All businesses have paper and/or digital records of data relating to their customers and employees: names, addresses, emails and other personal information.
On 25 May 2018, the General Data Protection Regulation (GDPR) becomes law. The GDPR sets new standards for data protection and its enforcement. It restates what is meant by data and how that data should be collected, managed, stored and secured.
While GDPR consolidates existing data protection principles, it significantly strengthens the rights of individuals (data subjects) in relation to data held about them including how they can access, rectify and have that data erased (“the right to be forgotten”).
A key decision for any business planning for GDPR will be to identify the lawful basis upon which they are going to process personal data. Much of the hype surrounding GDPR relates to “consent” which we will turn to shortly. However, consent is just one of a number of lawful grounds for which GDPR permits the processing of data. Other legitimate grounds are:
- Contract – for performance of a contract with a data subject or to take steps to enter into a contract
- Compliance – for compliance with legal obligations
- Vital interests e.g. where necessary to protect a person’s interests or life
- Public task – for the protection of public interests or in the exercise of official authority
- Legitimate interests – to fulfil the legitimate interests of the data controller except where those are overridden by the interests of the data subject
Except for direct or indirect marketing then, the received wisdom is that consent should only be used as a condition for processing personal data where none of the other above grounds apply.
Consent already exists as a concept under the current data protection regime and GDPR actually makes it more difficult to obtain consent to the processing of data. Whereas organisations already need to obtain consent before sending marketing communications (e.g. the pre-ticked box), GDPR requires that consent is be freely given, specific, informed, properly documented and easy for people to withdraw. The use of pre-ticked, opt-out boxes will no longer be permitted as a method of obtaining consent to receive marketing material.
Even where a lawful basis for processing has been identified, you still need to audit the information held to ensure its accuracy. Internal procedures should be reviewed to ensure that there are the correct resources to manage and protect the information on a continuing basis. There should also be a very clear privacy policy in place.
For the first time, GDPR also introduces the requirement to report data breaches. A data controller has 72 hours from becoming aware of a loss of customer details which could leave that individual open to identity theft to report that loss to both the individual and to the Information Commissioners Office (ICO).
Another fundamental difference between the current regime and GDPR is enforcement. Pre-GDPR, the maximum fine which the ICO could impose for a data breach is £500,000. Under GDPR, the maximum fine will be €20Million or 4% of turnover, whichever is greater.
Undoubtedly, GDPR brings in significantly more robust data protection rules and will require all businesses to review and develop their existing data protection policies and procedures. But remember that the core purpose of GDPR is to ensure that all businesses adhere to what should already be best practice.
The ICO’s website contains a lot of essential information about GDPR and will be an invaluable resource for anyone tasked with ensuring that their business is GDPR-ready in time for 25 May 2018.
The content of this blog is for information only and should not be construed as legal advice or treated as a substitute for specific advice given by Mitchells Roberton.
