On the 25th May 2018, the General Data Protection Regulation (GDPR) will come into law.
What will the changes really mean for businesses that collect, hold and use data?
Superfast Business Wales recently teamed up with the Information Commissioner’s Office, the UK's independent body set up to uphold information rights, for a series of events to give businesses across Wales the opportunity to explore and ask questions of how the GDPR will impact them.
If you are uncertain about the realities of GDPR for small and medium sized businesses or the type of changes you should be preparing for, read our Q+A to understand some of the real questions asked by businesses across Wales at our GDPR events regarding how new data regulations will change how their business manages data.
Does Brexit mean that the U.K. won’t be impacted by the GDPR in May? Will it change the laws in the future?
As of May 25 2018, the UK will still be a member of the European Union and as such GDPR will be the law in force that the ICO will be regulating.
The ICO state that the “GDPR has direct effect across all EU member states and has already been passed. This means organisations will have to comply with this regulation and will have to look to the GDPR for most legal obligations.”
“However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the Data Protection Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side.”
Find out more about the Data Protection Bill here.
Do all businesses need to have a data protection policy – and how can small businesses manage this in comparison to a large organisation?
The ICO state that “the accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles [of the General Data Protection Regulation] and states explicitly that this is your responsibility.”
Policies will be a key part of demonstrating accountability, and the nature of the detail required in a policy will be proportionate to the type of personal data held by any given organisation. Smaller organisations will find useful guidance here.
Can you assume the consent of your existing marketing list or data already collected when the GDPR comes into practice?
Any consent for marketing under GDPR will need to meet the higher standard set out here.
The ICO state that the “GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires individual (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.”
It is also important to note that “you must keep clear records to demonstrate consent” and “the GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.”
Do you need the consent of every single person that you hold data on?
In order to process personal data, consent is just one of 6 legal bases available in Article 6 of the GDPR. The ICO states that the “lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)”
Following the lawful bases, you may not require consent to hold personal data as you may process their data one or more of the other conditions. In order to decide which lawful basis applies, the ICO says: “You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.
You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.”
How does the retention of data for ‘as long as necessary’ apply to back-up retention?
For example, how does GDPR apply if the HR department delete a person’s data but the IT department have it on back up for another 12 months for recovery purposes?
The ICO state that “For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that you determine your lawful basis for processing personal data and document this.”
The retention of data for HR purposes may be different to retention of the same data for back up purposes. However, it’s important to recognise that if you’re processing data then GDPR will still apply and you’ll need to identify a lawful basis. Documenting and demonstrating your retention policies, even for different departments of the business, will help you ensure you’re only holding data legally and for as long as necessary.
What’s the difference between a data controller and data processor?
It’s essential that any business involved in processing personal data can determine whether they are acting as the data controller or the data processor as “the GDPR applies to controllers and processors”.
According to the ICO, “a controller determines the purposes and means of processing personal data” whereas a “processor is responsible for processing personal data on behalf of a controller”.
As a data processor, do I need a contract with every client or customer? If I didn't have a contract would the responsibility fall solely on the data controller?
The ICO highlight that “if you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities.” Under the GDPR, “you will have legal liability if you are responsible for a breach”.
However, that doesn’t mean processors are exempt from responsibility.
“If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.”
The ICO’s draft Contracts and Liabilities guidance provides useful advice on this subject.
If a data breach or issue occurs under the GDPR, are you obliged to tell the ICO? When should inform the ICO and what happens when you do?
The GDPR will introduce a duty for all organisations to report certain types of data breach to the relevant supervisory authority. In some cases, organisations will also have to report certain types of data breach to the individuals affected.
The ICO advise that “you only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.”
You can find out more information about reporting a data breach here.
If you are looking for more advice and support on data protection and cyber security, visit our Information Hub for more helpful blogs.
To access clear guidance on all matters relating to the General Data Protection, please refer to the Information Commissioner’s Officer website.