Data protection changed forever with the introduction of the EU’s General Data Protection Regulation. This EU-wide law sets out the legislation organisations must follow regarding how they manage customer data. In this article, we reveal the big changes that will affect your business.
The EU’s General Data Protection Regulation (GDPR) is a piece of EU legislation that strengthens the rights and freedoms of individuals within the EU from a data privacy perspective. It places new obligations on organisations as data controllers and their partner organisations as data processors in the way they handle personal data.
In the UK, the GDPR is read alongside the Data Protection Act 2018, which superseded the Data Protection Act 1998. The DPA 2018 incorporates the main provisions of the GDPR, allowing organisations to devise their data protection infrastructure in line with the GDPR, while reflecting the allowances the DPA 2018 makes for the UK’s national interests.
What this means for businesses is simple: current data protection and privacy policies designed to the standards set out by the Data Protection Act 1998 are now outdated and must be revised to comply with the GDPR. Non-compliance carries huge implications. Aside from fines of up to 4% of global turnover, or £17m, the ICO can impose severe restrictions on a company’s processing activities.
Here’s how the GDPR will change the way you manage your customer data:
Accountability is a key principle of the GDPR. Organisations must now be able to demonstrate their compliance with data protection law by producing, on demand, written policies and procedures reflecting how the business uses personal data. The previous data protection act did not require this level of accountability, so all organisations will need to put proportionate measures in place to create this documentation.
Accountability is one of seven principles of the GDPR, and an on-going principle that all other data protection activity must relate to. If a business activity or process changes, then the appropriate policy must be updated. In other words, it is not lawful to create a policy, claim you are “compliant” and leave it.
The GDPR covers two types of data: personal data, such as names, addresses, location information, age and date of birth; and sensitive personal data, such as racial or ethnic information and data about political, religious, trade union, health, sexual or criminal activity. Biometric and genetic data are new additions to this category under the GDPR; the fingerprint data collected by many smartphones is one example. Sensitive personal data is defined as a special data category and has unique conditions for processing to give it more protection. Which type of data you process will steer your data protection policy in a particular direction.
Data can be either “low risk” or “high risk” and there are specific obligations placed on those who process high risk data.
The main obligation is that a Data Protection Impact Assessment (DPIA) must be carried out before processing that personal data. This is necessary to assess the extent of the threat and to ensure the data is categorised accurately.
In addition to this, you must now also carry out a DPIA whenever processing is “likely” to result in a high risk. This is necessary even where high risk is only “suspected” and where high risk is “unlikely”. It means businesses must carry out DPIAs on a case-by-case basis to identify high risk data, so it may be protected.
This will require the development of a robust data processing process with guidelines, best practices and the building of categories.
There are six legal bases for processing – and consent is just one of these. You will need to identify which is most appropriate for the data and its purpose of processing.
If you identify consent as the legal basis, then you must ensure that the consent you have obtained satisfies the demands of the GDPR, as detailed in Article 7.
If you rely on consent, you should be able to demonstrate that the individual has consented to the processing of his or her data – it is your responsibility to prove this, rather than theirs to prove you don’t have permission.
Pre-ticked boxes are no longer permitted – as this is not classed as a “clear, affirmative action”. The subject has had no real choice here. If your data has been collected using pre-ticked boxes, this data can’t be used for any purpose and must be re-permissioned.
‘Purpose’ is actually a very important point with regards to consent, as all personal data must have a ‘purpose’ under the GDPR. If it does not, it cannot legally be stored for any period of time.
Under the GDPR people have individual rights which they can exercise at any time. You must comply with these on request. Also, you now have a responsibility to make individuals aware of their rights and to make sure there are mechanisms in place to act on these.
The rights are as follows:
1. The right to be informed - Individuals have the right to be informed that their personal data is being collected.
2. The right of access - Individuals have the right to access the personal information your organisation holds on them.
3. The right to rectification - Individuals have the right to have inaccurate information rectified and modified at any time.
4. The right to erasure - Individuals have the right to have the personal information your organisation holds on them erased permanently.
5. The right to restrict processing - Individuals have the right to restrict how you process their personal data (how you use it).
6. The right to data portability - Individuals have the right to request, obtain and reuse the personal data you hold on them.
7. The right to object - Individuals have the right to object to you collecting personal data about them, in part and in full.
8. Rights in relation to automated decision making and profiling - Individuals have specific rights to limit decisions made by automated systems.
These rights will change the way you manage customer data in 2019 more so than any other element of GDPR. They also spell out the steps to cover in your data protection policy: inform, access, rectification, erasure, restrict processing, data portability, objection, and how your business handles processing and profiling.
Suffice it to say, data protection in 2019 is a very different proposition to previous years, but it isn’t an unscalable mountain.