
GDPR The FAQs


 

GDPR – the frequently asked questions!

It’s been some years since the General Data Protection Regulation (GDPR) came onto the scene, replacing the outdated Data Protection Act 1998, which previously set out businesses’ obligations when it comes to personal data.
So let’s start at the very beginning: GDPR relates to the processing of personal data. Processing here means doing more or less anything with personal data. This includes storing the data, using it to contact people, using it to make decisions about people, keeping notes about a client, using the data to receive payments; the list goes on. And what do we mean by personal data? Personal data is any information that relates to a living person. This could be photographs, personal email addresses, their name, their address, notes about someone, bank information, criminal records, and anything held in a database under their name or other identifying information.

So if you at any point in your business use any living person’s personal data, GDPR needs to be on your mind.

We work with clients who are building the foundations of a business, and so get a lot of questions about GDPR. This is welcome, as the early stages of a business are the best time to start thinking about how you can make data protection a priority.
 
If you’re looking for some resources to help you quickly understand what’s involved, a good starting point is this guide from Simply Business, and if you really feel up to it, the ICO’s official guidance. You can also find a speed read that I’ve drafted here!
 
Here are some of the more common questions:

Do I need to register with the Information Commissioner’s Office (ICO)?
Sometimes businesses need to register with the ICO and pay a data protection fee. For most organisations it costs between £40 and £60, though it can be as high as £2,900, depending on your business’ size and turnover. Some organisations are exempt, and non-profit organisations will only pay £40 regardless of their size and turnover.
You may be exempt from this fee; it depends on factors such as whether you use CCTV, whether you process data electronically and whether you decide what is done with the data or process it under the strict instruction of another organisation (i.e. whether you’re the Data Controller or the Data Processor). If you’re not sure whether or not you have to pay this fee, the good news is there’s an online test you can take here!
 
Does GDPR just apply to my customer’s data?

No, it also applies to anyone in your organisation, for example any employees you have, are looking to employ, or have employed in the past, whose data you’re processing.
 
Do I need permission from my customers to use their data?
The answer to this question is a bit complicated, but most of the time the answer is no. It all depends on what legal reason you’re using to process the data. Here are the 6 reasons you can use:
·       Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (the definition of consent has been changed to mean a clear affirmative action or statement)
·       Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
·       Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
·       Vital interests: the processing is necessary to protect someone’s life.
·       Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
·       Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
If the reason you’re using is consent, then yes, you will need your customers’ consent and must keep records of it. However, there are also other legal reasons you can use; consent is the one to use when none of the others apply.
Not sure what reason you should be using? Good news, there’s an online tool you can use here!
 
What if I use another company who does all the data processing?
If you’re using another company to process data on your behalf, it’s your responsibility to make sure that company is GDPR compliant. For example, if you use a shredding company to shred confidential documents, it’s your business’ responsibility to check they’re compliant.
 
What about if the data I’m using is available freely online? Does that still count?
GDPR still applies to personal data that is freely available online or in public places. For example, if you found someone’s email address online and processed it in any way, such as storing it, you would still need to do so in a GDPR compliant way, making sure the processing is transparent and the data subject is aware of what is being done with their data.
 
What should I do if a customer asks for their data?
If you have someone’s personal data stored, whether they’re a customer or an employee, they have some rights concerning their data. One of them is called the “right of access”, which means they have the right to access any data you may hold about them. This request for data is called a “subject access request”; it can be made verbally or in writing, and to any member of your organisation. Once you’ve received one of these (and you’ve confirmed the identity of the person making it) you have a month to respond to the request and provide them with the data they are requesting. One very important point here: if someone makes a subject access request, and you delete their data between them asking and you supplying it, you risk breaking the law.
 
So those are some of the most common questions that get asked regarding GDPR. Making sure your business is GDPR compliant can seem a bit overwhelming, but if you approach it in a methodical way, and seek advice where you need it, you can do it!


 
General Data Protection Regulation (GDPR) Speed Read

Definitions
Data Controller: a controller determines the purposes and means of processing personal data.
Data Processor: a processor is responsible for processing personal data on behalf of a controller.
Data Subject: the person whose data is being processed.
Data breach: A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

What’s new with GDPR?
New definition of “personal data”
This now includes any information that directly or indirectly identifies a natural (living) person.
Further considerations are also needed for “special data”, which includes data about criminal offences, sexual orientation and biometric data.
New increased penalties
Penalties for non-compliance are up to EUR 20m, or 4% of turnover (whichever is higher)
Data Subject Rights
GDPR outlines rights held by Data Subjects, which need to be accommodated, where applicable, free of charge within 1 month. Further info on these rights can be found here.
·       Right to be informed (to know what is done with their data and why)
·       Right of access (the right to access data held on the Data Subject)
·       Right to rectification (to correct inaccurate data)
·       Right to erasure (aka Right to be Forgotten)
·       Right to data portability (the right for data to be provided in a secure usable format)
·       Right to object (objecting to the use of personal data)
To collect and process data, you now need to pre-emptively determine and document at least one valid lawful basis.
Here are the 6 lawful bases available:
·       Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (the definition of consent has been changed to mean a clear affirmative action or statement)
·       Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
·       Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
·       Vital interests: the processing is necessary to protect someone’s life.
·       Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
·       Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Privacy by Design
You must demonstrate that privacy considerations are incorporated into early stage design of processes within the organisation. (more information here)
Changes to consent definition
Gaining consent to process personal data is harder under the GDPR, requiring a positive affirmative action, and consent must be as easy to withdraw as it is to give. However, consent is just one of six “lawful bases” you can use to justify the collection and processing of data (more info here).
Collecting data from young people
If you are collecting data from people under 16 years old, you may need to have parental consent. (more info here).
Mandatory breach reporting
Data controllers are now legally required to inform the ICO of a data breach without undue delay and within 72 hours. You must also keep records of data breaches. (more info here)
Privacy Policies

Privacy policies will need to be updated to include further information regarding how data subjects’ data will be processed as well as your lawful basis for doing so. These policies must be in plain English, especially if collecting data from people under 16 years old. (more info here)
Processor and Controller liability
Controllers are now responsible for making sure their processors are compliant, resulting in more stringent legal agreements between processors and controllers. (more info here)
Changes to required documentation (more info here)
You not only need to be able to comply with the new regulation but also need to be able to demonstrate that you comply. This was not required to the same extent under the Data Protection Act and will require you to produce a series of new documents, including the following:

Records of processing activities
For Data Controllers these documents include:
1) Name and contact details of the controller
2) the purposes of the processing
3) a description of the categories of data subjects and the categories of personal data
4) the categories of recipients who the data have been or will be disclosed to
5) (where applicable) transfers of data to a third country or international organisation
6) (where possible) envisaged time limits for erasure of the different categories of data
7) (where possible) a general description of technical and organisational security measures
Records of consent
Where consent is used as a lawful basis, records of this must be kept.
Records which demonstrate data security
Documented processes for protecting personal data (security policy etc.)
Privacy Impact Assessments
These are required for high-risk processing, and must be carried out when using new technologies. More information can be found here.

 

