Any business or organisation which holds or uses personal data, which means virtually every business, is subject to data protection legislation, like the GDPR.
The main pieces of legislation are the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). In this article “GDPR” is used to refer to data protection legislation generally.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a data protection law which applies to all people in the EU (whether or not they are residents or citizens of an EU member state) and regulates the collection and processing of ‘personal data’.
The GDPR regulates the collection and processing of ‘personal data’ relating to individuals. Individuals whose data is held or processed are referred to as ‘data subjects’. One important point to note is that if the data is not ‘personal’ in nature it will not be regulated by the GDPR. Storing or holding personal data counts as ‘processing’.
How do I comply with the GDPR?
What each business needs to do to comply with the GDPR will depend on the nature of the business and how it uses personal data.
In very general terms GDPR sets out seven principles which need to be followed, these are that personal data must be:
1. Processed ‘fairly and lawfully.’
2. Collected for specified, legitimate purposes.
3. Adequate, relevant and limited to what is necessary.
4. Accurate and up to date.
5. Kept for no longer than necessary.
6. Processed in a secure manner.
7. Data Controllers must be responsible and accountable.
Most businesses should not have too much difficulty complying with the GDPR and these principles if they put in place (and observe) some relatively straightforward notices, policies and procedures.
What is ‘personal data’?
‘Personal data’ means any information relating to an identified or identifiable natural person. This means any piece of information that would enable someone to directly identify a natural person such as a name, an ID number or an online identifier like an IP address or a cookie.
Information about a business or a public authority is not personal data.
In a business, personal data will usually include information about employees and contractors as well as personal information relating to customers and suppliers.
For many bricks and mortar or offline businesses the amount of personal data held about customers may be relatively limited. For online and service businesses the information held about individuals may be more extensive.
Note that information relating to someone’s role at a business or organisation does not stop the information from being personal data.
What are legitimate purposes for processing data?
There are several legal bases which may be relied on in order to process data. One of the persistent myths about GDPR is that it requires consent to process personal data. Processing of data must be done under a ‘legal basis’ and consent is just one.
The legal bases which are most commonly relied on are ‘performance of a contract’, ‘consent’ and, importantly, ‘legitimate interest’.
Performance of a contract — where processing of personal data is necessary in order to perform a contract with the data subject, then this is a permitted legal basis. Please note that the contract has to be with the person whose data you hold.
Consent — The consent of a data subject is always a permitted legal basis. Consent under the GDPR must be freely-given, specific, informed and unambiguous. This requires a positive step, so deemed consent and pre-ticked boxes are not sufficient.
Legitimate Interest — this is by far the most important legal basis and is the most widely applied.
What does ‘legitimate interest’ mean?
This means that someone has a legitimate interest in processing personal data which is not overridden by the interests of that person in the security and privacy of their data.
In plain English this really means standard types of processing which are not unusual, would not be unexpected by the data subject and do not put the data security or privacy of the data subject at risk. Where legitimate interest is not possible (for instance if the processing is of an unusual or unexpected nature) then consent may be required.
What about sensitive data?
The exception to the rule about consent not usually being required is ‘special category’ data often called ‘sensitive’ personal data. Unless one of the very few limited exceptions apply consent is required to process ‘special category’ data. This includes information about: health, racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data; sex life or sexual orientation and criminal convictions.
Do we need to register with the Information Commissioner?
At present, data controllers are required to register with the ICO to pay an annual fee. You can register here.
What information do we need to give to data subjects?
The privacy notice will set out (among other things) the types of data collected, the legal basis relied on, how the data is used, whether it is transferred to third parties and the rights of data subjects.
A separate privacy notice will be required if there are fundamentally different types of data subjects. Accordingly most businesses will require at least two privacy notices, one for staff and contractors and one for customers, clients and third parties.
There are similarities between privacy notices and there are some standard terms which are generally included in all privacy notices, but the requirement to give specific information about the legal basis relied on, the types of data collected and how the data is used will mean that some thought needs to be given to a privacy notice.
Do we need to appoint a data protection officer?
The GDPR introduces a requirement for some organisations to appoint a Data Protection Officer (DPO). All public authorities must appoint a DPO and some other organisations must also appoint a DPO if they carry out large scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
What rights do data subjects have?
There are some exceptions to data rights but broadly each data subject has the right to request that data is not processed, for a copy of any data and for data to be corrected or updated, and for a copy of data to be transferred.
Subjects can also ask that data is not used for direct marketing or profiling purposes and can withdraw consent to process data.
How do we respond to requests to access data?
If a data subject wants to access their data, you will need to respond without undue delay and in any event within one month. In most cases you can’t charge a fee for this access.
What steps do we need to take to protect data?
The GDPR requires that anyone holding or processing personal data take both ‘technical’ and ‘organisational’ measures to ensure that personal data is secure and that data subjects’ rights are maintained.
Technical measures refer to firewalls, password protection, penetration testing etc. and anyone holding personal data on electronic systems should consult with IT professionals to ensure that adequate security measures are in place to protect data.
Organisational measures refers to internal policies, staff training etc. Ideally businesses will have both internal data protection policies and a program of staff training (often this is done online).
Do we need to keep any other records?
If you have more than 250 employees or if you are processing ‘special categories’ of data, you will be required to keep a record of your data processing activities.
How long are we allowed to keep data for?
It is a principle of the GDPR that data should not be held for longer than necessary. A privacy notice should also inform data subjects how long their data is to be held for. This means that businesses do need to decide what their data retention policy will be.
A very common “default” period for holding personal data is 6 or 7 years. This is because the time limit for legal claims is often 6 years and this period can sometimes be extended temporally.
Are we allowed to transfer data outside of Europe?
Yes, you are permitted to transfer data outside of Europe, but you will need to make sure that appropriate safeguards are in place.
Some countries have been deemed to have an adequate data protection framework (e.g. Switzerland, Canada) and data can be transferred to these territories (but note that any processors will still need to enter into a formal processing agreement as described above).
If you are transferring to a US company then they may be certified under the “Privacy Shield” framework which allows for transfers to those specific companies.
For any other transfer outside of Europe, the parties to whom the data is transferred may need to sign up to ‘model clauses’ or contracts set out by the EU commission which incorporate data protections for data subjects.
What do we do if there is a data breach?
The GDPR requires all businesses to make a report to their regulator (in the UK the Information Commissioner’s Office) within 72 hours of becoming aware of data breach that is likely to result in a risk to the rights and freedoms of individuals (e.g. a cyber-attack on your system that results in personal data and/or special categories of personal data being temporarily unavailable or released).
Where a breach results in a high risk to rights and freedoms, you will also need to tell the people who are directly concerned.
Guy Wilmot is a partner in the technology and growth team at Russell-Cooke