The General Data Protection Regulation (GDPR), an EU Directive that was incorporated into UK law in May 2018, has changed the data protection landscape in subtle but important ways. This guide explains the implications of GDPR for your business, how the new law fits in with other data protection legislation, and what you need to do to stay compliant.
- The GDPR applies to all organisations in the public and private sectors.
- GDPR rules apply equally to personal data held on either electronic or paper records.
In other words, every UK business that stores or processes personal data – whether on customers, suppliers or employees – is affected by GDPR. This has prompted several worried questions:
- Can I still contact customers and prospects for marketing purposes?
- Is my current database/CRM still legally compliant?
- How much will it cost me to become GDPR-compliant?
- What additional data protection obligations must I account for?
Fortunately, most GDPR worries are based on a misunderstanding of how the law works. With the right knowledge and solutions in place, GDPR compliance is easy, often needing few, if any, changes to your current data architecture.
In many ways, GDPR makes data protection easier (and cheaper) than it was previously, by clarifying ambiguities and setting up a clear data security framework based on a few simple principles.
At Clearview Systems we provide consultancy, training and software solutions that help you:
- Classify and monitor data affected by GDPR.
- Set up efficient data access and protection controls.
- Develop a GDPR-compliant data security policy.
Let’s start the guide with some basic definitions. If you are already familiar with data protection legislation you can skip this part and move straight on to the Responsibilities of a data controller under GDPR section that follows.
Data protection legislation regulates how information about living, identifiable individuals is used by organisations (including businesses, schools, charities, private clubs and public institutions).
The purpose is to safeguard individuals from inappropriate use of their personal information and to give them a say in, and control over, how that data is used. It also gives people peace of mind that the data they entrust to organisations is securely stored and handled – reducing the risk of data breaches and identity fraud.
For the past 20 years, UK data protection legislation has been defined by the Data Protection Act (DPA) 1998.
This was updated last year by the GDPR and a revised Data Protection Act (2018). These two pieces of legislation supersede the DPA 1998 and the various guidelines based on it.
Data protection legislation does not stop organisations storing and using information about people. It just sets up rules they have to follow.
These rules are monitored and enforced by the Information Commissioner’s Office, an independent regulator which reports directly to Parliament.
Each EU member state had its own set of data protection rules prior to GDPR. These were broadly similar and were partially harmonised by the EU’s Data Protection Directive (DPD).
However, there were still variations in how businesses conducted IT procedures, data security risk assessments and data handling between the EU countries.
The GDPR was introduced to fully harmonise legislation throughout the EU, making it easier for companies to do business across the union. GDPR was automatically incorporated into law in all EU member states on 25th May 2018, taking priority over existing local data protection laws.
GDPR will continue to be part of UK law after Brexit until revoked by Parliament. Even if this happens, UK organisations that do business with European customers will still need to be GDPR compliant for their operations in the EU.
Why the need for a new DPA as well as the GDPR? Recognising that each member state has specific data protection needs that won’t be covered by an EU-wide law, some areas have been excluded from the GDPR and left to the discretion of local laws. Examples are how data protection laws apply to law enforcement and immigration services, and how concepts like ‘public services’ are defined for data protection purposes. How data protection laws are enforced also varies from country to country.
We’ve kept the use of jargon to a bare minimum in this guide to keep things straightforward, but it helps to be familiar with the main data protection terminology used in the GDPR:
Processing – The use and handling of information about people (personal data) by organisations.
Data subject – A living, identifiable individual on whom personal data is held.
Data controller – An organisation that stores or holds personal data.
Data processor – An organisation or individual who uses the personal data held by a data controller. The data processor and data controller may be the same business, or the processor may be a third party working on behalf of the data controller (for example a cloud hosting service or credit control company).
Data Protection Officer (DPO) – A job role that oversees data security and legal compliance in an organisation. Some organisations are legally obliged to appoint a DPO.
Personal data – Any information about a living person that allows an individual to be directly or indirectly identified. This could be a person’s name, their address, email, personal website or IP address. The definition includes pseudonymous and anonymous personal information if the person can be identified from it. Note: deceased individuals are not covered by GDPR.
Sensitive personal data – The GDPR creates a new special category of personal data relating to sensitive information. This includes:
- Political affiliations
- Racial/demographic data
- Sexual orientation
- Relationship status
- Financial information (bank details, income, investments etc.)
- Group memberships
- Private activities
- Religious belief
Unauthorised access – When a person obtains access to an individual’s personal data (sensitive or otherwise) without that individual’s consent.
Consent – Permission granted by an individual to use specific personal data for a specific purpose. See the section on acquiring consent below.
Central to the GDPR is the concept of privacy:
- The right of individuals to enjoy lives in privacy without unwanted intrusion by organisations, and
- The responsibility of organisations to whom information is entrusted to safeguard that data and use it appropriately, in accordance with the individual’s wishes.
Ownership of an individual’s personal data remains with the person concerned. This has important implications for how your organisation collects and handles personal data.
The following two sections will look in greater detail at the responsibilities of data controllers and the rights of individuals over their personal data.
Individuals have various rights under the GDPR, all flowing from the guiding principle of the right to privacy. All must be respected for compliance purposes, although some are given more weight than others.
A key part of compliance is being open with people about how their personal data will be used, and sticking only to that use. Individuals have a right to be informed. This openness is the basis of the informed consent necessary for an organisation to legally process personal data. This information can be supplied to people by means of privacy policies, data protection notices and other statements of intent.
Individuals can request that their personal data is not used for specified purposes, for example direct marketing, or for research purposes which run counter to their principles.
A person can request access to their personal data at any time by submitting a Subject Access Request (SAR):
- An SAR can be made by phone or in writing and is usually directed to an organisation’s DPO, if they have one.
- You have one month to respond to an SAR and submit the data requested.
- No charges can be made for an individual to access their personal data.
Exceptions to the right of access:
- Access to personal data may be legitimately denied if it could prejudice the detection or prevention of a crime.
- Personal data may be withheld that could be used by a person to identify another individual without their consent – unless that consent can reasonably be obtained.
People should be able to receive copies of their personal data in a commonly used and machine-readable format.
This should be done in a timely manner, as per Subject Access Requests.
Organisations should restrict or suspend processing of an individual’s personal data while it is being corrected and verified.
A key individual right contained in the GDPR is the right to have personal data erased from an organisation’s records. Legally this is withdrawal of consent by the data subject and should be acted on as quickly as possible.
It is the responsibility of the data controller to remove all affected personal data, even when this has been made available to third parties.
For example, a marketing agency would need not only to remove personal data from their CRM, but also from any social media platforms, cloud storage solutions and other websites they may have shared the information with on the person’s behalf.
This can be a complex and time-consuming process unless the right GDPR-compliant data infrastructure is in place.
Exceptions are where this deletion could prejudice an ongoing criminal or tax investigation.
An individual should not be subject to a decision made solely on their personal data, especially where automated decision-making processes are employed. This has implications for many organisations that use profiling software for marketing and recruitment purposes.
The individual rights we looked at in the last section imply certain responsibilities on the part of data controllers. Best practices for organisations fall into two categories:
- Legal conditions for processing and storing personal data, and
- Organisational best practices to ensure compliance with the guiding spirit of the GDPR.
Let’s look at each in turn.
To hold or process data you must be able to prove one or more of the following:
A person must provide active consent for their personal data to be used for a specific purpose. It is no longer sufficient to assume consent from a person not having opted out of a particular service. Consent forms and opt-ins must be documented.
There are many different ways to acquire consent, including website content forms, hardcopy information slips and emails. For it to be valid, a statement of consent must:
- Be given in the context of a written declaration
- Be written in clear, plain language
- Be in an easily accessible form – e.g. Word documents, emails, electronic forms, paper documents
A person has the right to withdraw his or her consent at any time. See Subject Access Requests and the right to be forgotten.
Where it is necessary to hold personal data for an organisation to perform contractual responsibilities to which a person has agreed.
Where data processing is necessary to comply with a legal obligation to which the organisation is subject.
An organisation may need to process personal data to fulfil one of three interests:
1) Vital interests – Data is processed to safeguard the vital interests of a data subject or another person.
2) Public interest – Data processing is deemed legitimate to carry out an action in the public interest, i.e. when an action has the backing of official authority.
3) Legitimate interest – Personal data can be processed where a legitimate interest by the controller or a third party can be proven, except when these conflict with the individual rights of the person concerned.
Cases of vital, public and legitimate interest must be provable by documentary evidence, and accompanied by consent forms or written contracts where appropriate.
A data controller is legally accountable for compliance with the GDPR. As well as proving a sound legal basis for acquiring data, organisations must also demonstrate a responsible duty of care for the data they hold.
These responsibilities are summed up in the following code of conduct.
1) Data must be collected and processed in a lawful manner, in a way that is fair and transparent to the data subject.
2) Data can only be processed for a specific purpose, for which the individual has provided consent.
3) The information held must be strictly relevant to the required purpose, and not include excessive or irrelevant data – the legal principle of data minimisation.
4) Likewise, data should not be kept for longer than necessary to fulfil the agreed purpose – the principle of storage limitation. Personal data should be deleted when it is no longer needed. Exceptions to this are when personal data is acquired for the purpose of long-term scientific research, archiving or statistics.
5) Care must be taken to keep personal data records accurate and up-to-date, and to correct inaccuracies in a timely manner.
6) Personal data must be kept in a secure storage system – whether the records are electronic or on paper. Safeguards must be established against accidental damage, loss, unauthorised access and theft. Information must be treated as confidential, with only appropriate individuals being granted authorised access.
No best practice guide is complete without an overview of the penalties for non-compliance and data breaches. As a data controller, the personal data you hold is your responsibility – you may be legally liable even if a data breach occurs through the actions of a malicious or negligent third party. Data security should therefore be taken very seriously, and you should be aware of the penalties for non-compliance.
Fortunately, the risk of a data breach can be minimised by establishing secure data solutions and taking common sense precautions with data-holding devices.
High-profile data breaches are usually the result of orchestrated malware attacks by sophisticated hackers. These are actually comparatively rare. Most incidents of personal data falling into the wrong hands result from worryingly easy acts of negligence, as these scenarios show:
- An old company laptop is given to a free IT recycling company, who refurbish and sell the laptop without adequately cleansing the HDD of personal data.
- A new employee writes a system username and password on the back of a business card, then loses it in a coffee shop.
- A letter containing sensitive personal data is accidentally posted to the wrong recipient.
- Personal customer email addresses are accidentally disclosed by using CC instead of BCC.
- While remote working an employee sends emails using their own insecure personal laptop, which is hacked, resulting in personal data being stolen.
- A notepad with customer names and phone numbers is left open and unattended on a desk while the employee takes a lunch break.
- Employees discuss sensitive personal data of named service users during a work meeting in a public place.
- Paper records containing personal data are disposed of in an open recycle bin without first being shredded.
- An unsecured company smart phone containing customer bank account details is lost or stolen on the train.
The list could go on and on. Some of these scenarios are IT security incidents, but may not necessarily lead to a personal data breach. Likewise, not all data breaches result from IT security failures.
A data security monitoring framework should be established that reports and ranks all potential security issues in terms of risk.
If a data storage system is hacked or a data breach is suspected, you may need to log a GDPR breach notification report with the Information Commissioner’s Office (ICO) and inform the data subject(s). The notification should include the following:
- The categories of data affected
- Details of the records affected (e.g. emails, bank statements, customer contracts)
- Details of how the incident took place
- Approximately how many data subjects are affected
The company’s DPO should report known data breaches within 72 hours. Information should be in as much detail as possible.
Stiff financial penalties are in place for proven cases of negligence and non-compliance, including:
- For not having records in order
- For not notifying the ICO and data subject about a data breach
- When a breach arises from not carrying out the appropriate impact assessments
- For serious violations of data security principles resulting from misconduct or negligence
- For acquiring personal data without consent from the data subject
- For using personal data for purposes other than those specified in the consent agreement
- For serious infringements of the right to privacy of a data subject (the legal principle of privacy by design central to the GDPR)
Individuals and organisations can be prosecuted under the GDPR if personal data is disclosed without consent – or if data is used inappropriately.
Accidental data breaches are as liable for prosecution as deliberate misuses of data.
Setting out a simple list of best practices for GDPR compliance is not always straightforward, because, as we have seen, the law is governed by general principles rather than specific rules. This gives organisations flexibility over how to apply GDPR to their specific circumstances, but also the obligation to implement the rules thoughtfully in a way that suits the needs of their data subjects.
This quick checklist can help all members of an organisation become more aware of their data security obligations under GDPR.
Keep confidential phone calls on a need-to-know basis. Conduct them in private and out of earshot of colleagues who have no legitimate reason to hear the conversation. Verify the identity of a caller before disclosing personal information about a data subject, and be mindful of who might be listening on the other end. Only share information over the phone that is strictly relevant to the matter at hand.
Be aware of who might be able to see your computer screen while working with personal data. Lock your PC when you leave your desk, and switch it off at the end of the day. Make sure antivirus software is installed and kept up-to-date. Do not use personal computers, phones or tablets to store or process personal data – which includes sending work emails. Securely cleanse old IT assets of personal data before recycling, sale or reuse within the organisation.
Ensure all organisational passwords are strong and difficult to guess, and are changed regularly (every 6 to 10 weeks). Do not share passwords or disclose a password to a third party, including other colleagues.
Waste paper containing personal data should be shredded before recycling. Keep a tidy desk: don’t leave information about colleagues, suppliers or customers unattended or where it can be viewed easily. File confidential paper records in locked filing cabinets or drawers.
Social media updates are also subject to data protection legislation. Don’t publish personal information about a colleague, customer or supplier without their consent. This includes photos and information about life events (e.g. “Congratulations to our Bid Administrator Sam Jones on completing the London Marathon last week!”).
Your CRM, databases, applications and communication systems must be set up to allow GDPR compliance. Most modern data software platforms have this capacity in-built, but this is not the case for legacy systems and unstructured data using a mixture of shared hard drives, email accounts and spreadsheets.
It is worth talking to a data solutions specialist, such as Clearview, about the current state of your data infrastructure and the steps you can put in place to stay compliant. GDPR compliance is often easier and cheaper than you may think, and no organisation can afford to take risks with the personal data in their care.
For confidential advice about GDPR compliance or how to improve your data security, please call 0845 519 7661 or send an email to firstname.lastname@example.org.
Visit our website: https://clearviewbusiness.com/
Keep up with our latest blog posts https://blog.clearviewbusiness.com/
Connect with us on LinkedIn: https://Linkedin.com/company/clearview-systems