General Data Protection Regulation (GDPR): What Do You Need to Do
GDPR: What do you need to do?
GDPR is a massive subject.
Because of this, this post will be split into five sections.
These are essentially five separate blogs – all in the same place.
The first part is available now, and the rest will be added soon.
Combined, these will help you understand the five things you need to know to help you become compliant before the 25th of May this year.
Disclaimer: The content of this post is not legal advice and should not be received as such. Compliance to the GDPR requires comprehensive legal advice that relates to your specific circumstances. This post provides general information about GDPR, but not in a way that is specific enough to individuals to be construed as legal advice. We strongly encourage readers of this post to seek tailored legal advice to ensure they comply with GDPR.
Part 1: Introduction, Getting to Grips with Your Data
GDPR is a mammoth transformation to data protection law.
It’s big because of:
1. the amount of changes it introduces
2. the impact it will have on businesses worldwide
3. the fines people might have to pay for non-compliance
Whether you’re a sole trader or a multinational corporation, being ready for GDPR on May the 25th should be top of your list of priorities for 2018.
But what do you actually have to do?
In this post, Virtuoso Legal look at the key changes and explain what GDPR means for businesses in practical terms.
Why is GDPR happening?
GDPR is a change to data protection law, which was last updated in the 1990s.
Since the 90s, there have been big changes in how people’s data is collected and processed.
The internet and digital technology have led to new ways to find out about people from things they do online.
This has led to concern from governments. They think that citizens’ data is being mishandled, and that its use by businesses is becoming more and more unfair.
It had become normal for many companies to ask for info from a person for one thing – and then keep it and use it in many other ways without permission.
Companies also had more powerful tools to use personal data to find out things about people. This was used to sell people things they think they want, or to profile them for other purposes.
It also became normal to hear about companies losing people’s information. Large scale incidents like the Equifax breach in the US were happening more and more often.
These trends were set to continue, further increasing the power companies have over people, because the relationship with personal data was becoming more and more one-sided.
This is why European legislators decided to intervene.
What is GDPR?
GDPR is an EU law that puts normal people back in the driving seat when it comes to their data.
It comes into force on the 25th of May this year. It has also been ratified by the UK government, so as it stands it will be enforced regardless of Brexit.
It places a lot more responsibility on businesses to handle people’s data fairly – and let people know what’s going on.
This means a lot of changes to how most businesses operate on a day-to-day basis when it comes to people’s personal data.
It may surprise you how much personal data you collect and process. The more you do, the more things you will probably have to do to comply with GDPR.
GDPR: What do you need to do? Start by Getting to Grips with Your Data
The first thing that you might find helpful to do is to get a solid idea of all of the information your business collects and processes about people.
Personal data includes things like:
- A person’s name
- Email address
- Postal address
- Purchasing history
- Payment information
- Health information
Certain types of information are more sensitive than others. Financial, criminal and medical information is considered “special” and should be treated with extra care.
In addition, any information collected about children is considered “special” and is subject to a higher standard of care.
It is important to get to grips with the kinds of information you’re collecting, and how it needs to be protected.
The best way to get an idea of what you’re collecting is a “data protection audit” – mapping out all of the ways information comes in and out of your business.
The kinds of questions you should ask are:
What am I collecting?
What is the lawful basis for me holding and processing this information?
Where does it go and what happens to it?
Who am I sharing this information with – do they have good data protection measures (are they GDPR compliant?)
Is this information being shared outside the UK? Does the country it is going to have legal rules in place to comply?
What is this information going to be used for?
What do I tell the person when I collect this information?
How have they actively shown that they agree to this?
How long do I need to keep this information for?
Why do I need to keep it this long?
Then, for each of these answers:
Do I need to do anything to comply in these instances?
You might not know the answer to that last question now.
But a comprehensive “map” of the flow of personal information in and out of your company is the best starting point for your “compliance journey”.
(“Compliance journey” is a nice way to think about it I’m sure you’ll agree!)
What do I need to comply to?
Once you have got a hold on the kinds of information that goes in and out of your business – you need to understand your new responsibilities.
Summary of responsibilities
When it comes down to the crunch you need to:
- process data lawfully, fairly and transparently
- collect data for specific, explicit and legitimate purposes – and not do anything beyond those stated purposes
- make sure that data you collect is relevant and limited to what is necessary
- ensure that your data is kept up to date – and that old data is erased or updated as soon as possible
- keep data in a form that allows you to identify people for no longer than necessary
Under each of these points, there is a lot of further detail which we will go into in the following sections.
Part 2: Lawful Processing and Consent
GDPR requires businesses who collect and process personal data to determine and document their lawful basis for doing so.
Lawful Premises for Data Collection and Processing
There are many different lawful premises that data controllers can rely on for data collection and processing:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where these are overridden by the interests, rights or freedoms of the data subject.
- Necessary for the purposes of vital interests of a data subject or another person (e.g. life and death scenarios)
There are further conditions for the collection of special categories of data – which are more stringent.
It is noted that: “if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted”. What is seen to be effective consent is also something that has been revised within GDPR (see below).
Consent Under GDPR
A key area that is addressed within the GDPR is consent.
Thematically, GDPR sets out to place more power into data subjects’ hands by ensuring that consent is given for each distinct instance of collection and use of data.
Prior to the GDPR, looser rules had allowed for businesses to effectively bury information within rarely read agreements or legalese. Furthermore, this grey area allowed for personal data to be collected for one reason and utilised freely thereafter. GDPR addresses this head on – with a set of definitive tasks for data controllers.
Consent under GDPR requires a high standard. As such, if other legal premises are possible, they may be more useful to base collection and processing activity on.
The premises for consent under GDPR are:
“Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.”
Data subjects must complete a verification action to issue consent. Automatic or implicit forms of consent are not acceptable under GDPR.
“Explicit consent requires a very clear and specific statement of consent”
Data subjects must be provided with a clear declaration detailing what they are consenting to.
“Keep your consent requests separate from other terms and conditions”
Consent can no longer be placed within other legal agreements. Instead, consent requests must be prominent. This stops critical consent agreements being ignored by users.
“Be specific and granular so separate consent is granted for separate things. Vague or blanket consent is not enough.”
Each separate type of data collection and processing should be delineated and agreed to separately.
“Be clear and concise”
Clarity is key. Consent agreements should be written in a way that a lay person understands, and without being overly long.
“Name any third-party controllers who will rely on the consent”
If anyone else (persons or companies) is going to be involved in data collection or processing, they should be explicitly named.
“Make it easy for people to withdraw consent and tell them how”
Explain to data subjects that they can withdraw their consent at any time, and provide them with the means and instructions to do so.
“Keep evidence of consent – who, when, how and what you told people”
Keep detailed records of consent including who consented, when, how it was actioned and the material that was presented to individuals.
“Keep consent under review, and refresh it if anything changes”
Keep your consent forms under review and update them if you change the nature of your collection or processing.
“Public authorities and employers will need to take particular care to ensure that consent is freely given, and should avoid over-reliance on consent”
Public authorities and employers are placed under higher scrutiny regarding consent. This is likely because they hold a position of authority over data subjects.
Because of this, if you are a public authority or employer, you should seek legal premises other than consent.
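As an added example (not code from the original post or from Virtuoso Legal), the consent rules above can be turned into a small consent ledger: positive opt-in only, one purpose per record, evidence of who/when/how/what was shown, named third-party controllers, withdrawal, and consent treated as stale once the wording changes. The method labels and purpose names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Labels we treat as "default" or implied consent; these are our own
# assumed names, not terms from the regulation, and are rejected outright.
DEFAULT_CONSENT_METHODS = {"pre_ticked_box", "implied_by_use", "silence"}
BLANKET_PURPOSES = {"all", "any", "*"}


@dataclass
class ConsentRecord:
    subject_id: str                  # who consented
    purpose: str                     # one specific purpose per record
    given_at: datetime               # when
    method: str                      # how (e.g. a box the person ticked)
    statement: str                   # what they were told, verbatim
    third_parties: tuple = ()        # named controllers relying on this consent
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self.records = []

    def record(self, subject_id, purpose, method, statement, third_parties=(), at=None):
        """Store evidence of a positive, granular opt-in; reject default consent."""
        if method in DEFAULT_CONSENT_METHODS:
            raise ValueError(f"{method!r} is default consent, not a positive opt-in")
        if purpose.strip().lower() in BLANKET_PURPOSES:
            raise ValueError("consent must be granular: one purpose per record")
        if not statement.strip():
            raise ValueError("a clear statement of what was agreed to is required")
        rec = ConsentRecord(subject_id, purpose, at or datetime.now(timezone.utc),
                            method, statement, tuple(third_parties))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at=None):
        """Mark every live record for this subject and purpose as withdrawn."""
        at = at or datetime.now(timezone.utc)
        live = [r for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
        for r in live:
            r.withdrawn_at = at
        return len(live)

    def has_consent(self, subject_id, purpose, current_statement=None):
        """True only for an unwithdrawn record for exactly this purpose; if
        current_statement is given, consent under older wording is stale."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None
                   and (current_statement is None or r.statement == current_statement)
                   for r in self.records)
```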
The following sections of this guide will follow in the coming weeks.
Virtuoso Legal are also preparing an assistance package for companies looking to get a headstart in their compliance journey.
General Data Protection Regulation (GDPR): What Do You Need to Do was written by Dr. Martin Douglas Hendry