Director’s Toolbox: GDPR and Data Protection
The law applies to any “processing of personal data” and encompasses the activities of most businesses and organisations, whatever their size.
The Information Commissioner’s Office’s website www.ico.org.uk describes data protection as ensuring people can trust an organisation to use their data fairly and responsibly. Therefore, anyone who collects information about living individuals for any reason other than their own personal, family, or household purposes, needs to comply.
Personal data covers paper records if they are in an organised filing system or stored into a digital format, of customers, employees, partners, members, supporters, business contacts, public officials, or members of the public. It does not cover anonymous information that cannot be used to identify someone.
Important to note is that the law captures processing, which is almost anything you do with data, including collecting, recording, storing, using, analysing, combining, disclosing, and even deleting it.
Most businesses should by now be used to the concepts of data protection and the rights it affords to data subjects.
The seven key principles under UK GDPR require data to be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date
- kept for only as long as is necessary
- processed in a manner that ensures appropriate security and protection against unauthorised processing
- stored in an accountable manner – the data controller must be able to demonstrate compliance with the principles
Failure to comply with these principles could be a costly mistake. The DPA states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or four percent of a business’ total worldwide annual turnover, whichever is higher.
In addition to GDPR, when processing data for marketing purposes, organisations need to also comply with the Privacy and Electronic Communications Regulations (‘PECR’). These apply if you send electronic marketing messages either by phone, fax, email or text; it also includes using cookies, or providing electronic communication services to the public. There is some overlap, so compliance with PECR will help you comply with the UK GDPR and vice versa.
However, one major difference is that the PECR applies even if you are not processing personal data, since some rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting for marketing purposes.
So, as you have probably realised, the rules surrounding data protection and PECR, and how these provisions inter-relate are detailed, and in some cases, complex. Bear in mind also that this article only relates to processing of data in the UK; further regulations and requirements apply when processing data abroad.
If you want to find out more, there is a lot of guidance available via the ICO’s website, or a lawyer specialising in data protection will be able to assist you with your business’ specific requirements, to ensure compliance with data protection and PECR.
It is important to note that compliance cannot be underestimated. Many businesses have been irreparably damaged, suffered large fines or had to settle claims due to their failure to value their customers’ personal data; all of which can be avoided or reduced by implementing good data processing hygiene.
If you would like to discuss data protection or PECR in more detail, please contact Tracey Dickens, Partner at Birkett Long LLP E: email@example.com T: 01206 217326
Some detail within this article is taken directly from the ICO’s website
Five key practical considerations for data protection
By Lenitha Bishop, The DPO Centre
The GDPR regulations aim to give individuals more control over their personal data by granting them a number of rights, and placing stringent obligations on organisations to ensure that they protect the personal data they process.
The DPO Centre (dpocentre.com) exists to reduce the burden of complying with data protection laws and to enable organisations to use compliance as a differentiator that increases organisational value. It supports organisations to establish and maintain robust privacy frameworks, and delivers the knowledge and experience required to understand the risks, improve trust and increase customer and stakeholder engagement.
Below, The DPO Centre lists five key considerations for every organisation when dealing with personal data.
Data subjects have the right to know about the processing of their personal data. It is essential, therefore, that organisations have a comprehensive Privacy Notice, which is easily accessible and clearly outlines information, including what personal data they are processing, for what purposes, how long they are storing it for, and who they are sharing it with. Organisations have to be honest and clear with all data subjects, including customers, employees, job applicants and suppliers. By being transparent in the first instance, organisations can often avoid complaints.
2. Know your data
Before any organisation can put together a comprehensive data protection strategy, it is important to be clear about:
- What categories of personal data you process
- Why / for what purposes you process it
- Who has access to it
- How long it will be kept for
Data mapping helps organisations understand how they process personal data, enabling them to identify risks which can then be managed.
3. Less is more
The less personal data you store, the less you have to lose or be compromised in a data breach. Furthermore, storing only the minimum amount of personal data makes it far easier and less time-consuming to deal with Data Subject Access Requests (DSARs), with less information to retrieve, review, redact and disclose to data subjects. Organisations need to remember that they should not collect data on a ‘just in case’ basis and a retention policy and schedule is vital.
4. Individual rights
The UK GDPR grants data subjects a number of rights including the right of access, erasure, and rectification, to name but a few. It’s important to fully understand these rights and ensure that staff are sufficiently trained in how to recognise a request, as well as deal with them within the one calendar month timeframe.
5. Non-compliance impacts finances and reputation
Outside of financial fines, the biggest risk facing most companies is the reputational damage caused by non-compliance. Non-compliance damages trust, as data subjects no longer tolerate the misuse of their personal data. Therefore, complying with data protection requirements, and demonstrating this through the UK GDPR’s various accountability obligations, is essential for maintaining data subject trust, as well as avoiding fines.