What is GDPR?
The General Data Protection Regulation (GDPR) is a European law replacing the Data Protection Act (DPA) in the United Kingdom from May 2018.
Almost all organisations store and process personal and often sensitive information, and the danger is that this information could get into the wrong hands and be used inappropriately. The Information Commissioner’s Office (ICO) is the independent authority upholding GDPR, and an organisation’s failure to comply could lead to substantial fines and penalties.
Personal information about customers and staff is widely stored in databases that are accessible via networks and online. The risk of unauthorised data access has increased because the data is more immediately available than ever before. In addition, who has access to this information, and how accurate is the information stored? And should data be stored and/or used without the person’s knowledge or permission?
The European Union is streamlining data protection enforcement, updating rules and simplifying personal rights. The intention is to give control of personal data back to citizens rather than leaving it behind a wall of corporate legal jargon.
Principles of accountability
GDPR sets out six principles of accountability, which are the fundamental building blocks for good data protection practice and the key to compliance.
In short, the personal data held by a company should be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purpose.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Kept for no longer than necessary.
- Processed in a manner that ensures appropriate security.
Lawful, fair and transparent
Organisations must be clear about how they use information. A privacy notice must inform subjects about all personal information collected. Subjects must opt-in to any communications sent from the organisation. Any consent notices must be unambiguous.
Collected for specified, explicit and legitimate purpose
Any personal data collected must be for specified, explicit and legitimate purposes. Personal data cannot be processed in a manner that is not compatible with those purposes.
Adequate, relevant and limited
Data collected must be no more than is necessary to conduct the specified business. The information must be ‘just right’: not so much that it is an invasion of privacy, and not so little that it could cause poor decision making or profiling. Collection of data must be justified. No data should be collected ‘just in case’. Data must not be held or used for other purposes in future unless this is stated in advance. Data must be securely deleted when no longer required.
Accurate and kept up to date
Data must be accurate and up to date. Every reasonable step must be taken to ensure that inaccurate personal data is corrected or deleted without undue delay.
Kept for no longer than necessary
Data must only be kept as long as needed to fulfil specified business activities. A retention policy outlining data expiry and deletion should be published. Processes must be put in place to comply with data deletion requests.
Processed in a manner that ensures appropriate security
The organisation is accountable for all personal data stored. It must protect against unauthorised processing, accidental loss and damage throughout all stages of the processing lifecycle, from collection to deletion. The organisation must choose appropriate technical processing methods. Furthermore, organisations should pursue certified basic steps to demonstrate compliance and to protect against cyber attack (Cyber Essentials or ISO27001).
Individual rights of ‘Data Subjects’
Organisations must prepare for the expansion of individuals’ rights and the resulting increase in subject access requests (SARs).
Individuals’ rights now include:
- The right to be informed - What is the data used for? How can individuals exercise their rights? Individuals must be contacted if the use of their personal data changes.
- The right of access - Individuals can ask whether an organisation is holding and/or processing their personal data. They can request a copy of all their data via a subject access request (SAR). Guidance for individuals must be set out in a privacy notice, for instance on the organisation’s website.
- The right to rectification - Incorrect or incomplete data must be fixed without delay. Information about the process must be available to individuals.
- The right to erasure - Individuals have a ‘right to be forgotten’: they can withdraw consent to the use of their data.
- The right to restrict processing - Individuals can object to the processing of their data, e.g. for marketing.
- The right to data portability - A copy of their information must be provided in a usable format on request.
- The right to object - Individuals can object to processing and have an absolute right to object to marketing.
- Rights related to automated decision making and profiling - Individuals can object to the way in which their data is used to make automated decisions and build profiles.
All customers, staff etc. must be notified of all their rights and of the SAR process via a privacy notice on the organisation’s website. This must be in clear language and easily accessible.
Subject access requests must be fulfilled free of charge within 1 month and information provided directly and securely in a common format (e.g. PDF) and only to the requester.
A proactive attitude towards compliance
Organisations are encouraged to adopt a proactive attitude towards GDPR, demonstrating compliance and establishing ongoing review and updates.
An organisation’s compliance evaluation should include:
- Assessing current data privacy practices
- Creating personal data inventory
- Updating privacy notices (e.g. website link)
- Obtaining consent from existing and future subjects
- Putting organisational and technical measures in place
- Assessing privacy impact
- Developing a data breach reporting process
They should also raise internal awareness with staff:
- Data protection policy and review
- Internal policies and staff training
- GDPR awareness and obligations
- Maintain documentation on processing activity
The ICO proposes ‘Privacy by design’ and ‘Privacy by default’.
We’ve updated our website, what now?
It’s likely that most organisations will rush to publish updated cookie and privacy policies on their website, tighten up website security with SSL and frantically seek data capture and marketing consent from existing clients in time for the 28th May deadline. What’s next?
Organisations should consider creating a GDPR project team, with the assistance of trusted technology partners. This team would be responsible for:
- Risk assessment and processing
- Training staff
- Gap analysis
- Privacy development
- Lawful processing
- Data breach report process
- SAR implementation
ICO 12 Steps - Preparing for GDPR (PDF):