The General Data Protection Regulation came into force on Friday 25 May 2018, amid a raft of mixed messages and media coverage. The Data Protection Act 2018 incorporates the GDPR into UK domestic law, and supplements its provisions. The DPA was badged by the UK government as a law “fit for the digital age”, which “empowers people to take control of their data.” But what does it mean for your business?
A flurry of activity around May 2018 suggested organisations were frantically trying to get their houses in order. Almost one year on, the dust has settled and there are now three types of organisations: those that are GDPR-compliant, those that are in the process of becoming so, and those that are yet to begin. Whichever category your organisation falls into, it’s not too late. There are simple steps that can be taken to ensure your business is moving in the right direction.
“Data audit” is an unhelpfully vague term and, whilst it sounds like an overwhelming task, a data audit is essentially about getting a handle on what data you hold and where it is stored. Delegate this task to a responsible individual within each department and put together a uniform template setting out what the data is (e.g. customer/client, employee or supplier) and where it is stored (e.g. electronically, filing cabinets, a box in the loft).
Once you have rationalised what data you hold, put together a data retention schedule. This should be categorised into customer/client, employee and supplier data, and any other categories relevant to your business. The GDPR does not prescribe specific retention periods and it is therefore a case of your organisation justifying its retention of personal data based on its specific needs and legal requirements.
Delete, shred or anonymise any data that is surplus to requirements (both regulatory and commercial). Those responsible for IT need to carry out an electronic clear out, and physical files should be securely destroyed or archived. This process will help hugely if you ever receive a subject access request from an individual, as you can’t be expected to disclose data you no longer hold.
A key driver of the GDPR is to give individuals enhanced rights. Consequently, your business is usually required to tell individuals what data it holds about them. Again, this will help to pre-empt any subject access requests.
You need to inform employees, customers/clients, and suppliers what data you have, how it was collected, why it is processed, where it is transferred to, how long it is stored for and what their rights are as individuals. A layered approach should be taken, with a privacy notice containing the above information situated on your organisation’s website and issued directly to individuals where practical.
A fairly common misconception is that consent is the most appropriate legal basis to rely upon when processing personal data. This may represent an overly cautious, or even incorrect, approach to justifying data processing.
The Law Society recently reported that lawyers had been publicly criticised by Chris Combemale, chief executive of the marketing network DMA Group, for providing ‘extremely conservative’ advice in advising their clients to seek consent, or even double consent, to retain customer details. It should be noted that marketing activities are also governed by the Privacy and Electronic Communications Regulations (or “PECR”). This is a complex area of law that should not be over-simplified. In certain instances, consent may well be the most appropriate lawful basis, but many businesses rely on the “soft opt-in” justification rather than obtaining fresh consent. The risk of being too cautious is that customer sign-up rates can plummet unnecessarily. Take legal advice before deleting your customer database!
One area where consent is very rarely the appropriate lawful basis is in the employment context. Review your employment contracts to identify any clauses under which an employee consents to the processing of his or her data. The GDPR recognises the potential imbalance in the employer-employee relationship and makes this approach unsustainable going forward. Instead, your employment contracts should refer to a “fair processing notice” or “privacy notice” that is then made available to staff.
Introduce a dedicated data protection policy and make sure staff are aware of what is expected of them through internal or external training and seminars. It is vital to create a “culture” of data protection alongside putting in place robust policies.
It appears no issue is safe from Brexit. The UK government has recently issued guidance on data protection both in the event the UK leaves the EU with a deal in place and in the event that there is a “no deal” Brexit. In both instances, the advice is, unsurprisingly, to continue to be compliant with data protection law and that the Information Commissioner will remain the UK’s independent regulator for data protection.
In the event of a deal, the government has advised that the implementation period will mean that data controllers will see no immediate change in their day-to-day obligations. Personal data should be able to continue to flow both ways between the UK and the EEA during that period, whilst the EU makes an assessment of the UK with a view to adopting adequacy decisions by the end of the implementation period.
In the event of a “no deal” Brexit, the government has advised that there will be no immediate change to the UK’s data protection standard, with the GDPR being brought into UK law. However, there will be a change to the way data is shared from the EEA to the UK. The government is hopeful that the European Commission will adopt adequacy decisions in respect of the UK as soon as possible, but this is unlikely to have happened by the time a “no deal” Brexit occurs.
Whilst implementation has resulted in widespread changes in the vast majority of UK businesses, the GDPR is not as radical a departure from pre-existing data protection regulations as has been portrayed.
The above are examples of effective and pragmatic steps that your business can and should be taking, but there are many more areas that fall under the remit of the GDPR. The imposition of fines by the Information Commissioner’s Office is not reserved for personal data breaches alone and can result from failure to implement internal procedures and non-compliance with the principles of transparency and accountability.
If you would like to discuss data protection matters and how your business can work towards becoming GDPR-compliant, please contact Ben Jackson, or call 0191 232 8345.