With the General Data Protection Regulation just around the corner, our Head of Commercial Litigation, Philip Edmondson, takes a look at what businesses need to do to comply.
The General Data Protection Regulation (GDPR) will come into force on 25 May, tightening the rules surrounding the collection and processing of personal data. The GDPR will also very significantly increase the potential penalties for businesses found to be in breach of its requirements. Whilst this is a complicated area of law on which bespoke advice is what you need, here are a few guidelines as to what needs to be done. Unfortunately, if you are not already underway with it, there is likely to be a lot to do prior to 25 May, even for small businesses.
Data and Information Audit
Personal data is what the GDPR is all about. Personal data is any information relating to an identified (or identifiable) living person. You need to undertake an audit of what you hold, both in hard copy and electronically, and then document:
- The personal information that you hold (including that of customers, employees, suppliers or anyone else with whom your business deals);
- How that personal data was collected;
- Every single third party with whom you share any of that data.
When carrying out the audit it is important to involve all key employees in your business so as to try to ensure that no data is missed.
Processing Data – do you have a lawful basis for this?
The lawful bases for processing personal data are:
- Necessary for the performance of a contract;
- Processing because you have a legal obligation to do so;
- Vital Interests (i.e. necessary to protect the data subject’s vital interests);
- Public Interest (i.e. under official authority from the state);
- Legitimate Interests (see below).
The last of these, “legitimate interests”, is likely to be a useful and important basis for many businesses, but it should not be relied upon without careful thought and advice. Legitimate interests can include ordinary honest business practices and direct marketing, but only if you have followed the other requirements of the GDPR. For example, the new law will make it much more difficult to show that you were relying upon a data subject’s “consent” to processing. You should therefore obtain fresh consent from all those to whom you wish to market, and get that consent BEFORE 25 May 2018, since contacting them after that date to ask for their consent may itself be a breach of the GDPR. This is what makes 25 May such an important date.
New Rights and Subject Access Requests
The GDPR enhances all of our rights as individuals. You must have a system which allows you to locate quickly all the personal data you hold. The GDPR requires this so that you can respond to a detailed subject access request within a short timescale and, if the person asks for it, delete that data.
Write it all down
At all steps of compliance, we suggest that you document all that you are doing. When doing so, show that you have had in mind the new Data Protection Principles, which you must comply with when processing ANY personal data:
- Lawfulness & Transparency (i.e. that you have issued a privacy notice when collecting data);
- Purpose Limitation (you must not further process the data in any manner incompatible with the purpose for which you have the data);
- Minimisation (only keep what is relevant and necessary);
- Accuracy (up to date);
- Storage Limitation (only keep it for as long as truly needed);
- Integrity and Confidentiality (security is key).
It will be advisable to update and enhance your written privacy/data protection policies and notices on your website, in email footers and in contracts. For example, you need to tell everyone whose data you control or process the basis on which you process their personal data and for how long you intend to retain it.
Show your workings
GDPR makes it clear that you must document the decision making, policies and procedures you adopt to ensure compliance. Documenting your reasoning and keeping it up to date will assist greatly if the Information Commissioner (ICO) were ever to investigate your business.
This brings me to the topic of breaches. In short – if you become aware of a data breach you are likely to have to tell the data subject(s) (people) concerned, and your supervisory data protection authority, within very short timescales. Policies and procedures will need to be in place to ensure you can do this. You need a data breach policy which sets out what your business will do in the event of a breach. Some breaches are major and obvious (releasing data or giving access to third parties without one of the lawful bases listed above). Others might not look like a breach at first glance: for example, your internet going down so that you cannot access a person’s data (and so neither can they) is also a breach. If in doubt as to whether you have committed a breach and what to do about it, you will protect yourself by taking legal advice.
The more transparent and careful you are to document all of your processes, policies and procedures, the more lenient the ICO is likely to be in the event of an unfortunate breach.