August 18, 2017

Get ready for GDPR day

What will the Bill do?

From a technical angle, the Bill will provide for the repeal of the Data Protection Act 1998 (DPA) and incorporate the EU General Data Protection Regulation (GDPR) and related UK exemptions into UK law.

Arguably, such a Bill is not necessary as the GDPR will apply directly in all member states from 25 May 2018 and does not need legislation to implement. However, as there are some UK law exemptions from the GDPR, and given the backdrop of Brexit, it is understandable the Government has decided to publish the Bill to embed the GDPR in our legislation.

The Minister of State for Digital, Matt Hancock, commented that the Bill will "bring our data protection laws up to date". He added that "the Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive."

How easy is it for businesses to comply?

For businesses that are already compliant with the DPA, the new requirements under the GDPR are likely to be relatively easy to achieve.

However, it is widely recognised, particularly by the Information Commissioner’s Office, that compliance with the DPA has been patchy. That is why, for many businesses, we recommend a detailed review of your processes and contracts. Not complying with the GDPR is a gamble you don't want to take. Failure to comply carries eye-watering sanctions, such as fines of 4% of global annual turnover or €20 million, as well as potential bad publicity, which could affect your organisation’s reputation.

In our previous post on the GDPR, we have already provided an overview. For those who love a bit of law with their cornflakes or espresso, here’s where you can find the hard stuff (i.e. the Regulation itself). But for speed readers, here are some tips I can share with you as to how you can start getting your business in line for GDPR day:

Understanding what personal data is

Let’s not get mixed up with data which might be a software program or generated by software. This may well be data which is confidential and protected by copyright or database rights, and therefore important and something you would not wish to disclose, but it might not be personal data.

In the data protection world, we’re talking about data that relates to living individuals, for example their name, an identification number, location data, or anything else that can identify them online. I'm often asked, does this include email addresses? Emphatically yes. IP addresses, cookie identifiers and other identifiers like RFID tags? Again, yes. Genetic data, biometric data and data which was previously known as “sensitive personal data” (such as ethnic origin data) is also personal data, but it is subject to additional stringent safeguards.

Mapping personal data flows

A good second step for getting in line with the GDPR is working out where your personal data comes from and goes to. This is a bit like an audit, but on a smaller scale.

In particular consider the following:

- employee data
- customer data
- prospect data
- supplier data.

Bear in mind that, in relation to any business you deal with, we’re not talking about the name of that business, but the contacts that you have at those businesses and how you deal with that personal data.

Map your data flows so that you can see what your personal data’s routes are. In other words, create an infographic setting out the “pools” of organisations you deal with (e.g. customers, suppliers) and where that data is going.

For your employees, this might be as simple as them providing you with their personal data, and you processing it for payroll and HR purposes.

What contracts do you have in place?

When you have mapped your data flows, consider whether you have contracts in place which govern the processing of that data.

Such contracts would include:

- Contracts with your suppliers governing how they provide personal data to you, if that is what they are doing. Equally it might be the other way round – your supplier might be providing a service to you, based on personal data you are providing to them. An example would be a company which processes your payroll requirements. The data angle is not the main point of such contracts, but it is the aspect you need to deal with appropriately in light of the GDPR.

- Contracts with your customers setting out what data they are providing to you and what you are going to do with it. For example, if you provide outsourced IT services to your customers, and as a consequence you are naturally going to be obtaining your customers’ employees’ personal data, your IT services agreement needs to cover that angle.

What policies do you have in place?

Take a look at your relevant policies, procedures and privacy notices. This includes the manner in which data subjects (i.e. the individuals to whom particular personal data relates) provide consent to processing and how you record that consent. If you are using your customer’s data to enter into or perform a contract with the data subject, then you can use their personal data for that purpose and that purpose only.

However, marketing to that customer would require specific opt-in consent. Pre-ticked boxes or silence from a customer or a prospect is not consent to processing. Consent requirements are generally covered by privacy policies and these should be reviewed in light of the forthcoming legislation.

Sounds easy? Next steps?

Learn more in person: click on the links below to attend a GDPR seminar at our offices on the following dates:

Our Bath office - Tuesday 3 October 

Our Oxford office - Tuesday 17 October
