We have created this summary document for our clients as an informative exercise only, using the resources mentioned below.
In no way does it constitute legal advice.
We urge anyone who has any questions, concerns or an unusual business model to take professional legal advice and to not rely solely on this document.
What is GDPR?
GDPR is a piece of EU legislation that came into effect from May 25th 2018. It is similar to the Data Protection Act (DPA), though with extra bells on it. In a nutshell, the legislation is designed to enhance and protect the privacy of EU individuals. This is to be done by giving EU individuals better access to, and understanding of, what data is held, and why it is held, on them by any entity that holds their personal data.
These entities can be EU based or anywhere in the world. They can be large corporations, government departments, your local GP surgery, small ‘one-man band’ businesses or book clubs even. To use anyone in the EU’s personal data they must follow the GDPR. *This article was originally published in 2018.
What is Personal Data?
GDPR defines personal data as “any information relating to an identified or identifiable natural person.” For example:
- Their name
- Their address
- Their email addresses
- Their financial information
- Their contact information
- Their identification numbers, etc
- Their IP addresses
- Their Geolocation
- Their browsing history
- Your website cookies
- Any other digital identifiers
- Their physical, mental, social, economic or cultural identities
- Their gender
- Their date of birth
It also pays to be aware of the cumulative effect of the data. Someone’s name is relatively easy to get. A date of birth on its own is fairly useless.
But combine the two with an address and postcode and you have the answers to most of the security questions one is asked when phoning a large company. Personal data can be online personal data, automated personal data and paper documents kept in manual filing systems.
Who Handles the Personal Data?
GDPR describes two roles that will handle data; the ‘data controller’ and the ‘data processor’. Although they may sound very similar they are not. The data controllers decide what the purposes, conditions and means of the use of personal data will be.
The data processors on the other hand, act on the instructions of the controllers and process personal data on their behalf. Both controllers and processors must adhere to the organisation’s GDPR policy.
From an individual’s perspective the GDPR is very good news indeed. It will mean that no one should cold call, send us marketing emails or store our data for any purpose unless we have given our explicit consent. Or they have ‘Legitimate interests’. The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object; and
- the right not to be subject to automated decision-making including profiling
Hopefully this will mean a huge reduction in spam emails and firms cold calling us to sell us double glazing!
From a business owner’s point of view, the GDPR may at first glance appear to be a red-tape nightmare. We are now responsible for “ complying with all data protection principles” and we are also responsible for “ demonstrating compliance”. Therefore, even as legitimate, privacy conscious businesses there is still work to do. We have to make ourselves ready to be able to protect, and act on, any of the rights mentioned above. It is most likely that we are already complying to a point. What we need to do now is review our data processing and privacy activities. Once they are enhanced, altered or corrected to comply with GDPR we should be good to go.
Whereas before we worked as responsible personal data users, we now have to prove that we are doing so. And in writing too, either manually or digitally. The GDPR states that an organisation shall “ …maintain a record of processing activities under its responsibility.” These records must all be in place by May 25th 2018. So, what does ‘documenting of your processing activities’ look like? First of all, it is very good practice to carry out a Data Protection Impact Assessment (DPIA). Although it is not legally required in many cases, it is a great starting point for writing your GDPR policy. In simple terms this means working out what personal data:
- you keep
- why you keep it
- what you intend to do with it
- who do you or might you share it with
- whether the entities you share it with are GDPR compliant
- how long will you keep it for
- what the legal basis for your use of the data is
- whether you will transfer the data outside of the EU
Yes, this will not be the greatest task you have ever had to undertake or delegate, but it will make writing the policy a lot easier if you do an assessment. We have created a GDPR Policy template for you to use if you wish, link is below. Depending on your business model it may also be wise to practice ‘privacy by design’. This is not a legal requirement but can help prevent issues appearing after time. The principle is to build data protection and privacy into any project you begin. Rather than creating something and then worrying whether it is GDPR compliant later on. And remember, it is not just the public’s personal data you need to protect. The GDPR covers anyone you keep data on, including your staff, contractors etc.
Some More Good
In that case, you need only document processing activities that:
- are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
- are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
- involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).
In practice this means that most of us will not need as much documentation and work as larger organisations. If you do employ more than 250 people, we urge you to take legal advice on this matter.
Data Protection Officers
Under the GDPR there is now a duty to appoint a Data Protection Officer (DPO) in certain circumstances. DPOs must be appointed in the case of:
- public authorities
- organisations that engage in large scale systematic monitoring
- organisations that engage in large scale processing of sensitive personal data (Art. 37)
In practice this means that keeping customers’ details to be able to fulfil orders or supply services to them will not need a DPO. If you are in the data business itself, then you would need one.
To collect and use personal data from anyone you will now need explicit consent. Explicit consent means that customers have opted in themselves. It will no longer be legal for companies to ask customers to untick a box, they will have to tick a box to show consent. There can be no more implied consent either. For example, if we sell someone something online then we cannot assume that their details can be used for marketing purposes. You will need their explicit consent for each reason you may want to use their personal information for.
N.B. You do not have to ask for consent again if you already have received it in the past from your customers or clients.
You now need to have a valid ‘lawful basis’ in order to process personal data. Simply put, this means you cannot process any personal data unless your reason to do so is lawful. And to be lawful it must fall under one of the following: “(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).(d) Vital interests: the processing is necessary to protect someone’s life.(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)”
A personal data breach is largely defined as “a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.” When a security incident arises, you must determine very quickly whether or not a personal data breach has occurred. If it has, you must rectify the situation immediately and carry out any notifications. If a personal data breach has happened, you need to determine the “likelihood and severity of the resulting risk to people’s rights and freedoms.” If it is possible that there would be a risk, then you have to notify the Information Commissioner’s Office (ICO). If it is established that there would be no risk, then you do not have to notify the ICO. However, you should make a record of your decision not to report and also your justification reasons. The important thing to consider is the “potential negative consequences for individuals”.
The GDPR is largely an exercise in paperwork. Under Article 30 of the GDPR you must keep a written/digital record of the following:
- The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
Other documents you may want to create and keep are as follows:
- information required for privacy notices, such as:
- the lawful basis for the processing
- the legitimate interests for the processing
- individuals’ rights
- the existence of automated decision-making, including profiling
- the source of the personal data;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- Data Protection Impact Assessment reports;
- records of personal data breaches;
- information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
- the condition for processing in the Data Protection Bill
- the lawful basis for the processing in the GDPR
- your retention and erasure policy document.
The purpose of all this documentation is mainly to ensure that you are GDPR compliant. However, this information has other benefits for you:
- Customers and potential customers will understand what happens with their personal information and can make informed choices about dealing with you
- You will easily be able to respond to any data access requests
- You will be able to see if there are any changes or improvements you can make to your data handling
- Being aware of the data you need and use can help you cultivate more efficient business processes
Things to Avoid If Possible
It goes without saying that you should not collect, store and process and personal data you do not need. And, if at all possible, avoid the most sensitive types of data:
- Information on children
- Information on someone’s race
- Information on someone’s sexuality
- Information on someone’s health
- Information on someone’s criminal history
- Information on someone’s religious beliefs
Resources & Further Reading
- The Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- The GDPR Portal: https://www.eugdpr.org/
- The European Commission: https://ec.europa.eu/info/law/law-topic/data-protection_en
- The Saas CTO Security Checklist: https://cto-security
- FSB: https://www.fsb.org.uk/standing-up-for-you/our-campaigns/fsbedataready/campaign-news-and-blogs
- Check whether you need to register with the ICO under the Data Protection Act: https://ico.org.uk/for-organisations/register/self-assessment/
- Our Free GDPR Policy Template: https://webdesignuk.agency/wp-content/uploads/2020/01/wduk-gdpr-policy-document-client-TEMPLATE.docx
- Free Documentation Templates For Controllers and Processors : https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
- Add UK GDPR policies to your website: https://webdesignuk.agency/product/gdpr-page/