We’ve not been able to escape the phrase ‘GDPR’ recently, so our business expert Adam Bernstein shared his guide to everything you need to know about GDPR with us.
GDPR came into effect in the UK on 25th May 2018. It stands for General Data Protection Regulation and its aim is to establish a single set of data protection rules across Europe. Organisations outside the EU are also subject to GDPR when they collect data on individuals in the EU – this is why the UK is keeping it on after Brexit.
Personal data is defined as any information relating to a person who can be identified, either directly or indirectly. It is irrelevant in what context the information is gathered: data about people in their private, public or work roles is all covered by GDPR.
Numerous surveys over the past couple of years have suggested that firms need to make significant changes to how they operate in order to comply with GDPR rules.
It makes no odds how small a business is or how much data it holds; so long as that data can identify an individual, GDPR applies. The rules – under the present Data Protection Act and GDPR – also apply to structured paper records.
If the records are searchable, they’re caught by the legislation. So client names, addresses, email addresses and phone numbers, as well as payment information, are caught. Also caught would be similar information on staff and suppliers.
GDPR markedly changes the enforcement and penalty landscape. The Information Commissioner’s Office (ICO) can presently levy fines of up to £500,000 under the Data Protection Act. GDPR raises that to a maximum of 4% of global annual turnover or 20m euros – whichever is higher.
You will need to ensure your data is kept securely, and that staff are briefed on the law. More importantly, holders of personal data will have to design safeguards into their systems which need to be appropriate and in proportion to the degree of risk associated with the data held.
Technically speaking, this could involve the encryption of personal data; ensuring the ‘ongoing confidentiality, integrity, availability and resilience of company systems’; and having the capability to quickly restore any data after an incident. Interestingly, accidental deletion of personal data counts as a personal data breach, and so may be a reportable event.
One of the fundamental tenets of GDPR is consent: where a firm relies on consent as its basis for holding someone’s data, that consent must actually be given by the individual concerned. Consent is specifically defined by GDPR and means ‘any freely given, specific, informed and unambiguous indication of his or her wishes by which he or she, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.’
This means firms need to be able to show how and when consent was obtained – from clients, staff and anyone else they hold data for. It cannot be obtained through pre-ticked boxes (on paper or online), and nor can it be bundled with other matters such as a contract – employment, purchase or sale.
Any data obtained must be for specific, explicit and legitimate purposes. Importantly, firms need to recognise that individuals can withdraw their consent at any time and have a right to be forgotten: if their data is no longer required for the reasons for which it was collected, or an individual makes a valid request for erasure, it must be erased.
Critically, if data is used for marketing, individuals cannot be contacted where consent hasn’t been given and/or the systems don’t meet the needs of GDPR.
When collecting data, it’s a requirement of GDPR that the individual must be told about:
Importantly, GDPR demands that individuals must be told how their data is processed in a clear and understandable way.
Individuals can make requests to see their data and these must be fulfilled ‘without undue delay and at the latest within one month of receipt of the request.’
Another change brought in by GDPR requires companies to report personal data breaches, meaning any breach of security ‘leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
Where such a breach occurs, companies must notify the appropriate supervisory authority, most likely the ICO, ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’ if the breach is likely to ‘result in a risk to the rights and freedoms of individuals.’ The 72-hour clock runs in calendar time, so this could mean working through a weekend or bank holiday.
GDPR isn’t going anywhere and Brexit won’t save firms from having to comply. The penalties are much harsher and the ICO will be looking to make examples of businesses that break the rules. Visit ico.org.uk for more information.