Note that while all the following gives info on GDPR, your own legal counsel will give you the best compliance advice for your specific situation. As much as we’d love to help answer legal questions, we’ll stick to what we know best: Websites and Marketing. In addition, while the information helps to enable compliance, there’s no one-size-fits all solution. Every circumstance is different. Ultimately, it’s up to you and your team to determine what compliance looks like to your business.
GDPR is the new European regulation to improve protection and transparency over personal details. It comes into effect on 25 May 2018.
For any personal data you’ve processed, you must be able to say where you got it from, when you got it and why you have it.
There are six lawful bases under which you may process personal data:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
What is the GDPR
The General Data Protection Regulation (GDPR) was created to give individuals greater control over and privacy in their personal data, and to make that data more secure.
As described on the official GDPR website, it is intended to:
“…empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
Reminder: This comes into effect on 25 May 2018 🙂
Who does it apply to?
It applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU. Where you are based matters less than whose data you process.
Failure to comply can result in a fine of up to €20 million (approx. £17 million) or 4% of global annual turnover, whichever is higher.
What constitutes ‘personal data’
Any information that can directly or indirectly identify an individual. This includes the obvious data such as name, address, phone number and email, but it also covers data that is less obvious yet can still be used to identify someone, such as social media details, online identifiers (IP addresses, cookie IDs, device IDs) and location data.
This applies to any personal data you might store, such as clients, employees, business partners.
It applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria (e.g. chronological sets of manual records containing personal data).
Any personal data you collect has a ‘controller’, who decides why and how it is used, and may be handled by a ‘processor’ acting for that controller.
What are controllers and processors
A controller is the organisation that determines why and how personal data is processed (the purposes and the means; more on the purposes below). The controller is accountable for the processing and must ensure that any processor it uses meets the GDPR requirements.
A processor processes the data on behalf of the controller. Processors are responsible for maintaining records of the personal data they handle and how it is processed, and for securing the data to prevent a breach. They may only act on the controller’s written instructions, and must give the controller the data it requests.
When you’re allowed to process personal data
If you want to process someone’s personal data you need a valid lawful basis to do so. There are six lawful bases that the processing can fall under (detailed below).
For any personal data you process, you must be able to say:
- What data has been processed.
- When you got it.
- What lawful basis it falls under.
In all cases the processing must be necessary. If you could reasonably achieve the same purpose without processing their personal data, the lawful basis will not apply. Here we explain the six lawful bases:
Consent
For this, we’ll take the example of an eCommerce website. Pre-GDPR, when someone places an order they are automatically signed up to your marketing list, you send marketing material via email, SMS and post, and this data is shared with some sister and partner companies.
When the GDPR comes in, this process for adding people to your marketing list will need rectifying to make it compliant. First off, you may not make consent a precondition of service: it must be separate from the purchase. It also may not be buried in your T&Cs. To address this, you would add something like a checkbox for customers to opt in when placing their order.
The opt-in checkbox in your checkout process MUST NOT be pre-ticked. You cannot rely on default or implied consent; people have to positively opt in to your mailing list.
We also mentioned that you contact them through email, SMS and post. You have to be specific about what they’re opting in to and offer granular consent, so one opt-in checkbox for each channel you would contact them through.
If you share their personal data with any third parties (like sister companies), this needs to be clearly stated up front: what you share and who with. You must also make it easy for people to withdraw consent and tell them how, for example by giving them settings on their customer account. Keep a record of each consent (who, what channel, when and where it was given) so you can prove it later.
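The checkout just described, as an added example in Python (this is not code from the original article or from any shop platform). It captures the order data under the contract basis, treats each marketing channel as a separate opt-in that is never defaulted to true, records when and where each consent was given, supports withdrawal, and gates contact (including any hand-off to a partner) on an active consent. The field names `consent_email`, `consent_sms`, `consent_post`, the `ConsentStore` class and the sample submission in the `__main__` block are assumptions made for illustration; it also serves as a simple record of what was processed, when, and under which lawful basis, as the article asks for.

```python
"""Consent capture and processing record for a checkout form.

Added example, not from the original article. Assumes a hypothetical
checkout form posted as a dict of field name -> string.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Marketing channels the shop uses; each needs its own, separate opt-in box.
CHANNELS = ("email", "sms", "post")
# Personal data each channel needs (assumed field names).
CHANNEL_DATA = {"email": ("email",), "sms": ("phone",), "post": ("name", "address")}
# Personal data needed to fulfil the order itself (lawful basis: contract).
ORDER_FIELDS = ("name", "address", "email")


@dataclass
class ProcessingRecord:
    """Answers: what data, when, where from, why, and under which lawful basis."""
    subject_id: str
    data_fields: Tuple[str, ...]
    obtained_at: datetime
    source: str
    purpose: str
    lawful_basis: str


@dataclass
class ConsentRecord:
    subject_id: str
    channel: str
    given_at: datetime
    source: str
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentStore:
    processing: List[ProcessingRecord] = field(default_factory=list)
    consents: List[ConsentRecord] = field(default_factory=list)

    def capture_checkout(self, subject_id: str, form: Dict[str, str],
                         now: Optional[datetime] = None) -> List[str]:
        """Record the order and any marketing opt-ins; return channels consented to."""
        now = now or datetime.now(timezone.utc)
        # 1. The order: needed to deliver it, so 'contract', no consent required.
        self.processing.append(ProcessingRecord(
            subject_id, tuple(f for f in ORDER_FIELDS if f in form), now,
            "checkout form", "order fulfilment", "contract"))
        # 2. Marketing: a browser only submits a checkbox field when it was
        #    ticked, so a missing field means no consent. Nothing defaults to
        #    True, and accepting the T&Cs (accept_terms) is deliberately ignored.
        granted: List[str] = []
        for channel in CHANNELS:
            if form.get(f"consent_{channel}") == "on":
                self.consents.append(ConsentRecord(subject_id, channel, now, "checkout form"))
                self.processing.append(ProcessingRecord(
                    subject_id, CHANNEL_DATA[channel], now, "checkout form",
                    f"marketing by {channel}", "consent"))
                granted.append(channel)
        return granted

    def withdraw(self, subject_id: str, channel: str,
                 now: Optional[datetime] = None) -> bool:
        """Withdraw an active consent; returns False if there was none to withdraw."""
        now = now or datetime.now(timezone.utc)
        changed = False
        for c in self.consents:
            if c.subject_id == subject_id and c.channel == channel and c.active:
                c.withdrawn_at = now
                changed = True
        return changed

    def may_contact(self, subject_id: str, channel: str) -> bool:
        """Gate every marketing send, and every hand-off to a partner, on active consent."""
        return any(c.subject_id == subject_id and c.channel == channel and c.active
                   for c in self.consents)

    def audit(self, subject_id: str) -> List[dict]:
        """Everything processed about one person, for access requests and audits."""
        return [vars(r) for r in self.processing if r.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed sample submission: email opt-in ticked, SMS and post left unticked.
    store = ConsentStore()
    sample = {"name": "A. Customer", "address": "1 Example Road", "email": "a@example.com",
              "phone": "07000000000", "consent_email": "on", "accept_terms": "on"}
    print("granted:", store.capture_checkout("cust-1", sample))
    print("email ok:", store.may_contact("cust-1", "email"), "sms ok:", store.may_contact("cust-1", "sms"))
    store.withdraw("cust-1", "email")
    print("email ok after withdrawal:", store.may_contact("cust-1", "email"))
```

The key design choice is that consent is a positive, per-channel record with a timestamp and source, rather than a boolean on the customer row: that is what lets you answer “when and how did this person agree?” and honour a withdrawal without losing the history.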
Contract
You may process someone’s personal data to fulfil contractual obligations to them. If someone places an order through your website, you need to process their data to deliver and fulfil that order.
You may also process their data when they have asked you to do something before entering into a contract, such as requesting a quote for a custom product; you need to process their data to contact them and provide the quote.
Legal obligation
This applies if you need to process personal data to comply with a common law or statutory obligation (it does not cover contractual obligations).
You should be able to identify either the specific legal provision or an appropriate source of advice that clearly sets out your obligation, such as disclosing employee salary details to HMRC.
Vital interests
You can process personal data to protect someone’s life. For example, if someone is admitted to hospital with serious injuries, their medical history is necessary to protect their vital interests.
You may not rely on vital interests for health data or other special category data if the individual is capable of giving consent.
Public task
This is mostly relevant to public authorities, but it can also apply to organisations that have official authority to carry out tasks in the public interest.
You can process personal data in the exercise of official authority. This covers public functions and powers that are set out in law.
Legitimate interests
This is the most flexible lawful basis, but you must not assume it is always the most appropriate. The interests can be your own or those of third parties, and can include commercial interests, individual interests or broader societal benefits.
When processing data under legitimate interests, there are three elements you need to think about. You need to:
- Identify a legitimate interest.
- Show that the processing is necessary to achieve it.
- Balance it against the individual’s interests, rights and freedoms.
This basis applies where people would reasonably expect their data to be processed, or where there is a compelling justification for processing it. However, if they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override yours.
Whenever you rely on legitimate interests, you must include details of those interests in your privacy notice. In all cases, keep a record of your legitimate interests assessment (LIA) so you can demonstrate compliance if required.
The processing must also be necessary. If you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply.
What users can ask of you
Any personal data you process belongs to a ‘user’ (the GDPR calls them the data subject). Under the GDPR a user has the following rights over the data you’ve processed about them:
- The right to be informed
- The right of access to their information
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
As we mentioned before, for any personal data you process, you must be able to say what data has been processed, when you got it and what lawful basis it falls under.
Failure to do so could end up being costly. There’s still time to make changes before 25 May 2018.
What you need to do going forward
- For any data you collect, know where you got it, why you have it and the means of processing it (know which lawful basis you rely on for collecting it).
- Review everywhere you collect personal data and update it to comply with the GDPR (e.g. update your website forms).
- Make sure you have a written agreement/contract in place with your processor that sets out their responsibilities and ensures they meet the requirements of the GDPR.
- Let people know what data you will collect from them and what it will be used for.
- For data you already hold on the basis of consent, notify the people concerned, update your records and confirm their consent to you having it.
- Document what you’re doing to comply with the GDPR and be able to prove it where it’s not self-evident. Educate your teams on privacy and data protection by design.
- Have a plan in place in the event of a data breach.
- Ensure any personal data you keep is stored securely.
- If you act as a processor, only change or use the data on written instructions from the controller.
- Have a process in place for processing personal data, which includes keeping records of processing activities.
- Ensure that people processing the data are subject to a duty of confidence (the personal information is kept confidential and won’t be used for the benefit of unauthorised persons).
- Put a plan in place for updating, deleting, pausing etc. the data you have.
- Be ready to submit to audits and inspections by providing the data to the controller or the supervisory authority.
- Publish a privacy notice that tells people, as a minimum:
  - What personal data you collect
  - Why you collect it
  - What you do with it
  - How long you keep it
  - Their rights regarding their personal data
This is a minimum. If you do other things, such as profiling your visitors for marketing purposes, you will need to include that too, as well as giving them an option to opt out of it.
Our thoughts on the matter are that, with 25 May fast approaching, you need to look at getting your house in order. If you have any questions, please don’t hesitate to drop us a message.