February 23, 2018
Data Protection Law

GDPR Guide Introduction

I am EM Law’s lead adviser on data protection compliance.

We all know that the GDPR has been coming for some time, but few businesses are properly prepared for it. Most businesses know that they should be doing something but, because the GDPR is complicated, they have not got around to understanding what it is they need to be doing. Some managers I have spoken to think that the effect of the GDPR is being overstated by lawyers and other professionals trying to cash in on the unwarranted panic they are causing. I have some sympathy for this attitude – especially having seen some of the very heavy guides out there!

Unfortunately, though, while there is no need for the vast majority of businesses to panic, all businesses, large or small, have work to do to make sure that from 25 May they will be complying with the new law.

This GDPR guide is aimed at you, the director of a small/medium-sized business, who does not know much about data protection. You know that data protection laws exist. You know that your business has a responsibility to keep data secure and that if data gets lost your business can get sued. Your business probably has a privacy policy published somewhere – perhaps on your website – that you do not pay much attention to. Your contracts contain data protection clauses somewhere towards the back of them – you’ve relied on your lawyer making sure that these are correct.

This GDPR guide will hopefully give you a good overview of what the GDPR is about and what you need to do to make sure that your business will be compliant come 25 May. You will certainly not know all there is to know by the end of reading this GDPR guide but it will give you a platform to enable you to find out more or to seek help in an informed way.

This GDPR guide is applicable to the majority of UK based businesses. It does not apply to:

  • Public authorities.
  • Organisations that are established outside the UK.
  • Organisations that sell products or services to children.
  • Organisations that handle information relating to criminal convictions and offences.

GDPR Guide Quick Q&A

Q: Does the GDPR apply to your business?
A: As your business is established in the UK then, yes, it does and it will apply to data that your business collects both inside and outside the EU.

Q: What is the GDPR about?
A: It is a set of rules that govern how your business may process “personal data” and the systems that your business must put in place in connection with that processing.

Q: What is personal data?
A: Information that relates to an identified or identifiable living individual e.g. personal details, medical details, financial details, employment details, lifestyle details, IP address.

Q: The GDPR applies to “the processing of personal data”. What does “processing” mean?
A: “Processing” is described so widely (e.g. it includes “collection”, “storage” and “use”) that we do not see how you could not be “processing” personal data. So, any activity involving personal data falls within the scope of the GDPR.

Q: Who is a “data controller”?
A: A data controller is the person responsible for deciding how and for what reason personal data is processed. Your business, as an employer, will be the data controller in relation to personal data processed about your employees. Your business, as a supplier, will be the data controller in relation to personal data processed about its customers.

Q: Who is a “data processor”?
A: A data processor is the person who processes data on behalf of a data controller. Your business, as a supplier, will be a data processor in relation to personal data that your business customer (the data controller) has given you about its employees or clients.

GDPR Guide: Data Protection Principles

Data controllers and data processors must comply with all of the following principles when dealing with personal data:

Lawfulness, Fairness and Transparency

Your business must give individuals whose personal data it collects certain information about who your business is and what it does with their data.

Your business can only process personal data on the basis of one or more of the following grounds:

The individual has given their consent

If your business is relying on obtaining an individual’s consent to process their personal data then that individual must have understood clearly what they were consenting to and they must have given their consent by some positive action and without being under any pressure to do so. An individual signing a stand-alone document that clearly sets out how your business will process their data is a good way of obtaining consent. Burying a consent clause in the back pages of a contract will not be acceptable. Individuals must also be informed of their right to withdraw their consent at any time.

It is necessary for entering into or performing a contract with the individual

For example, your business will need to store an employee’s financial details so that your business can pay them.

It is necessary for compliance with a legal obligation

For example, your business will need to disclose employee salary details to HMRC.

It is necessary to protect the vital interests of the individual

This ground usually only applies in life or death situations. If, for example, an employee is seriously injured at work your business may need to disclose that employee’s medical history to the medics.

It is necessary for the performance of a task carried out in the public interest

This is relevant to public authorities or private businesses acting under the control of public authorities.

It is necessary for the purposes of legitimate interests pursued by you or by a third party

(as long as your interests are not overridden by the fundamental rights of the individual). For example, for direct marketing purposes or preventing fraud, for internal administrative purposes between group companies, for reporting possible criminal acts.

NB if your business processes “special categories” of personal data i.e. data that reveals: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sex life and sexual orientation then the grounds upon which your business is allowed to process that data are more restrictive than the ones set out above.

Purpose limitation

Your business can only collect personal data for specified, explicit and legitimate purposes that it makes known.

Data minimisation

Collection of personal data must be limited to what is necessary for the purposes for which your business collects it.

Accuracy

The personal data your business collects must be accurate.

Storage Limitation

Your business must not store personal data for longer than necessary.

Integrity and Confidentiality

Personal data must be held securely.

Accountability

Your business must be able to demonstrate compliance with its data protection obligations.

GDPR Guide: Rights of Individuals

Individuals may:

  • Withdraw their consent at any time (in which case your business would need to rely on another lawful ground to enable it to process their personal data).
  • Require data controllers to tell them what information they are holding about them, what for, how long for etc.
  • Require data controllers to correct inaccuracies in their data.
  • Require data controllers to erase information held about them.
  • Require data controllers to provide them with a copy of all personal data held on them.
  • Object to the processing of their data.

GDPR Guide: Obligations of Data Controllers and Data Processors

If a data controller appoints a data processor then certain clauses must be contained in the written contract between them.

Your business must appoint a data protection officer if either (a) its core activities require regular and systematic monitoring of individuals or (b) its core activities consist of processing “special categories” of data (see above definition) on a large scale. The majority of businesses will not need to appoint a data protection officer.

Data controllers must maintain records of the processing activities under their control which include at least the following:

  • The name and contact details of the controller.
  • The name and contact details of the data protection officer (if there is one).
  • The purposes of the processing.
  • A description of categories of data subjects and of the categories of personal data relating to them.
  • The recipients of the personal data.
  • Where applicable, transfers of data to a third country or an international organisation.
  • Where possible, a general indication of the time limits for erasure of the different categories of data.
  • The description of the technical and organisational security mechanisms the data controller employs.

Data processors must maintain records of all categories of processing activities carried out on behalf of a controller. This includes the following information:

  • The name and contact details of the processor and of each controller.
  • The name and contact details of the processor’s data protection officer (if there is one).
  • The categories of processing carried out on behalf of each controller.

Data Controllers must conduct an impact assessment if they are involved in “profiling” or processing “special categories” of data (see above definition) on a large scale or if they are systematically monitoring publicly accessible data on a large scale. The majority of businesses will not be involved in these activities.

Your business must implement appropriate measures to keep personal data secure e.g. data encryption, disaster recovery, security testing, staff training.

The Data Controller must flag up any data security breaches.

GDPR Guide: Cross-border Data Transfers

Your business must not transfer personal data outside of the European Economic Area (EEA) unless:

  • It is to a country that the EU Commission has said it is ok to transfer the data to;
  • Your business puts in place appropriate safeguards (for example the contract with the person who your business transfers the data to contains certain clauses that the EU Commission has approved); or
  • An exemption applies (for example the individuals whose data is being transferred have given their consent having been informed of the possible risks of such transfer).

Please bear in mind that your business will be transferring personal data outside of the EEA if, for example, its IT system is cloud-based and the data centre where that data is stored is outside the EEA.

Please also bear in mind that the US is not on the Commission’s approved list of countries to which personal data can be sent. Instead, the EU Commission and the US Government have agreed an arrangement called the EU-US Privacy Shield. Basically, it is ok for your business to transfer personal data to a US company whose name is on the EU-US Privacy Shield list (this list is managed by the US Department of Commerce). At least for now. This arrangement is subject to review.

GDPR Guide: Sanctions for breach of the GDPR

Organisations that breach the GDPR may be hit with administrative fines of up to EUR20 million or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher. If an individual, for example, an employee in your business, suffers damage because your business has breached its obligations under the GDPR, that individual can claim compensation, not just for any financial loss they have incurred but for any distress they have suffered as well. We believe that there will be a significant increase in claims being brought by individuals against businesses following the GDPR coming into force.

GDPR Guide: What should I do now to prepare my business for the GDPR?

First of all don’t panic! Yes, there is work to do but EM Law can do the heavy lifting for you. Here is what needs to be done:

  • Designate someone in the business to be the lead on GDPR matters.
  • Consider whether your business needs to appoint a Data Protection Officer.
  • Audit and map all data processing activities.
  • Assess all data processing activities to see how they align with GDPR principles and requirements and perform a gap assessment. Create an action plan and then put procedures in place to make the changes needed to align activities with GDPR. Review and document the legal basis for GDPR-covered processing activities.
  • Update privacy policies / notices.
  • Update consent mechanisms i.e. check to what extent your business relies on consent from individuals to process their data and then consider whether your business can rely on another lawful ground to process data or what changes need to take place around obtaining consent in compliance with GDPR requirements.
  • Review supplier and customer contracts to ensure that they address GDPR requirements.
  • Prepare for new documentation (record keeping) requirements. It is important to understand that GDPR requires your business to demonstrate how it complies with GDPR.
  • Review personal data protection and security measures – is the personal data that your business processes stored securely enough?
  • Review any cross-border transfers of personal data that your business makes.

This GDPR Guide is very much an overview. If you need any help interpreting the GDPR or implementing its requirements just let us know. We can help you with advice, training, documentation to help you with your data processing assessments, standard form documentation such as privacy policies and GDPR tailored clauses to include in your contracts.