On 25 May 2018 the EU General Data Protection Regulation (GDPR) comes into force and replaces the Data Protection Act 1998 as the data protection law that applies in the UK.
This is not something to ignore: its impact will reach all of us, both in our professional capacities and as consumers.
Here are a few things you should know about GDPR.
What is it & why is it being introduced?
With so many businesses operating across geographical borders, international consistency in how personal data is used and processed is essential, for businesses and consumers alike.
The existing legislation pre-dates much of the modern digital economy, so there is a need for law that is relevant and up to date.
GDPR is intended to be exactly that: a single, harmonised regulation covering the processing of personal data, whether on paper or in digital form, that applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It also explicitly addresses newer categories of data such as biometric data.
Put simply, GDPR strengthens the rights of individuals over their personal data across the EU, and it extends those protections to any organisation, wherever it is based, that transacts business with or targets individuals within the EU.
Oh yes, and for anyone who thinks that they won’t have to do anything because ‘Brexit’ will mean this will never come into force… Please think again; the government has confirmed that ‘Brexit’ will not impact upon the adoption of GDPR.
Who does it apply to?
As already mentioned, if you collect, store or use the personal data of individuals in the EU (whether or not they are EU citizens), GDPR applies to you.
GDPR identifies particular roles, including:
- Controllers – the organisation or person that determines the purposes and means of processing, i.e. why and how the data is processed
- Processors – the organisation or person that processes personal data on behalf of, and on the instructions of, a controller
Both roles carry increased responsibilities, but one of the main changes under GDPR is that processors now have direct statutory obligations of their own (for example to keep records, implement appropriate security and notify the controller of breaches), rather than being bound only by their contract with the controller.
Each firm principal will be the data controller for their business and will therefore be responsible for ensuring that the firm complies with the legislation. Depending on how each firm is structured, some individual advisers may also have obligations as controllers in their own right.
As you would expect, we will provide guidance and assistance where possible, but ultimate responsibility lies with you. Please make sure that you are fully familiar with the GDPR requirements and revisit the ICO guide regularly, as the ICO's guidance is still being updated in the run-up to May 2018.
It is also worth noting that the same organisation can be a controller for some processing and a processor for other processing.
What information does it affect?
- Personal Data – This now has a broader and more detailed definition. Online identifiers such as an IP address or a cookie identifier can be personal data. In practice, anything that is personal data under the current Act remains personal data under GDPR. As before, both automated and manual (structured paper) filing systems are in scope, and pseudonymised or 'key coded' data (where the identifying details are held separately and can be re-linked with a key) is explicitly treated as personal data.
- Sensitive Personal Data – Now called 'special categories of personal data'. Broadly this covers the same categories as at present, with some additions: genetic data, and biometric data where it is processed to uniquely identify someone, are now named as special categories.
What are the highlights?
- Accountability – You must be able to demonstrate how you comply with the principles (and there are new principles, six of them, listed below). The key to this is documenting your processes: what data you hold, why you hold it, on what basis, for how long and how it is protected.
- Principles – There are six. Personal data shall be:
  - Processed lawfully, fairly and transparently;
  - Collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes;
  - Adequate, relevant and limited to what is necessary in relation to the stated purpose;
  - Accurate and, where necessary, kept up to date;
  - Kept in a form which permits identification of data subjects for no longer than is necessary for the stated purpose;
  - Processed securely, with appropriate protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Basis for Processing – You need an established lawful basis for each processing activity, including storage. You must determine that basis before you start processing, document it, and tell individuals what it is in your privacy notice.
There are six lawful bases for processing:
  - Consent of the data subject;
  - Processing is necessary for the performance of a contract with the data subject (or to take steps at their request before entering into one);
  - Processing is necessary for compliance with a legal obligation;
  - Processing is necessary to protect the vital interests of the data subject or another person;
  - Processing is necessary to carry out a task in the public interest or in the exercise of official authority;
  - Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject.
Needless to say, it is not as simple as picking the one you like: each basis has its own conditions and criteria. The most familiar of these is 'consent', but it is not necessarily the easiest to rely on, because GDPR sets a high standard for what counts as valid consent and the individual can withdraw it at any time. Where another basis (such as contract or legal obligation) genuinely applies, it is often the more appropriate choice.
In addition, processing 'special categories of data' requires a separate condition from a further list (for example the explicit consent of the data subject) on top of the lawful basis above.
- Consent – Consent must be freely given, specific, informed and an unambiguous indication of the individual's wishes, given by a statement or a clear affirmative action; silence, pre-ticked boxes or inactivity do not count. The request for consent must therefore clearly state what the client's information will be used for, how it will be stored and for how long. It must be presented separately from other terms and conditions, and it must be as easy to withdraw consent as it was to give it.
Consent must be verifiable, so it is wise to obtain and record it in a durable medium, noting who consented, when, how and what they were told.
The question then arises: can I rely on existing consents? The short answer is yes, but only if they already meet the GDPR standard (specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn). Consent obtained by pre-ticked boxes or bundled into general terms will not meet that standard.
You can see why so many firms have chosen to ask their customers to re-consent.
Please do not assume that the guidance on consent can be ignored or loosely interpreted: the fines that follow (see below) show the cost of not making a reasonable effort to comply.
- Children's Personal Data – Where services are offered directly to a child, your privacy notices must be written so that a child can read and understand them. Where you rely on consent for an online service offered to a child, GDPR also requires the consent of a parent or guardian below a threshold age (16 by default, which member states may lower to 13).
What rights does an individual have?
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
Needless to say, there is again significant detail behind each of these rights (including the exemptions and the time limits for responding), which you should review.
What are some of your responsibilities?
Access – Remember that customers, both past and present, have a right of access to their data, and it is likely that some will request a full copy of everything you hold on them. Although our current data request processes are robust, under GDPR the timeframe for responding is reduced from 40 days to one month (extendable by a further two months for complex requests), and in most cases you can no longer charge the £10 fee.
Client Contact – To 'market' to a customer you must be able to evidence that the client has given specific, express consent to being contacted. For electronic marketing by email or text, the Privacy and Electronic Communications Regulations (PECR) continue to apply alongside GDPR.
Data Accuracy – All data that you hold on a data subject must be accurate; it is not acceptable to retain inaccurate or out-of-date information on a client. You are also responsible for keeping the data you hold up to date and for correcting it promptly when a client tells you it is wrong. Now is the time to consider how you will ensure that the data you hold remains accurate.
Why comply?
- Accountability & Responsibility – It is your responsibility to ensure that your business complies with GDPR. We will, of course, share with you all of the guidance and documentation that we have, but it is incumbent upon you to ensure that your business has adopted GDPR and has the necessary processes in place.
GDPR also introduces a new accountability principle: it is not enough to comply with the principles outlined above, you must be able to demonstrate that you do, through records of processing, documented policies, staff training and, where required, data protection impact assessments. Full details of this requirement are available on the ICO website.
- Breach – A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore about much more than losing data: an email sent to the wrong client, a laptop stolen from a car, or a file altered without authority all qualify.
You must notify the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals; relevant risks include financial loss, loss of confidentiality and damage to reputation. Where the breach is likely to result in a high risk to individuals, you must also tell the affected data subjects themselves without undue delay.
Whether or not a breach is reportable, you must keep an internal record of every personal data breach, including its effects and the remedial action taken.
The ICO provides specific guidance on reporting a breach, but the stand-out point is that a notifiable breach must be reported to the ICO within 72 hours of your becoming aware of it. Your responsibility is to report it to us in good time, well before that 72-hour period ends.
- Fines – There are two tiers of fine. Failing to meet obligations such as breach notification, record keeping or security can result in a fine of up to €10 million or 2% of global annual turnover, whichever is higher. Breaching the principles, processing without a lawful basis, or failing to honour individuals' rights can result in a fine of up to €20 million or 4% of global annual turnover, whichever is higher.
In our next communication we will start to detail what actions you should be taking in preparation for GDPR. Subsequent communications will also go into more detail concerning specific areas of GDPR.
For ease, we have added a GDPR Hub to our members' website, which will be updated over the coming weeks.