Firstly – don’t panic. You’ve probably heard that the Information Commissioner’s Office (ICO) can impose huge fines for breaches of the GDPR, but the ICO has published a simple document, ‘Twelve steps to take now’. There is also the much more detailed ‘Guide to the General Data Protection Regulation’. Note that the GDPR does not only apply to digital data: it also covers paper and similar records.
This isn’t a ‘here’s how you comply with GDPR’ post. It is intended to help, and to point an SME, much like ourselves, in the right direction. It does not deal with a number of areas, such as the personal data of vulnerable people. And, as the lawyers might say, no reliance should be placed upon it. We’ve tried to pick out the salient bits, those you really should know about. But if you complied with the old Data Protection Act then you are already most of the way there, with a few (but significant) add-ons and changes. But GDPR is a big subject and therefore this is the first of two pieces we’ve written on it.
Doing a GDPR Data Audit – what personal data do you have?
Personal Data is any data containing information about an identified or identifiable human person. (A limited company is, in law, a person – go figure.) In most cases we are talking about actual names, addresses and the like, but any data can be Personal Data if it would be reasonably possible to identify someone from it. So, as the guidance states, an IP address might be personal data. That is a change from the old rules.
You will need to know and document where the data came from and who it is shared with. Unless you know this, you can’t perform your obligations under the GDPR. Your documentation will allow you to demonstrate compliance with the GDPR, a requirement that is another change from the old rules.
Are you a data ‘Controller’ or a ‘Processor’? You must know.
A Controller says how and why Personal Data is processed, and the Processor acts on the Controller’s behalf. It is likely that in respect of some data you will be a Controller, and in respect of some you will be a Processor. If you share data with another person or organisation, it will probably be that you are the Controller and the company/person the data is shared with is the Processor, or vice versa.
You may need to look at the contractual agreements you have with the companies/persons with whom you share data, and agree to alter them so that each party undertakes to perform its Controller/Processor role. What matters is that you agree you will each perform your roles, and that you set up communications and a system between the parties, because you will need to cooperate for each party to comply with GDPR. So: with whom do you share data, and do you have an agreement with them to manage your obligations under GDPR?
For an SME, the data audit should not be onerous
For a large company, such an audit, and reaching these agreements, is a massive undertaking. For an SME, it is likely to be much more doable, limited to details of customers, suppliers and employees, and perhaps marketing (i.e. potential customer) data.
The fact is that an SME will almost certainly have a couple of people who could, in a few hours, sit down and list all the company’s Personal Data: who it is shared with, what it is used for, how it is processed and where it came from. The range of an SME’s activities is limited enough that one or two people can have oversight of all of it. For any large company, the task of identifying everything is nightmarishly huge.
Gavurin is a data company – we hold huge quantities of data on behalf of, or for the use of, customers, in addition to the categories listed above – but even so, identifying datasets which contain personal data is not a problem so long as you/we get on with it in an organised way. However, you/we need systems for dealing with things, and need to be able to show that you/we can comply with the GDPR obligations. This is a change from, indeed a critical difference from, the old rules, which did not require that.
What are the GDPR obligations regarding Personal Data?
Processing of Personal Data must have a lawful basis, which requires either:
- the consent of the data subject, or
- that the processing is necessary to carry out a contract with the data subject, or
- that it is a legal obligation, or
- that it is necessary to perform a task in the public interest, or for your official functions, or to protect life, or
- that processing is necessary for ‘legitimate interests’.
There is a list of alternative circumstances but these are the main ones.
Consent must be explicit, informed and freely given. The data subject must know what data there is and how it will be used. They must opt in (so no opt-out tick boxes), and their agreement cannot be buried in the general terms and conditions (where it could be obscured). Consent should not be required as a condition of providing a service (the guidance suggests that in this situation an organisation should rely on the ‘legitimate interests’ argument instead).
An example of a Contractual/Legal Obligation case might be data relating to employees. Here you must comply with tax and NI obligations (legal obligation), hence you need the data and are entitled to process it. You would also need personal data relating to your employees because of the contract of employment – this is necessary to carry out the contract.
What is a ‘legitimate interest’?
Legitimate interests are more complex. There is a three-part test:
- Is it a legitimate interest? It might be your interest, a third party’s or a client’s; IT security, marketing and fraud prevention are all potentially legitimate interests.
- Is the processing necessary for the pursuit of that interest?
- The balancing test: does the legitimate interest override the individual’s rights? How non-trivial is your legitimate interest, is your use of the data to be expected, and is it non-harmful?
The more compelling the reason for the processing and the less the impact on the data subject, the stronger the case is.
You can only use the data for the purposes for which you have authority, and it must be accurate and kept up to date. Only data necessary for the authorised purpose may be kept, and it must be destroyed/deleted once it is no longer required. The retention period need not be a fixed length of time; it can be based on a rule, so that the data is deleted upon the happening (or non-happening) of an event. That is the same as under the old Data Protection Act. The point is that, again, you now need a demonstrable system in place to ensure that this happens.
The data subject has a series of rights relating to the data. Some of these are new, although others, such as rectification of inaccuracies, are existing rights. You are required to respond promptly to requests under these rights, a new obligation. You must have systems in place allowing you to respond, so that you can demonstrate compliance. And crucially, one of these rights is the right ‘to be informed’. This is discussed in our second post on GDPR; it is probably this requirement that will cause the most difficulty for any SME.
Under the Data Protection Act there was no obligation to report a data breach. Under GDPR there will be. I don’t suppose SMEs will usually be the ones reporting. It’ll be the banks, insurance companies and larger organisations doing that… It’s worthwhile to remember this.
Each data subject has rights, some of which carry obligations for Controllers/Processors. These are described in the companion blog post, ‘Rights of the Data Subject’, which follows this one.