In less than six weeks GDPR will replace the Data Protection Act 1998 (DPA) to become law in the UK. GDPR is a set of legal requirements which will govern how organisations of every kind obtain, process and use the data they hold about people like you and me.
GDPR is an EU law which means it applies to all EU member states as well as to organisations in countries outside the EU which supply products or services in to the EU. It will continue to be law in the UK, even after Brexit.
Organisations that fail to comply with GDPR could face a fine of up to 4% of their annual turnover capped at 20 million euros. This far exceeds the current maximum fine allowed under the Data Protection Act of £500,000. Naturally, many organisations are concerned at the prospect of such substantial financial penalties being imposed. However, of equal if not greater concern, should be the threat to reputation that failing to comply with GDPR will bring.
In many ways, GDPR mirrors the existing data protection requirements of the DPA but there are also several new additions and the significance of some DPA requirements has also been increased. So, just how will GDPR affect the way you process your customer (or client, member or employee) data? The answer depends largely on the nature of your organisation, what you use the data for and how you use it. Key principles of GDPR which will have significant impact on how your handle customer data include:
- Data types
- Basis (reason) for processing data
- Data subjects’ rights
This blog will explore these principles in more detail and look at their potential effect on how organisations process customer data.
Accountability is a fundamental principle of GDPR. According to the website of the Information Commissioner’s Office (ICO), organisations need to demonstrate they comply with GDPR by putting into place “comprehensive but proportionate governance measures” that protect personal data and minimise the risk of a data leak. The accountability principle will guide how you process all your customer data, and some processes that were previously just good practice will become legal requirements under GDPR.
Types of data
GDPR focuses primarily on two types of data: personal data and sensitive personal data. Personal data is defined as any data that can identify an individual, for example, a name, an ID number, location number or online identifier. Sensitive personal data is a separate, special category which includes genetic and biometric data which could be used to uniquely identify an individual. Criminal convictions and offences aren’t included in the sensitive personal data category, although other conditions apply to their processing.
GDPR applies to both automated (electronic) data and manual records which contain data, such as paper files. Personal data that has been ‘pseudonymised’ (given additional protection, such as key-coding) can also come under GDPR jurisdiction. Identify which type of data you handle – it could be both- and familiarise yourself and your teams with the GDPR requirements of that category.
Basis for processing
Basis for processing is another very important aspect of GDPR that will heavily influence how you handle data. GDPR stipulates that every organisation needs a valid, lawful reason for processing personal data. This reflects the current Data Protection Act which also says that certain ‘conditions for processing’ need to be satisfied for data to be processed. GDPR recognises six lawful reasons for processing. These are:
- Legal obligations
- Vital interests
- Public tasks
- Legitimate interests
For every bit of data processed you must decide which lawful basis applies. This should be established before processing the data, and you should think carefully as it is bad practice to change the lawful basis later. To process ‘special category’ data (data that GDPR classes as more sensitive and in need of more protection), you must have both a lawful basis and satisfy an additional GDPR condition.
Gaining consent from data subjects in a way that meets certain criteria is a very important part of GDPR. Individuals must be given choice and control over, firstly, if their data is used, and secondly, how it is used. For example, people can opt-in to receive emails to a greater or lesser extent or choose not to receive emails at all. GDPR does not allow pre-ticked consent boxes or other methods of ‘consent by default’; a ‘positive opt-in’ from every individual is required. Organisations should also make it clear how to withdraw or refuse consent and make this an equally easy process. For additional clarity and transparency, consent requests and information should be kept separate to other website terms and conditions.
The revised regulations around consent actually present businesses and other organisations with a great opportunity to enhance their reputation and strengthen their relationship with customers, clients, employees or members. Businesses, for example, will benefit from positive opt-in because the result will be a more engaged and receptive email marketing list made up of potential customers who have deliberately chosen to receive marketing communications.
The first step in making sure your consent processes are compliant is to review them. If they don’t meet the new standards, making the changes outlined above is a good first step towards GDPR compliance regarding consent.
Data subjects’ rights
GDPR grants certain rights to data subjects to help protect their privacy and data. All data subjects have the following rights:
- The right to be informed – individuals have the right to be informed about the collection and use of their personal data
- The right of access – individuals have the right to access their personal data and supplementary information
- The right to rectification – individuals have the right to have inaccurate personal data rectified or completed if it is incomplete
- The right to erasure – individuals have the right to have personal data erased
- The right to restrict processing – individuals have the right to request restriction of their personal data
- The right to data portability – individuals have the right to obtain and reuse their personal data for their own purposes
- The right to object – individuals have the right to object to processing of their data for certain purposes and direct marketing
- Rights related to automated decision making and profiling – GDPR has provisions on automated individual decision making and profiling
These rights will influence all your data processing activity. More information on data subjects’ rights can be found here.
The principles above will undoubtedly have an impact on how you handle data, and while they may seem overwhelming at first, a few simple changes can help your organisation demonstrate a desire to be GDPR-compliant. If you would like further information on GDPR and how Core can help your organisation, contact us today. From free GDPR events to a full compliancy assessment and report, we can put you on the path to GDPR compliance.