What is GDPR and how on earth will it affect you?

Unless you have been living under a rock for the last few months, we all know that GDPR is coming, and it is coming whether we like it or not. There is, of course, reason to be a little confused, as it becomes like spaghetti with the whole Brexit ‘will we, won’t we’ debate, but as of today GDPR is coming and we need to be ready.

Now, I am not trying to trick you all into thinking that I am clever enough to have written this document myself. In fact it comes courtesy of my own fantastic legal firm Forde Campbell, who specialise in data protection, IT, commercial, corporate and I.P. law and who have kindly given me permission to use their document.

I hope you find the advice useful and urge you to read and implement. This will be law and something none of us can hide from (if you are UK-based, of course).

What is the GDPR?

The General Data Protection Regulation is incoming EU legislation which sets out new rules for data protection. The regulation replaces the existing Data Protection Directive, which was brought into law in the UK by the Data Protection Act 1998 (“DPA”).

Will it apply to me? 

If you handle “personal data” (information relating to a person who is identified, or who can be identified from it), the GDPR will most likely apply to you. Unlike the DPA, which only imposed obligations on a “data controller” (the party which decides what data to collect and what to do with it), the GDPR also imposes direct obligations on a “data processor” (the party which agrees to handle personal data on behalf of someone else).

This is important to know, since the maximum penalty for failure to comply with data protection law will be increased from £500,000 to the greater of €20,000,000 or 4% of a company’s global annual turnover.

We’re leaving the EU – why should I care? 

The GDPR will apply in the UK from 25th May 2018 and will continue to apply directly until we leave the EU. Post-Brexit, the UK government is planning to implement national legislation which almost certainly will be broadly equivalent to the GDPR. The contents of the bill are as yet unknown, but it is expected to get its first airing in parliament in September this year.

Do I need to take any action? 

If you want to be in a position to comply with the new law when it comes in, you need to take action now. We’ve set out a simple three-step process below to guide you.

1. Carry out a data audit. 

This means mapping the flow of the personal data you handle, from collection to destruction. You need to know: Whose personal data is collected? What types of data? Where does the data come from? What uses do you make of it? How and where do you store it? Who has access to it? What security measures do you have in place? How long do you keep it for? How do you destroy it?

2. Conduct a gap analysis 

To do this, you’ll need to know what obligations the GDPR imposes on you. This will differ depending on whether you are a data controller or a data processor. In many cases you will be both. For example, you’ll most likely be a data controller in respect of data relating to your employees and clients, but a data processor if you handle data relating to your clients’ customers. Most hoteliers, however, will fall under the term ‘data controller’.

There are a number of obligations imposed on a data controller, but one of the key requirements is compliance with the ‘Conditions for Processing’. This means (in part) that you must have a legal basis for processing. The two most common bases are likely to be: (i) consent from the “data subject” (the person who can be identified from the data), or (ii) the processing is necessary to perform a contract with the data subject – i.e. to provide the services requested.

In addition, data controllers will need to comply with the ‘Principles of Processing’, which deal with the ‘how’ rather than the ‘why’. The new principles are broadly similar to those under the DPA, but place new emphasis on ‘Data Minimisation’ (collect only what you need), ‘Purpose Limitation’ (use it only for the purposes you collected it for) and ‘Storage Limitation’ (keep it no longer than necessary).

Data controllers will also have to familiarise themselves with the ‘Rights of Data Subjects’, which will be enhanced substantially under the GDPR, including a new express right to erasure (the ‘right to be forgotten’) as well as the right not to be subject to decisions based solely on automated processing.

3. Implement Procedures to comply 

Once you’ve mapped out the life-cycle of the data you hold and are aware of your obligations, you should be able to work out what procedures you need to implement to comply. The GDPR does not offer a checklist of steps to comply; instead, it requires each business to look at its particular model and decide how to put data protection at its core.

The procedures required will be different for each business. However, there are likely to be some steps which will be common to many, which we’ve set out below.

(a) Update your privacy policy 

If you’re collecting the data directly from a data subject, it’s likely that you’ll need to update your privacy policy to include the following information: the legal basis for processing; the contact details of your DPO if appointed (see below); how long you’ll retain the data; any transfers outside the EEA and the safeguards around the transfer; the rights of data subjects; how a data subject can complain; what happens if a data subject withdraws their consent; and the rationale for any automated decision-making.

(b) Update your mechanism for obtaining consent 

Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. This means: your privacy policy needs to be clear, available at the point of collection and sufficiently detailed; no more pre-ticked boxes; and consent will need to be given specifically for the use of the data (and not bundled in with consent to your Ts and Cs). Particular attention will need to be given to any online services offered directly to under-16s, for which you’ll need parental consent (the GDPR allows member states to lower this age to 13, so check what the UK adopts).

(c) If you outsource your infrastructure, review your data processing agreements 

Does the processor provide contractual promises to implement adequate security measures? Where are their servers based? Are they obliged to assist you if any access requests are received from data subjects? Are they obliged to notify you without undue delay if they suffer a breach? Do they use sub-processors, and do you have a say in that? How long do they retain the data for? What can you sue them for if there is a data breach? Do they have a policy in place for data restoration?

(d) Implement robust internal processes within your organisation 

Draft an internal data protection policy. This should deal with matters such as who is authorised to access particular types of data; whether data can be accessed on personal devices; the use of passwords and encryption; data retention periods and deletion procedures; and how a suspected breach is reported and handled internally.

Carry out staff training particularly if you have customer-facing staff, so that data is handled correctly from the point of collection.

While it’s not compulsory for all businesses (it is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data), it is a good idea to appoint someone in your organisation to act as a Data Protection Officer (“DPO”). They will be responsible for ensuring that policies are implemented and that data access requests are dealt with.

At the heart of the GDPR is the idea of ‘privacy by design’ (the regulation calls it ‘data protection by design and by default’), which means that businesses will need a change in culture within their organisations. It won’t be sufficient to carry out a one-off process. You will need to implement policies and continue to audit and update them.

If you’d like to find out more about the GDPR and how it might affect you, feel free to contact them by email at info@fordelaw.com or you can call them on: 028 9089 7610.

And as usual, for all things revenue, just ask@rightrevenue.wpengine.com