GDPR Compliance

GDPR

So you are all aware of the new GDPR coming into force on 25th May 2018, but how is it going to affect you? Simple: if you collect or hold details about individuals (customers, staff, suppliers or anyone else) then you have to comply with the GDPR.

I have done a search for UK legislation and can only find a Bill from the ISO web site; the address is https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/18190.pdf

A really good web site I found on the GDPR that breaks the articles down is https://gdpr-info.eu; I would advise looking at this site when trying to break down the requirements.

Let's start off with some definitions. These are the basic ones you need to know, taken from Article 4 of the GDPR:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Starting on the GDPR for your business is not really hard: sit down and make an action plan of what is required of you and your company. I have placed a few pointers below:

1) Management and all members of staff within your company who handle personal data should be made aware that the new GDPR rules come into effect on 25th May 2018. This should educate everyone in your organisation about what is required of them and of the company. I understand many organisations are educating staff members and making them sit small tests.

2) Personal data you hold on individuals across the whole of your company (customers, staff, and named contacts at other organisations) needs to be documented and recorded. Recording what data is captured, where it is held and why, and auditing it, will allow you to find incorrect or unnecessary data and comply with the data protection principles (Chapter 2 of the Data Protection Bill [HL]), i.e. having policies and procedures in place. Article 30 of the GDPR also requires controllers to keep a written record of their processing activities (with a limited exemption for organisations with fewer than 250 employees whose processing is only occasional and low risk).

3) Your privacy notices have to be updated to include:

  • Lawful basis for processing the data
  • Your retention period (how long you will hold the data; the storage limitation principle, Article 5(1)(e))
  • Individuals' right to complain to the ICO

Articles 12, 13 and 14 of the GDPR deal with how you should handle your privacy notices (Article 13 applies where you collect the data from the individual, Article 14 where you obtain it from elsewhere). The privacy statement should be placed on your company web site for all to read.

4) Procedures must cover the rights individuals have:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object; and
  • rights in relation to automated decision-making, including profiling

5) You should write procedures and plan for subject access requests. This right, commonly referred to as subject access, existed under section 7 of the Data Protection Act 1998 and is carried forward and strengthened by Article 15 of the GDPR. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this: an individual who makes a request (which under the GDPR no longer has to be in writing, and for which you can no longer charge a fee unless the request is manifestly unfounded or excessive) is entitled to be:

  • told whether any personal data is being processed;
  • given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • given a copy of the information comprising the data; and
  • given details of the source of the data (where this is available).

An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). Other rights relating to these types of decisions are covered by Article 22 of the GDPR (automated individual decision-making, including profiling).

In most cases you must respond to a subject access request without undue delay and in any event within one month of receiving it (Article 12(3) of the GDPR), not the 40 calendar days allowed under the Data Protection Act 1998. The period can be extended by a further two months where requests are complex or numerous, provided you tell the individual within the first month. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request.

6) You must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

Most lawful bases require that processing is 'necessary'. If you can reasonably achieve the same purpose without the processing, you won't have a lawful basis. You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time: you should not swap to a different lawful basis at a later date without good reason.

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

All of this must be documented in your privacy notice.

Defining the lawful basis (Article 6(1) of the GDPR):

Processing shall be lawful only if and to the extent that at least one of the following applies:

    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

7) Consent: where you rely on consent you need to record and manage it in line with the new GDPR rules (Article 7).

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

  1. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  2. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  3. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

8) Data breaches: you need procedures in place for the detection, investigation and reporting of a breach. Articles 33 and 34 of the GDPR cover this. Article 33 requires you to notify the ICO, where feasible within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and to keep a record of every breach whether or not it is reported. Article 34 requires you to tell the affected individuals without undue delay where the breach is likely to result in a high risk to them. Also read the ICO's privacy impact assessment code of practice: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

9) Data Protection Officer: most companies do not need one. Here are the rules (Article 37):

Under the GDPR, you must appoint a DPO if:

  • you are a public authority (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

For more on this section please read : https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/

Are Business and Personal email addresses covered?

The answer to this is YES. Take my email address simon@stone-emc.co.uk: this email address states my name and my place of work, which quite clearly identifies me, so it is classified as personal data.

Generic email addresses such as info@stone-emc.co.uk or enquiry@ are NOT classed as personal data, as I can NOT tie them to a specific person or individual. The exception is where the context does identify someone, for example a sole trader whose info@ mailbox is read only by them: under the definition above, data that identifies a person indirectly is still personal data.

When it comes to using a business email address for marketing purposes, it is the Privacy and Electronic Communications Regulations (PECR) that sit alongside current data protection legislation, which govern how an organisation can use email addresses for marketing by email, telephone, text or fax.
GDPR will apply to how personal data, including email addresses, is processed, while PECR gives further guidance on how that data can be used for electronic and telephone marketing purposes.

In short, PECR (regulation 22) states that you must not send electronic mail marketing to individual subscribers (which includes unincorporated businesses such as sole traders, but not corporate subscribers such as limited companies) unless:
• they have specifically consented, via a clear opt-in; or
• they are an existing customer whose details you obtained in the course of a sale (or negotiations for a sale) of a similar product or service, and you gave them a simple way to opt out both when you collected their details and in every message you send (the "soft opt-in").
You must not disguise or conceal your identity and must provide a valid contact address so recipients can opt out or unsubscribe. Marketing to corporate email addresses still has to comply with the GDPR where the address identifies an individual, and you should still honour any opt-out you receive.