A good place to start is the Data Protection Act 1998, the law that set the ground rules for the use of personal information in the UK.
The problem is that in those days, companies were still storing records on paper in filing cabinets. A lot has changed since then, so, naturally, regulation has to change too.
The GDPR keeps most of the fundamentals of the Data Protection Act 1998, with a fresh coat of paint, but it also adds some new responsibilities for companies. The GDPR is a single EU Regulation that applies across the whole of the EU (and the EEA) and took effect on 25 May 2018, the same day the UK's Data Protection Act 2018 came into force.
What is the GDPR?
GDPR stands for the General Data Protection Regulation. If your company collects or processes any kind of customer personal data, it is likely that you will have to change the way that is done. Regulation like the GDPR can be confusing to those unfamiliar with the area, so let us break it down for you.
Who does the GDPR apply to?
Chances are you have some dealings within the EU, either as a company established in the EU or as one outside the EU that offers goods or services to, or monitors the behaviour of, individuals who are in the EU (Article 3 sets out this territorial scope). Note that it is the individual's location, not their nationality, that matters.
If you do business with companies or people based in the European Union (EU), you will have to comply with the GDPR, and so will the suppliers that process personal data on your behalf.
Main GDPR roles.
The key GDPR roles are defined as follows:
Data controller means a natural person, business, public authority or agency which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor means a natural person, business, public authority or agency which processes personal data on behalf of the controller.
Data subject means the identified or identifiable living individual to whom personal data relates.
Personal data means any information relating to an identified or identifiable natural person.
It is important to establish your role and its responsibilities, because the role can vary from one processing activity to another. For example, if your company collects personal data from its customers and decides how it is used, you are likely to be a controller. Equally, if you process personal data on behalf of a customer and only on their instructions, you are a processor. The same company can be a controller for some activities and a processor for others.
Under ICO guidance, an expert or professional adviser who applies their own judgement to the personal data is usually a controller rather than a processor. The correct roles must be reflected in contracts and in any data processing agreements. Industry whitepapers on the roles in specific sectors may also be useful to the company.
The lawful basis for processing personal data.
This is the first data protection principle, 'fair and lawful' processing, from the Data Protection Act 1998, which the GDPR expands in Article 5 (lawfulness, fairness and transparency). As a company you may be tempted to rely on legitimate interests as the single basis for every processing activity. The GDPR actually provides six lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task and legitimate interests), and you should choose the one that genuinely fits each activity.
The ICO points out that no single basis is 'better' or more important than the others, so you should consider which is the most appropriate for each activity and record it in your data map. Also consider any additional conditions required by other privacy legislation; for example, special category personal data (such as health or biometric data) is sensitive in nature, needs more protection and requires a separate Article 9 condition on top of the Article 6 basis. Some bases carry their own additional tests: legitimate interests, for instance, requires a purpose test, a necessity test and a balancing test against the individual's rights.
This links to other areas of the GDPR: a company acting as controller or processor must keep records of its categories of processing (Article 30), reflect them in its processor contracts (Article 28) and assess whether the security measures it has adopted are adequate (Article 32).
Ensure the accuracy of the personal data.
Personal data collected or processed must be 'accurate and, where necessary, kept up to date', in line with the accuracy principle in Article 5(1)(d) of the GDPR. The controller must take reasonable steps to ensure that inaccurate personal data is erased or rectified without delay, so that the data it holds is complete and reliable rather than inaccurate, incomplete or out of date. Your company may keep a record of a mistake, provided the mistake is corrected and the record is clearly identified as such. The data subject can exercise the right to rectification (Article 16) if their personal data is inaccurate.
What are the data subject rights?
The data subject has a right of access (Article 15) to the personal data the controller is processing, together with supporting information such as the purposes and recipients; your suppliers (processors) must help you provide this. Where personal data is incorrect there is the right to rectification (Article 16), discussed above. Where the data subject withdraws consent, or the purpose for the processing no longer exists, they have the right to erasure (Article 17). If a data subject moves from one provider to another (e.g. a dentist), they may ask for their personal data and request that it be transmitted to the new controller under the right to data portability (Article 20). Depending on the situation, the data subject may also object to the processing of their personal data (Article 21).
Using other suppliers.
If your company uses suppliers to process personal data on its behalf, you must ensure they act only on your documented instructions and authority. Check the technical and organisational security measures required by Article 32 during pre-contract due diligence, at renewals and during audits, get confirmation that they meet the GDPR's requirements, and write those measures into the contract. If you use offshore business processing, further information can be found here.
Ensure that contract documentation is in place which clearly sets out the purpose, duration and nature of the processing and what happens to the data on deletion or return. The contract should also commit the supplier to assist you during investigations and personal data breaches.
How long can personal data be kept for?
Personal data or special category data collected by a business should be kept in line with the storage limitation principle: no longer than necessary for the legitimate purpose it was collected for. The periods should be set out in a retention policy. There may be other reasons to keep data for longer, for example accounting records retained for the periods required by the Companies Act, or records relevant to legal claims.
Any agreement with a data processor should oblige the processor to return or destroy the personal data, at the controller's choice, when the services end, except where a legal retention period applies.
Cookies and consent related to cookies.
This area is governed by PECR (the Privacy and Electronic Communications Regulations) and, where cookies involve personal data, also by the GDPR. Previously, a simple banner saying that visitors accept cookies by using the site was the norm. Under the GDPR, consent means 'any freely given, specific, informed and unambiguous indication' of the data subject's wishes, given by a statement or a clear affirmative action, and the controller must be able to demonstrate it (Articles 4(11) and 7). A granular opt-in is therefore required, including a separate opt-in for analytics cookies that the visitor actively selects; pre-ticked boxes or continued browsing do not count. Only cookies that are strictly necessary for a service the visitor has requested are exempt from consent. There are many cookie consent tools available; make sure the one you adopt meets the Commissioner's guidelines.
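The consent gate described above, written out as an added example rather than code from the original article or from any particular consent tool. Non-essential cookies are written only after an affirmative, category-specific opt-in; the consent record carries a timestamp and policy version so the controller can demonstrate it; a malformed record fails closed; and withdrawal clears the cookies that are no longer permitted. The cookie jar is a small abstraction so the same logic runs in Node and in a browser (where you would wrap document.cookie). The cookie names, category names and policy version are assumptions for illustration.

```javascript
// Added example (not from the original article): consent-gated cookies.
// Cookie and category names below are illustrative assumptions.

const CONSENT_COOKIE = 'cookie_consent';        // assumed name of the consent record
const CATEGORIES = ['analytics', 'marketing'];   // offered to the visitor, all unticked by default
const STRICTLY_NECESSARY = 'necessary';          // exempt from consent under PECR

// Registry of which cookie belongs to which category, so that a withdrawal can
// clear the right ones. Names are illustrative.
const COOKIE_CATEGORY = {
  session: STRICTLY_NECESSARY,
  _ga: 'analytics',
  _gid: 'analytics',
  ad_id: 'marketing',
};

// Minimal cookie jar; in a browser, wrap document.cookie with the same interface.
function createMemoryJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Parse the stored consent record. Anything missing or malformed counts as
// "no consent", never as consent.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (!rec || !Array.isArray(rec.granted) || typeof rec.at !== 'string') return null;
    return rec;
  } catch (e) {
    return null;
  }
}

// Record an affirmative choice. An empty `granted` list is a valid "reject all".
// Storing when, and against which policy version, the choice was made is what
// lets the controller demonstrate consent later (Article 7(1)).
function recordConsent(jar, granted, policyVersion, now = new Date()) {
  const record = {
    granted: granted.filter((c) => CATEGORIES.includes(c)),
    policyVersion,
    at: now.toISOString(),
  };
  // The consent record itself is strictly necessary, so it bypasses the gate.
  jar.set(CONSENT_COOKIE, JSON.stringify(record));
  return record;
}

function hasConsent(jar, category) {
  if (category === STRICTLY_NECESSARY) return true;
  const rec = readConsent(jar);
  return rec !== null && rec.granted.includes(category);
}

// The gate: a cookie is only written if it is registered and its category is
// either strictly necessary or has been opted into. Unknown names fail closed.
function setCookieIfAllowed(jar, name, value) {
  const category = COOKIE_CATEGORY[name];
  if (!category) return false;
  if (!hasConsent(jar, category)) return false;
  jar.set(name, value);
  return true;
}

// Withdrawal must be as easy as giving consent (Article 7(3)): store the new,
// narrower choice and remove cookies from categories no longer permitted.
function withdrawConsent(jar, keep, policyVersion) {
  const record = recordConsent(jar, keep, policyVersion);
  for (const [name, category] of Object.entries(COOKIE_CATEGORY)) {
    if (category !== STRICTLY_NECESSARY && !record.granted.includes(category)) {
      jar.remove(name);
    }
  }
  return record;
}

// A constructed visit showing the gate in action.
function demo() {
  const jar = createMemoryJar();
  const sessionOk = setCookieIfAllowed(jar, 'session', 'abc');  // necessary: always allowed
  const gaBefore = setCookieIfAllowed(jar, '_ga', 'GA1.2.1');   // refused: no consent yet
  recordConsent(jar, ['analytics'], '2020-07');                 // visitor ticks analytics only
  const gaAfter = setCookieIfAllowed(jar, '_ga', 'GA1.2.1');    // allowed
  const adOk = setCookieIfAllowed(jar, 'ad_id', 'x');           // refused: marketing not ticked
  withdrawConsent(jar, [], '2020-07');                          // visitor later rejects all
  return { sessionOk, gaBefore, gaAfter, adOk, cookiesAfterWithdrawal: jar.names() };
}
```

The important design choice is that every failure path (no record, unparseable record, wrong shape, unregistered cookie name) results in the cookie not being set. A consent tool that treats a missing or corrupted record as "accepted", or that loads the analytics script before the visitor has acted, is exactly the pre-GDPR behaviour the regulators have rejected.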
Role of a data protection Officer (DPO).
The GDPR data protection officer assists the business in deploying and monitoring compliance and in dealing with GDPR or privacy matters as they arise; the DPO's tasks are set out in Article 39. The DPO acts independently, whether the company is a controller or a processor. Under Article 37 a DPO must be appointed if you are a public body, if your core activities involve large-scale regular and systematic monitoring of data subjects, or if your core activities involve large-scale processing of special category or criminal conviction data. Some European countries extend this with an employee-number threshold; if your company meets it, local legislation may require a DPO.
The DPO's contact details must be published, communicated to the supervisory authority and included in the privacy information given to data subjects, whether the data was collected from them directly (Article 13) or from elsewhere (Article 14). This allows both data subjects and the regulator to use the DPO as a point of contact.
The data protection officer must be involved in personal data breach reviews and must not have a conflict of interest. The Belgian Data Protection Authority, in a decision on responsibility in the event of data leaks and the position of the data protection officer, found that a DPO who was not involved in personal data breach reviews, and who also held the audit/risk role, was not sufficiently independent and free from conflict of interest.
A question that keeps recurring from customers is whether, after Brexit, your company has an EU-based DPO contact. Most companies with a global presence will have coverage. A company outside the EU with no EU establishment may also need to appoint an EU representative under Article 27; this is a separate requirement from the DPO, not a substitute for one. A DPO is your company's go-to subject matter expert on data protection.
Is ICO registration in the UK required?
In short, yes, if you are a data controller. Controllers must register with the ICO, the UK regulator, pay the data protection fee and supply supporting information unless they are exempt. This is governed by The Data Protection (Charges and Information) Regulations 2018, with different fee tiers depending on the size and turnover of your company.
But after Brexit, EU regulations don't apply?
Although the UK has left the EU, the GDPR continues to apply in UK law after the end of the transition period on 31 December 2020, as the retained 'UK GDPR', with amendments. Alongside it, Part 2 of the Data Protection Act 2018 points straight back to the GDPR, and the rest of the Act covers areas the GDPR does not (such as law enforcement and intelligence services processing).
The GDPR is referenced in the UK's Data Protection Act 2018 and was carried into UK law by the EU withdrawal legislation, so its principles remain. The EU's Justice Commissioner wants proper GDPR rules to apply between the EU and the UK after exit. If you have European customers and continue doing business with them, it is unlikely they will accept anything less than GDPR-level protection.
Privacy Shield – Schrems II
In the USA, companies receiving EU personal data relied on the Privacy Shield framework. In July 2020, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield invalid in the Schrems II case, because US law does not offer a level of protection essentially equivalent to EU law. Standard contractual clauses (SCCs) remain valid, so personal data can still be received from the EU under them, but the parties must assess whether the law of the destination country undermines the clauses in practice and, where necessary, put supplementary measures in place alongside them.
What if you don't comply: enforcement or a GDPR fine?
If personal data is leaked in a breach because appropriate technical or organisational security measures were not in place, the company can be fined for failing to comply.
Under Article 83, the supervisory authority (in the UK, the Commissioner) may issue administrative fines for breaching the GDPR of up to either:
(i) €10 million or 2% of annual worldwide turnover, whichever is higher, for breaches such as failing to meet the security, processor-contract or record-keeping obligations; or
(ii) €20 million or 4% of annual worldwide turnover, whichever is higher, for breaches of the principles, the lawful basis requirements, data subject rights or the international transfer rules.
The GDPR also provides for compensation claims by data subjects who have suffered damage (Article 82). As part of enforcement, the supervisory authority has powers of entry and inspection, including access to premises and data processing equipment and, under warrant, the power to seize documents and equipment.
Steps to take.
To stay clear of enforcement and fines, and to stay on top of the GDPR:
- It's lengthy, but read and understand the GDPR.
- Map the personal data you collect and process.
- Apply the correct role (controller or processor) and the correct lawful basis to each activity.
- Record your categories of processing and check your security measures.
- Put the correct contracts, and where needed standard contractual clauses, in place.
Find out how we helped one client with their GDPR compliance requirements through the implementation of data protection agreements in our case study.
Your business may need support in one or more of these areas. Talk to us to see if we can assist with your data protection or GDPR compliance through our data protection consultancy services, by emailing email@example.com or requesting a proposal from us.