I guess it’s some consolation that the term ‘GDPR’ will probably phase out in a year or so when the UK’s new Data Protection Act will become synonymous with data privacy. But fear not, the current hype and hyperbole will continue as the new Act will encompass all of the GDPR (with some derogations) as well as the European Law Enforcement Directive and other ‘secret squirrel’ stuff! The UK will suffer the ignominy of being classed as a ‘Third Country’ and will require to be assessed as adequate in Data Protection in order to process EU citizens personal data, hence enshrining the GDPR in UK law. So, having established that the regulation is not just a passing phase, we might as well take a look at what it means to be compliant.
The important touchstone here is the 6 plus 1 principles of the General Data Protection Regulations (GDPR). Article 5 of the regulations state:
Personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘Legality, Transparency and Fairness’)
Ok then that seems alright, there are 6 lawful purposes for collecting personal data, consent being one and probably the most depended on in commerce, is the pursuance of a contract or to enter into a contract and legitimate interest of the Data Controller. Makes sense after all, how do you expect to conduct business if you have to depend on consent all the time?
According to Recital 60, The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.
Data Subjects need to be informed about why you need to collect their personal data, what you’re going to do with it, how long you’re going to store it and how you are going to protect it; they also need to know this at the time you collect the data, so enter the new Privacy Policy. Please note: Just because you create a new privacy policy, it means nothing if you do not back it up with actions!
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘Purpose Limitation’).
Ever put your business card into a jar at a conference to win a bottle of champagne? I bet you’ve never been surprised that you didn’t win, but I bet you were not surprised to get marketing emails from the company as a result! Well, this can’t happen under GDPR, you casn only use the data for the purposes you stated when you collected it.
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘Data Minimisation’)
Ever signed up to a service and the agreement asked for all sorts of personal data? A data of birth has been asked for when there are no age considerations? Gender or ethnicity questions for products or services? The chances are that the data is being used for profiling purposes and in future this activity requires explicit consent.
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘Accuracy’)
The paperless office much vaunted in the early 80’s really hasn’t happened. Maybe it’s a generational thing but the security blanket of paper copies and the mistrust of computer retained data are still alive and well! Apart from the inefficiencies of having duplicates around the office, there is every probability that paper records are never as up to date as the computer file. Also, the data cleansing of a store room full of paper is a real ‘job for tomorrow’. It’s time to take a deep breath and begin the cleansing journey.
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘Storage Limitation’)
Keeping personal data ‘just in case’ just doesn’t cut it anymore. Data should be retained only for as long as it’s required for the processing purpose. Financial data required by the HMRC for instance, you have no choice, it’s 6 years. New employee starter information? That’s OK too, current year plus three. Data captured as part of accessing financial products, well that could be for life! The important thing is, have a rationale that is firstly not outside of the law, but is thought through, rationalised, articulated in a policy and adhered to.
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical organisational measures (‘Integrity and Confidentiality’).
Keep it safe, away from unauthorised prying eyes, also, keep it backed up (always check if you are using a cloud service, where their servers are located in the world!). Contract cleaners in the office at night? No clear desk policy? That sounds like a breach in the making! Computer monitors left unlocked whilst away from the desk? Ditto! Your third party processors not taking this seriously? Oh dear, you’re still culpable. Publishing security policies and privacy statements on their own will not keep data safe, if you talk the talk; walk the walk!
(g) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘Accountability’).
Nominated Data Controllers, those executive members of the team have the greatest burden to bear. Your processor dropped one? Did you ensure they were compliant? Did you lead from the front and make sure your organisation was properly orientated to achieve and importantly, maintain compliance? Risk assessments in place? I’ll not labour the point but senior leadership and continued sponsorship to engender a culture of data privacy and protection is crucial to success. I’ll not mention the £17m administrative fines available for breaching (oops!) but maybe the lesser sanctions of warnings and potentially banning your processing operation (that stops you trading, probably) will focus the mind.
For those finding this daunting and complex, you will do well to understand the principles and do all that is reasonable to comply with them. Then we can talk about the rights of data subjects ………