You may by now have heard that existing data protection law is set to be replaced by the EU General Data Protection Regulation (GDPR) on 28 May 2018, and on 14th September the Government published the new Data Protection Bill, to make GDPR law, irrespective of Brexit. The ultimate aim of the new Regulations is to provide individuals with much more say and authority about how their data is used, as well as punish companies that mishandle personal data.
The regulations will have far reaching implications on all types of businesses, not only in the obvious areas such as direct marketing, but also on internal processes too. We have summarised below what the main changes are as a starting point for organisations, and we would recommend that organisations keep themselves up to date thereafter with ongoing developments where the regulations are concerned; and how they will impact upon key operational areas such as HR, IT, Payroll and Marketing. The Information Commissioner’s Office is an excellent source of information: www.ico.org.uk.
The days of pre-filled tick boxes on websites and emails are numbered. Instead, individuals must take a positive action in order to signify consent for an organisation to be able to contact them, this consent must be with ‘freely given, specific, informed and unambiguous indication of the individual’s wishes’. Moving forward, organisations must be able to show how they obtained an individual’s consent.
Lawful processing of an individual’s data must satisfy a condition for processing. First and foremost, organisations must have consent to use the data for the purpose for which they intend it to be used (see above). Additional bases for lawful processing include; in order to satisfy a contract with the individual (i.e. a client-accountant relationship), to comply with a legal obligation (i.e. required as evidence in litigation proceedings), or it is in the public interest (i.e. journalism).
There are additional conditions for special categories of data. Those in the medical, local government, not for profit sectors and those who process children’s data should acquaint themselves with the special categories of data.
Accountability and Governance
GDPR elevates the importance of the accountability and governance provisions within the existing data protection legislation and organisations should put into place comprehensive governance measures proportionate to the business. This will include things such as data privacy impact assessments (DPIA) when adopting new technologies, privacy by design, the appointment of Data Protection Officers (if a large organisation), identify data controllers and data processors within the business i.e. who controls the data in your organisation and who processes it? It is a requirement of GDPR that these roles are defined and documented and roles in processing data set out accordingly. Organisations will have to expand their existing data protection policies and processes to accommodate these provisions.
New Individual’s Rights
Amongst others, the regulations furnish individuals with enhanced rights including…
The right to be informed and the right to access: Upon request organisations must be able to provide fair processing information (i.e. how they are using an individual’s data) and a complete record of the personal data that an organisation holds on an individual.
The right to erasure: Individuals can request that the data an organisation holds be deleted. This is subject to certain exemptions i.e. it is required to be retained to comply with a legal obligation.
The right to object to processing of their data: This can include processing of data for direct marketing purposes in which case
organisations must halt the processing of data straight away.
A personal data breach means a breach of an organisation’s security leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data. Organisations must notify the relevant supervisory authority within 72 hours of a breach where it is likely to result in a risk to the rights and freedoms of individuals i.e. identity theft. Additionally, organisations must notify the individuals themselves if there is a ‘high’ risk (i.e. the theft or loss of unencrypted data) to those individuals’ rights and freedoms.
Penalties for non-compliance
Organisations falling foul of the regulations face hefty penalties, which could be as much as £17m or 4% of an organisation’s annual turnover – not an insubstantial figure!
Is there any data that is exempt?
GDPR concerns itself with ‘unique identifiers’ that allows organisations to identify a person through particular features i.e. email address. With that in mind, generic catchall email addresses i.e. info@, enquiries@, accounts@ fall outside the scope of the regulations, however bear in mind that if these email addresses are contained within a record (for example, on a CRM system) that does bear unique identifiers i.e. a person’s name, then this individual too must give consent.
As mentioned above further clarification is awaited from the ICO regarding GDPR and we anticipate that will include clarity regarding social media and the capacity to send direct messages via this medium.
A quick GDPR Checklist
Whilst not an exhaustive list, as a starting point, organisations should consider the following:
1. Updating internet privacy policies, terms and conditions and cookie policies
2. Audit existing individual’s data to ensure sufficient consent to process is available and recorded.
3. Update website contact forms to seek the most appropriate consent
4. Remove pre-filled tick boxes from the company website
5. Define processes and procedures to establish who has access to what data within the organisation to minimise unnecessary exposure to sensitive data
6. If a large organisation, assess whether a Data Protection Officer is required
7. Implement a monitoring and control system to regularly review data, and its valid retention
8. Update any software such as CRM to record consent
9. Create a system for dealing with the enhanced requests that individuals can now make in terms of access to records, data portability, right to be forgotten, etc.
10. Prepare for the worst case scenario in the event of a data breach. Mitchell Charlesworth Insurance Solutions offer cyber protection insurance which we would recommend that you seriously consider – this will cover you for the cost of dealing with mandatory data breach notifications, incident response, investigation and restoration, compensation awards and fines.
Mitchell Charlesworth Insurance Solutions Limited is authorised and regulated by the Financial Conduct Authority. Whilst the information is believed to be true, the communication may not be comprehensive and recipients should not act upon it without seeking professional advice.