The data protection laws in the UK were in place since 1998, and considering the changes in technology since then, they were in much need of an overhaul. In the UK, we relied on the Data Protection Act 1998 (“DPA 1998”), which was enacted following the 1995 EU Data Protection Directive to protect personal data, but this has now been superseded by the new legislation.
The General Data Protection Regulations (“GDPR”) are EU legislation that has been created a uniform framework across Europe and came in to force as of the 25th May 2018. It has been clarified that Brexit will have no effect on this coming in to force, and the government is has now approved a new Data Protection Act 2018 (“DPA 2018”) to replace the 1998 one in its entirety.
The old data protection laws protect personal data, and the new GDPR and DPA 2018 can be seen as an evolution of this legislation. Your business was already subject to the DPA 1998 and will continue to be subject to the new GDPR and DPA 2018 as they take effect.
What is GDPR
The EU is keen to ensure that people have more control over how their personal data is used, especially considering that many companies like Facebook and Google swap access to people's data for use of their services. The DPA 1998 was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
The EU also aims to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
In short, GDPR:
- Widens the personal data definition
- Increases the fines for breaches
- Enhances an individual’s rights
- Imposes restrictions and obligations on both controllers and processors
Who does it apply to?
The DPA 2018 applies to anyone who controls and/or processes personal data.
- say how and why personal data is processed
- DPA 2018 imposes further obligations on controllers to ensure that contracts with their processors For instance, where you use the services of a supplier, such as a payroll company you use, your business is obligated to ensure that that payroll company is complying too.
- Your business will be considered data controllers due to the information it holds on its staff and
- act on the controller’s behalf
- As implied above, for your business, this would include suppliers like payroll, accountants, software suppliers, even office cleaning subcontractors or maintenance staff, and so
- All processors are required to maintain records of any personal data and processing activities they conduct; If processors are involved in a data breach, they are far more liable under the new laws than they were under the Data Protection
- Bear in mind, that your business may also be a data processor where it processors data on behalf of a customer or staff
What information does it apply to?
The DPA 2018 specifically focuses on Personal Data (including sensitive data) and enhances the definition in the DPA 1998. It now applies to any data that can identify an individual, such as:
- Name, address, telephone number
- Unique IP address
- Online personal identifiers
- Reference number / account number
- Health records
It also applies to sensitive categories of data, including:
- Data about children carries specific protections under the GDPR
The DPA 2018 doesn’t just apply to electronic data, but also any manual filing systems; any data that can be accessible according to specific criteria.
For your business, data it holds on its staff, customers and marketing contacts will all be covered by the new laws.
Archive / Storage
Your business will need to review what data it currently stores (electronically or in paper form). If that data is not being used for a specific purpose or kept for a legal reason, then it should be deleted or destroyed.
Your business must be able to show HOW you comply with the data protection principles. Data must be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specific, explicit and legitimate purposes
- Adequate, relevant and limited to what’s necessary
- Accurate and kept up to date (no delays to rectifying inaccurate data)
- Kept in a form which permits identification for no longer than is necessary
- Processed in a manner that ensures appropriate security, including protection from unauthorised or unlawful use, accidental loss, destruction or damage
Reason for Processing
Your business will need to identify the lawful basis for your processing activity. Depending on your business’ reason for processing the personal data, the individual’s rights will be modified and what needs to be done in order to comply will alter. For instance, an individual has stronger rights to have their data deleted where you use “Consent” as your lawful basis for processing.
The lawful reasons are:
- For the performance of a contract, or in order to enter into one
- Your business may rely on this for the services being provided to clients
- Where individuals have PAID to use an application or database or PAID for articles/information from your business, then there is a contract in
- Compliance with a legal obligation
- Your business can rely on this for complying with their legal obligations, such as Auto-Enrolment, or storing data for a specific retention period as required by law
- Protect vital interests of the individual
- Performance of a task for public interest or under official authority
- Legitimate interests of the controller, except where those interests are overridden by the individuals interests, rights or freedoms
- For matters where your business needs to store, use or otherwise process personal data as part of running its business, it can rely on this
- Consent is a big area and will cover any personal data being processes that solely relies on the consent of the
- Your business would need to comply with the consent obligations where it relies on individual registering for marketing updates or
- Consent would also be needed for those who register to use the free version of an application or product you provide.
Your business will need to carefully review how it seeks, records and manage consent, and if they don’t meet the new standards and requirements, it may need to refresh them.
Consent must be:
- Freely given, specific, informed and unambiguous
- Must be a positive opt-in (consent cannot be inferred from silence, pre-ticked boxes or inactivity)
- Separate from other terms and conditions
- Simple for people to withdraw their consent
Where individuals have not physically ticked an opt-in box to receive a regular newsletter or marketing emails, you should contact them and confirm whether they wish to continue receiving them. If they do not or they do not respond, then you must delete their contact details.
Individuals have always had rights when it comes to their personal data, however, the GDPR and DPA 2018 enhances those rights. They have the right:
- To be informed of what data you hold on them and why
- Of access to their data
- Any request must be complied within 30
- You need to consider how accessible the data is and how easy it is to pull it all
- Information you provide must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to children
- Free of charge
- If any information is incorrect, you must rectify the issue and also inform any data processor or controller of the
- Erasure or to be forgotten
- Restrict processing
- Data portability
- To object to the reason of holding the data
- Not be subjected to automated decision-making, including profiling
When you collect personal data, you currently have to give people certain information (usually using a privacy notice), the DPA 2018 will make some additions to this and it must include:
- Identity and contact details of data protection officer
- Purpose of processing / lawful basis of processing
- Categories of personal data processed
- Recipients of the personal data if passed to a third party for processing
- Transfer details to third country and safeguards
- Retention periods
- Existence of the data subject’s rights
- The source of the data (where not directly from the data subject)
- Whether the provision of personal data forms a part of a statutory or contractual requirement or obligation, and consequences of failing to provide it
Data Protection Impact Assessments (DPIA)
GDPR makes an express legal requirement to use of DPIA’s mandatory in certain circumstances (where there is a high risk to individuals):
- Where new technology is being deployed
- Where a profiling operation is likely to significantly affect individuals
- Large scale processing of special categories of data
- Large scale, systematic monitoring of public areas (e.g. CCTV)
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
International Data Protection
If your business operates in more than one EU state, you must determine your lead data protection supervisory authority and document this. This is only relevant where cross border processing takes place.
This is where your main establishment is, or where your central administration is in the EU, or where the decisions about the purposes and means of processing are implemented.
If your business carries out the payroll for an entity outside the UK, then this will need to be considered as to whether your businesses need to be registered with that country’s equivalent of the ICO (UK’s regulatory body).
Another restriction under the GDPR requires that any foreign (non-EU) business who is processing data for your business (i.e. where personal data is being transferred to a country outside of the EU) must also comply with the GDPR or provided adequate safeguards to ensure the protection of that data.
The ICO (Information Commissioners Office) is the public body who manages the data protection register. If your business is currently registered, the registration fees will be changing (from the current £35 per annum) to:
- Tier 1 - small-medium business less than 250 employees with a turnover less than £50million pa AND who holds less than 10,000 records of personal data = £55
- Tier 2 - small-medium business less than 250 employees with a turnover less than £50million pa AND who holds over 10,000 records of personal data = £80
- Tier 3 – large business having over 250 employees, with a turnover of over £50million pa = £1000
- Direct marketing Top Up – companies who carry out electronic marketing activities as part of their business = plus £20
Your business should have procedures in place to detect, report and investigate (including risk impact assessments). Some organisations are already required to notify the ICO when they suffer a breach, but the DPA 2018 introduces a duty on all organisations to report certain types of data breaches to the ICO, and in some cases, to individuals as well.
When the breach is likely to result in a risk to the rights and freedoms of individuals, e.g. discrimination, reputational damage, financial loss, loss of confidentiality, or other significant social or economic disadvantage, then you must notify the individual/ICO within 72 hours (of becoming aware).
The ICO can choose to fine the organisation for the breach; at present the maximum fine is £500k, the GDPR allows them to fine up to €20 million or 4% of your global turnover.
A cyber breach includes breach of security, includes the destruction, loss, alteration, unauthorised access/disclosure – its more than just losing data or mislaying it – and can result in a data protection breach as well. If the breach has occurred due to a cyber attack, this could also be subject to additional fines for not having adequate procedures in place to protect against such attacks.
What does your business need to do?
1. What information do you hold?
- Conduct a basic data audit and assess what personal data you hold, what type of data it is, where it is stored
- DPA 2018 requires you to maintain records of your processing
- For instance, if you store inaccurate information which has been passed to another company, you must be able to notify
2. Policies & Systems
- You must be able to show that you are complying with data protection principles by having effective policies and procedures in place, including detecting, investigating and reporting a breach, providing information on request, adequate retention periods
3. Who has access to the data?
- Restrict data access to those who actually need
4. Where do you get your data from?
- Did the data you hold come from a third party or the individual If an individual, have you got valid consent? If a third party, have they got consent from the individual? Where do they get their data from?
5. Who do you share the data with?
- Who are your third-party processors? Do your contracts with them adequately protect the personal data? What are their data protection policies?
6. Privacy Notice update and distribute
- Update your business privacy notice; distribute it via your website and to clients/customers and staff as necessary.
- This has recently been updated based on the guidance we have been provided to
7. Consent update
- Check your business has valid consent from all individuals where processing their data relies on consent, e.g. marketing newsletters etc.
Further information and guidance can be found on the Information Commissioner’s Office website: www.ico.org.uk.