November 21, 2017

Dispelling the GDPR myths

Myth 1: If you’re compliant with the Data Protection Act 1998 you’re okay.

Not quite. If you’re compliant with the DPA 1998, it's an excellent start to your compliance journey. However, GDPR is bringing about some big changes that businesses need to be aware of, even if to date you have been compliant with the DPA 1998. Therefore, it is a good idea to revisit your compliance toolkit, map your data flows, and look at your privacy policies and contracts.

Myth 2: It’s just an HR problem.

No, it really isn't. We're aware that HR teams have been tasked with the management of GDPR, but it is more accurate to say that the issues broadly fall into two camps, as follows:

Business issues

The business issues cover the management of personal data from individuals, whether those individuals are your customers, your prospects, your donors, your members, or your suppliers. Bear in mind we are talking about personal data, so it is not a company name (for example), but the name of a person at the company/organisation.

The business issues also cover the dissemination of personal data that you gather. So for example, are you transferring personal data to IT providers, cloud providers or insurance companies to provide services? The dissemination of such personal data needs to be managed through a data processing contract or data processing clauses in another contract.

HR issues

From an HR perspective, organisations need to consider two angles:

(i) Employee data:

Organisations will be processing employee data which includes data collated as part of the recruitment process right through the employment lifecycle and beyond. The type of data will be wide-ranging but is likely to include things such as identification, contact details, medical information, DBS checks and bank details.

All employee data needs to be processed in accordance with the principles of GDPR. This includes establishing a lawful basis for processing the data, not collating or keeping data without good cause and ensuring that you inform candidates and employees of the purposes for which you are processing their data.

(ii) Employees handling third party data:

It is likely to be your employees who are handling your third party data on a day-to-day basis and, therefore, it will be your employees who ensure that your business either complies or fails to comply with the GDPR requirements.

Employment contracts, policies and internal rules may therefore need to be updated to make the obligations clear. Employees will need to be provided with information and training to ensure they know what they are required to do and what the consequences of not doing so will be. For example, you may want to introduce a policy relating to reporting of GDPR breaches, amend your disciplinary policy and introduce or update your policy in relation to subject access requests.

Myth 3: It’s all about fines.

Fines are going up, without question, increasing to a maximum of 4% of global annual turnover for the most severe breach of GDPR. However, the Information Commissioner's Office has clearly indicated that it prefers a carrot rather than a stick approach, so we are not expecting to see immediate large fines once the Regulation is in force. However, this should not encourage complacency; the ICO will be monitoring how businesses manage personal data (for example through complaints it receives, or proactive investigations it launches) and flagrant disregard will no doubt be addressed.

Myth 4: It’s all about consent.

Not quite. To process personal data, the data controller must have a lawful basis on which it can rely. One of the lawful bases is consent; however, the other key lawful bases are:

  • to perform a contract to which a person is a party
  • to comply with a legal obligation
  • for the legitimate interests of the data controller.

Thus, if you wish to send marketing information to a customer, you will need consent, as there is not another relevant legal basis. However, to use a different example, if you are providing software to an individual under a contract, your lawful basis to process that personal data is to perform the contract.

From an HR perspective, consent is unlikely to be the lawful basis you can rely on for processing employee data. You are more likely to rely on the performance of the contract or a legal obligation. For example, to be able to perform your contractual duty of paying an employee, you will need to process their bank details; and to comply with your legal obligations in relation to health and safety and disability discrimination, you may need to process data relating to an employee's health.

So what happens next?

In our previous blog we provided some tips on what to do now, including mapping your information flows. Having worked out your information flows, consider whether you have the necessary consents for processing that data. Don't forget legacy data, where consents might not have been sought in the past. It is wise to revisit your privacy policy, see whether it covers the personal data and consent collection you require, and obtain additional consents now if they have not previously been obtained.

From an HR perspective, review the employee data you hold and consider the lawful basis for this. Review contracts and policies to ensure you have clearly set out the correct basis for processing and have not just referred to consent. You should also start planning for how you will inform and train your staff about their obligations and review or create policies to ensure the requirements are clear.

Further updates

We will continue our countdown to 'GDPR day' over the next few months. In our next blog, we'll shine the spotlight on the issues around consent: what constitutes consent, how to obtain it and what happens when consent is not given.
