same information. This has to be based on the admin cost of retrieving this information.
How long do I have to comply?
Information must be provided as soon as possible, and at the latest, within one month of receipt of a request.
Compliance can be extended by two months where requests are complex or numerous. If this happens you must let data subjects know within one month and explain the reason behind the extension.
If the request is unfounded or excessive you can refuse to respond, but you must explain why and provide information about their right to complain and who they can complain to.
How should the information be provided?
There are a couple of important points around the provision of this information to data subjects:
- You must verify the identity of the person making the request via “reasonable means”
- If the request is made electronically, you should provide the info in a commonly used electronic format
- Best practice is to provide a secure “self-service” system; allowing subjects to access their data freely (though such a system should not risk the rights and freedoms of others).
If the request is for a large amount of data, GDPR allows the controller to ask what the information relates to – which allows the controller to decide whether this is unfounded / excessive.
The Right to Rectification
If data is kept that is inaccurate or incomplete, subjects have the right to demand that it is updated.
Indeed, there is a responsibility for data controllers to keep records up to date, where possible.
If inaccurate information has been provided to third parties – the data controller must inform these third parties and let them know that this must be rectified.
Because of this, it is important to keep an audit trail in cases where information has been distributed to others.
You must comply with a request for rectification within one month (extended to two months where the request is complex).
As with the right to access, if you refuse to rectify the information you must provide the subject with the reason and let them know about their right to complain, the relevant supervisory authority and their right to a judicial remedy.
The Right to Erasure
Infamously known as the “right to be forgotten”, this gives data subjects a right to have personal data erased, or to prevent processing, in specific circumstances:
- Where personal data is no longer necessary in relation to the purpose it was originally collected and processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no legitimate interest for continuing the processing
- The personal data was unlawfully processed
- The personal data needs to be erased to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child
In comparison, under the DPA, the right to erasure was limited to processing that causes unwarranted and substantial damage or distress.
You can refuse to erase data:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation, or for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes
- The exercise or defence of legal claims
As with rectification, you must inform third parties of erasure unless this is impossible or requires disproportionate effort.
Where the data has been made public online, controllers should alert other organisations to erase links to, copies of, or replications of the personal data.
Thus, if you collect, process and distribute personal information online, you should make yourself acutely aware of this responsibility before doing so.
The Right to Restrict Processing
Data subjects have the right to “block” or suppress the processing of their personal data. When this occurs, you are permitted to continue to store the personal data, but not further process it.
When does this apply?
You will be required to restrict the processing of personal data:
- Where an individual contests the accuracy of the data; processing is then stopped until this has been resolved
- Where an individual has objected to the processing (and where it was necessary for the performance of a public interest task or legitimate interest) and you are considering whether you have legitimate grounds to override their request
- When processing is unlawful, and the individual opposes erasure, so requests restriction instead
- If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
As with the above, you must inform third parties of any relevant change.
You must also inform individuals when you decide to lift a restriction on processing.
The Right to Data Portability
Data subjects have the right to obtain and transfer personal data that has been collected and processed to different services.
When does the right to data portability apply?
- To personal data an individual has provided to a controller
- Where the processing is based on the individual’s consent or the performance of a contract
- When processing is carried out by automated means
How do I comply with this right?
You must provide personal data in a structured, commonly used and machine-readable form, e.g. a CSV file.
This information must be provided free of charge.
How long do I have to comply?
Without undue delay and within a month (two months if complex, but as above you must inform the individual and specify your reason for the delay). As above, you can deny this right, but you must provide an adequate reason, together with information about their right to complain and who they can complain to.
The Right to Object
Within the GDPR, individuals also have the right to object to several different forms of processing:
- Processing based on legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling)
- Direct marketing (including profiling); and
- Processing for the purposes of scientific, historical research and statistics
Here, even where there are grounds for overriding an objection, data subjects retain the right to register one.
How do I comply if I process personal data for the performance of a legal task or my organisation’s legitimate interests?
Individuals must be able to object on “grounds relating to his or her particular situation”.
You must stop processing unless:
- You can demonstrate compelling legitimate grounds for the processing, which override the necessary freedoms of the individual; or
- The processing is for the establishment, exercise or defence of legal claims.
How do I comply with the right to object if I process personal data for marketing?
You must stop processing personal data for direct marketing as soon as you receive an objection. There are no grounds for refusal and this must be undertaken free of charge.
How do I comply if I process personal data for research purposes?
Individuals must be able to object on “grounds relating to his or her particular situation”.
In all the above cases: you must inform individuals of their right to object “at the point of communication” and within your privacy notice.
This should be brought clearly to the attention of the data subject and separately from other information.
Rights Related to Automated Decision Making (including Profiling)
Among the big challenges that GDPR sets out to tackle are the issues associated with automated decision-making and profiling.
Companies with access to advanced software and machine learning have become able to extrapolate further information about data subjects from information they have provided.
Information produced through these means (whether automatic, or via human profiling) is becoming increasingly accurate, and is used by businesses in service customisation and monetisation (e.g. through personalised advertising).
As such, the capacity for companies to achieve more insight about data subjects from less information is increasing exponentially (e.g. Facebook and Google). The heightened availability of this information, alongside the tools to interpret data, greatly increases the risk to data subjects from potential breaches.
Therefore, the GDPR sets out separate provisions relating to these kinds of data processing.
There are two distinct types of data processing that are subject to this:
- Automated individual decision-making: deciding based on automated means without any human involvement.
- Profiling: automated processing of personal data to evaluate certain things about an individual. Profiling can form part of an automated decision-making process.
Automated individual decision making, and profiling can only take place if:
- It is necessary for the entry into or performance of a contract;
- It’s authorised by Union or Member state law applicable to the controller; or
- It is based on the individual’s explicit consent
There are additional rules if solely automated decision-making has a legal or similarly significant effect on individuals:
- Individuals must be given additional information about the processing
- They must be given simple ways to request human intervention or challenge a decision
- You must carry out regular checks to make sure that your system is working as intended
(An example of this might be automated credit checks – wherein processing is completed entirely by systems of data processing).
So, what do I need to do when it comes to automated decision-making and profiling?
In the case of all decision-making and profiling:
- Have and inform data subjects of the lawful basis for processing and document this in the data protection policy.
- Provide a link to a privacy statement when personal data has been obtained indirectly
- Explain how people can access details of the data used to create their profile
- Let data subjects know how they can object to profiling – including for marketing purposes
- Have a procedure to allow data subjects to access and review their personal data
- Only collect the data that you need to fulfil the stated purpose
In the case of solely automated individual decision-making with legal or similarly significant effects:
- Carry out a data protection impact assessment (DPIA) to identify risks to individuals, steps put in place to meet GDPR requirements and how risks would be dealt with should they come to pass.
- Avoid use of special category data in automated decision-making – unless you have a lawful basis to do so and can demonstrate what that basis is. (Any special category data that is accidentally created – should be deleted).
- Explain use of automated decision-making processes, including profiling. Explaining what information is used, why it is used in such a manner and what the effects are.
- Provide a simple way for data subjects to reconsider an automated decision
- Have a staff member who is responsible for carrying out reviews and amending automated outcomes
- Regularly check systems for accuracy and biases.
- Best practice: use visual explanation to show what is collected and why this is relevant to the process.
- Best practice: subscribe to and display a set of ethical principles to build trust – available on website and paper.
Part 4: Contracts, Documentation and Accountability
Now that we’re past the broad premises of GDPR – we reach an important section detailing what needs to be done within a business to build a compliance structure into the fabric of day-to-day work.
Broadly speaking this is covered in guidance concerning: contracts, documentation and accountability.
One of the key areas addressed with GDPR concerns how businesses share personal data with other businesses.
Many businesses do this in order to fulfil the obligations of a sale or to provide their services.
GDPR sets out to make arrangements between a company and its partners much more explicit and accountable.
The company which collects the data in the first instance is deemed the “data controller”.
Any companies that the data controller then transmits this information to are known as “data processors”.
Controllers are liable for compliance with GDPR, and as such must ensure that any data processors with whom information is shared are capable of compliance.
As such, if a breach occurs originating from a processor, it is not only the processor that is “on the hook” as it were – but also the controller.
Because of this, robust contracts must be in place between data controllers and processors that ensure that compliance follows down the chain of accountability.
What needs to be in these contracts?
When it comes to personal data, processors must only act on the documented instructions of a controller (unless required by law to act without these instructions) – these come in the form of a contract.
These contracts must include:
- “the subject matter and duration of processing”
- “the nature and purpose of the processing”
- “the type of personal data and categories of data subject; and,”
- “the obligations and rights of the controller”
This results in a number of obligations for the data processor:
- “ensure that people processing the data are subject to a duty of confidence”
- “take appropriate measures to ensure the security of the processing”
- “only engage a sub-processor with the prior consent of the data controller and a written contract”
- “assist the data controller in providing subject access and allowing data subjects to exercise their rights under GDPR”
- “assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments”
- “must delete or return all personal data to the controller as requested at the end of the contract; and”
- “submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state”
As a result, businesses that operate as processors, and those who sub-contract data processing for controllers, now have many more obligations to adhere to moving forward.
It’s not just the data processors who have much to do.
Successful compliance with GDPR requires also developing an evidencing structure within the business – that can prove compliance should a data protection event occur.
One does not simply comply with GDPR! You have to record your compliance effectively too.
The extent to which you must document your activities depends on the size of your business.
For small and medium-sized businesses your obligations are not too onerous. In fact documentation is limited to only a certain number of processing activities.
Specifically, small and medium-sized organisations must record processing that is:
- “not occasional”
- “could result in a risk to the rights and freedoms of individuals”
- “involve the processing of special categories of data or criminal conviction and offence data”
However, if you have 250 or more employees you must produce documentation of all of your processing activities, whether they fall into the above criteria or not.
Documentation about collection and processing should include:
- name and contact details of your organisation (including other controllers, your representative and data protection officer)
- processing purpose
- descriptions of categories of individuals and categories of personal data
- categories of recipients of personal data
- details of transfers to third countries (and documentation of safeguards in place)
- schedule of retention
- technical and organisational security measures in place relating to these records
Best practices also suggest that you might record:
- relevant information for privacy notices, including:
  - the lawful basis for processing
  - legitimate interests for processing
  - individuals’ rights
  - automated decision making where applicable
  - where the data was sourced from
- Records of consents
- Contracts between controllers and processors
- Location of personal data
- DPIAs (data protection impact assessments)
- Records pertaining to breaches
- Information required for processing special category data:
  - Condition for processing
  - Lawful basis for processing special category data
  - Retention and erasure policies for special category data.
Crucially, this should be enforced by an accountability structure within your business, building GDPR and “data protection by design” into day-to-day business activities.
This may include documented actions such as:
- Staff training on GDPR relating to general changes as well as the detailed changes to people’s activities
- Routine and incrementally improving reviews of data collection and processing activities
- DPIAs and reviews of new technologies being introduced into the business
- Proportionate documentation of data collection and processing activities
- The employment of a Data Protection Officer, should the organisation be large enough to warrant it
- The deployment of “data protection by design” principles such as:
  - Data minimisation (only storing what is needed)
  - Transparency (letting people know what is held and processed)
  - Allowing data subjects to monitor processing
  - Creating and improving security on an ongoing basis
- Adherence to approved codes of conduct and certification schemes as they emerge.
Subsequent sections of this guide will follow in the coming weeks.
Virtuoso Legal are also preparing an assistance package for companies looking to get a headstart in their compliance journey.
To speak to any of our IP experts about GDPR, call:
📞 0113 237 9900
General Data Protection Regulation (GDPR): What Do You Need to Do was written by Dr. Martin Douglas Hendry