The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. The regulation is intended to update the Data Protection Act (1998) and to supply greater protection for individuals regarding the personal data that is collected, stored, managed and processed in relation to them.
And it’s causing chaos.
I’ve lost count of the number of conversations I’ve had about GDPR over the last couple of months and everyone, everyone, has a different take on it. Something that they have been told that is absolutely, positively, true and will mean that if they so much as dare to email a customer or client an Information Commissioner’s SWAT team will come crashing through the window.
So perhaps it's time to take a deep breath, discount all of the people who are trying to make GDPR into a money spinner and take a calm look at what GDPR actually is.
What is GDPR and why is it happening??
GDPR is widely considered to be a response to the growing amounts of data automatically collected and used through electronic media such as websites and social media platforms, as well as an attempt to regulate how businesses make use of customer and employee data.
It’s designed to give individuals back control over their personal data and protect them from businesses that improperly share, sell, process or transfer their personal data.
And that's not you, is it? Unless you are in the business of buying contact databases and then spamming the people on them, unless you collect and process large amounts of personal data and then fail to secure it, unless you leave your employees' personal data lying around on the photocopier. Which I'm guessing you don't. So, the GDPR isn't designed to stop you from running your business, it's designed to protect you and your data.
But if I get it wrong I’ll be fined!!
Yes, the regulations introduce new powers for the Information Commissioner's Office to penalise businesses that breach data protection rules, allowing for fines of up to 4% of annual turnover to be imposed. Which, if you have a healthy turnover, could be a big hit. But read that again: businesses that breach the data protection rules. So, if you don't breach them there is no issue.
Also, consider for a moment the number of private businesses based in the UK; according to a 2016 BEIS report that would be about 5.5 million. Then turn your thoughts to the relative size and resource capacity of the Information Commissioner's Office (the body tasked with implementing and policing the GDPR). I make you no promises, but they are unlikely to be hunting down small businesses and sole traders for accidental breaches of limited impact.
Ok, so what data are we talking about?
The regulations cover Personal data, which is defined as any information which can be used to identify an individual.
So yes, if you have a client list, a customer database, employee records, or any other list of data about people from which they could be individually identified, then that data comes under the classification of Personal Data.
There is a further class of data, Personal Sensitive Data, which covers data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
So, if you work in a therapeutic business and you keep notes about your clients, or if you collect data on your employees for analysis, e.g. for equality monitoring purposes, pay modelling etc., then this counts as personal sensitive data.
The GDPR does not say that you can't have this data, but it does say that how you collect, process, use and store it needs to be in line with the principles of the regulations.
Woah there Nelly! Principles? What Principles?
In brief the principles state that data must be:
- collected, stored and processed in a fair, transparent and lawful manner
- collected, stored and processed for a relevant and necessary purpose
- stored in an accurate, up to date and secure manner
- stored for no longer than is necessary
Key to the new regulations is a shift from ‘opt out’ to ‘opt in’. This means that individuals must give explicit consent before data can be collected and retain the right to remove their data at any point. Consent must be freely given, specific, informed and unambiguous. Records of consent must be kept.
So, that means when you are collecting data that you think meets the Personal Data or Personal Sensitive Data definitions you need to use a privacy notice which:
- Tells the individual why you are collecting it and what you will use it for
- Is explicit about the lawful basis you are relying on in order to collect the data
- Gains their explicit consent for the data to be used in this way; make sure this is separate from your general T&Cs and that you don't make it a requirement of doing business with you.
- Confirms how you will be keeping it and how long you will be keeping it for
- Explains how they can request that their data be removed, should they wish to do so at a future date.
Hold up! Lawful Basis? What’s that??
There are six lawful bases for processing (that includes collecting) Personal Data, set out in Article 6 of the GDPR. At least one must apply whenever you process personal data. They are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Unless the nature of your business requires something different, most of you will be operating under the consent and contract lawful bases.
The only thing to be careful of is whether it’s a genuine situation of consent, so relying on consent in an employment contract is dodgy, because, really, how is your employee going to withhold consent without jeopardising their job?
However, if they fancy being paid you are going to have to process their data, so you would instead rely on contract, legal obligation and legitimate interest (most of us do have a legitimate interest in pay day after all).
So, I've got the data, I've got lawful grounds, so I can keep it now?
Well, yes and no. Data must not be kept for longer than is 'necessary' for the original purpose for which it was collected. There are no hard and fast rules about this (helpful, isn't it?) but it comes down to what you are keeping it for.
If it’s an employee you need to keep it while they are working for you and for about 6 years afterwards to allow you to deal with tax issues, tribunal claims etc. But not all data relating to the employee needs to be kept for that length of time e.g. maternity pay records (If you want a list, give me a shout).
If it’s customer data you need to keep it while they are a customer and could legitimately keep it for a period after they have ceased doing business with you (up to 2 years is considered a reasonable ask).
If it's potential customers then it's a bit trickier: how do you determine whether they are still interested and therefore still legitimately on your list? Well, the lowest risk option is to ask them. It will take time, but it's the best way of ensuring that the customer/client lists you're holding are compliant and that your contacting them about your offer won't be a breach.
Get the laptop out, make sure you’ve got a large brew on the go and do this:
- Clean up your lists, remove duplicates, remove anyone who’s already opted out.
- Put a big fat tick next to anyone who you already have clear consent from:
  - Those you've got a signed consent/privacy notice from
  - Active clients who you're in contract with
- Prepare a ‘repermissioning’ email/letter. Do a different one for your main customers, you know them and they deserve something a bit better than an automated email.
- Make sure they understand how to opt out and that they can say yes now and opt out at a future date.
- Do not, for the love of God, send your cheery ‘do you want to stay on my list’ email to anyone who’s already said no, or who opted out or unsubscribed. That’s an offence under the existing DPA, never mind the GDPR.
- If you can't get a response via email, or you want to grow your customer base, you can still currently make contact (Business to Business) by post without committing an offence. Good news for the post office, bad news for your stationery budget.
- Keep a record of when and how you get consent going forward. Record all your ‘repermissioning’ consents as they come in, delete anyone who says ‘no’ immediately. In the unlikely event that there’s an issue you’ll need to demonstrate this.
- If you can’t get clear consent, delete.
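The list clean-up and 'repermissioning' steps above, as an added worked example (not part of the original post). It assumes a spreadsheet-style list with an assumed `status` column ("consented", "contract", "unsubscribed" or "unknown") and a `how` column recording where the consent came from; the sample rows are constructed.

```python
from datetime import datetime, timezone

# Constructed sample list; the status values are assumptions for this example.
RAW_LIST = [
    {"email": "ann@example.com",  "status": "consented",    "how": "signed privacy notice, 2017-11-02"},
    {"email": "Ann@Example.com",  "status": "unknown",      "how": ""},   # duplicate of the first row
    {"email": "bob@example.com",  "status": "unsubscribed", "how": ""},   # already opted out: never contact
    {"email": "cara@example.com", "status": "unknown",      "how": ""},
    {"email": "dan@example.com",  "status": "contract",     "how": "active client, contract signed 2018-01-15"},
]

# Statuses that count as a clear basis for staying on the list without being asked again.
CLEAR = {"consented", "contract"}
# If duplicate rows disagree, the most protective status for the individual wins.
RANK = {"unsubscribed": 3, "consented": 2, "contract": 2, "unknown": 1}


def clean_list(raw):
    """Dedupe by normalised address and drop anyone who has already opted out."""
    merged = {}
    for row in raw:
        key = row["email"].strip().lower()
        best = merged.get(key)
        if best is None or RANK[row["status"]] > RANK[best["status"]]:
            merged[key] = {"email": key, "status": row["status"], "how": row["how"]}
    return {k: v for k, v in merged.items() if v["status"] != "unsubscribed"}


def to_repermission(contacts):
    """Addresses with no clear basis yet: only these get the 'do you want to stay on my list' message."""
    return sorted(k for k, v in contacts.items() if v["status"] not in CLEAR)


def record_response(contacts, email, said_yes, how, when=None):
    """Log when and how consent was given, or delete the person immediately on a 'no'."""
    key = email.strip().lower()
    if key not in contacts:
        return contacts  # never re-add someone who was removed or had opted out
    if said_yes:
        stamp = when or datetime.now(timezone.utc).isoformat()
        contacts[key].update(status="consented", how=f"{how} at {stamp}")
    else:
        del contacts[key]
    return contacts


def finalise(contacts):
    """Repermissioning is over: anyone still without clear consent is deleted."""
    return {k: v for k, v in contacts.items() if v["status"] in CLEAR}
```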
Yes, your database may well be smaller by the end, BUT it will be filled with people who genuinely want to do business with you and who now know that you take this stuff seriously.
So, I’ve been told that I need a Data Processing Officer (DPO)?
Nope. Not unless you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
I've had people tell me that even if they are a sole trader they need to be a DPO. You don't. If you run your own business you're automatically the person responsible for making sure your business is GDPR compliant.
If you have staff, and there's someone who you reckon will be better at it than you, then you can give them responsibility for compliance, but ultimately the buck stops with you. You can't make someone external to your business responsible for compliance, but you can get them in to do audits etc.
Though if you want to add DPO to your list of jobs, feel free, you just aren’t required to unless you’re big into data.
Ok, so what if there is a problem?
The main issues you’re likely to be dealing with are: Breaches, Data Access Requests, and Opt Outs.
Let’s deal with the scary one first. Data Breaches. So, what is that?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
If the data breach is significant, that is, if it is likely to cause a risk to people's rights and freedoms, then you need to inform the ICO and the data subjects. This should be done within 72 hours, or as soon as practicable.
Chances are though that the data you hold isn’t likely to be the subject of a hack, and that the data you hold is unlikely to represent a significant breach if lost. And I’m pretty sure the ICO don’t want a call every time someone loses a phone or a laptop.
Security is your friend here: put passwords on your devices, change them regularly, don't use the same one for everything, password-protect or encrypt data (an encrypted laptop that goes missing is a far smaller problem than an unencrypted one), and keep a copy in secure storage other than just your PC/laptop so that data can be recovered.
If you do think there’s been a breach but you’re not sure if it needs reporting then ring the ICO, they’re not monsters.
Subject Access Requests are where data subjects (individuals on whom data has been kept) exercise their right to request access to all data pertaining to them that is kept by a business or employer.
If this happens to you then your response is simple, give them everything you hold on them within one month (you can extend by a further two months if the requests are numerous or complex).
You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Under the GDPR data subjects have the additional rights to object to processing and to withdraw consent to processing and data storage (Opt Outs).
This means that an individual can withdraw their consent to a business holding their data and request that it is deleted (Right to be Forgotten). There are certain circumstances where the business has a right to decline this request, normally only when there is a legal obligation to collect and process the data, or where removal of the data would make it impossible for the business to fulfil a contractual obligation to the data subject (e.g. payroll).
Again, the response is simple, unless there is a legal reason not to do so, delete and remove the subject’s data and confirm that you have done so when it’s complete.
And that's it, folks.
You can still advertise publicly, you can include a ‘do you want to join my mailing list?’ as long as you then get a full consent before adding them, you can still email your existing customers, you can send flyers and paper mail to people you’d like to do business with in the future, you can keep records on patients and therapeutic clients, you can hold employee records.
You can probably do almost everything you were doing before, provided that you operate in an up-front and transparent manner and remember it's their data; they're just letting you mind it for your mutual benefit. Look after it like you look after your bank card and you'll be just fine.
If you’ve got any questions I haven’t answered here or want to have a specific conversation about GDPR or HR Issues contact me here.