10 most important things to know about GDPR compliance regardless of business size
The author is a UK qualified and fully licensed, currently practising solicitor specialising in intellectual property cases and digital technology. His book A Business Guide to Business Law and the Internet, published in 2002, has a whole chapter dedicated to the Data Protection Directive 95/46/EC, implemented in the UK as the Data Protection Act 1998, which has now been wholly repealed and replaced by GDPR.
The General Data Protection Regulation, Regulation (EU) 2016/679, comes into force this Friday, 25 May 2018. Here are my picks of the ten most important things you need to know about GDPR regardless of the size of your business.
1. All has changed since the Data Protection Directive 95/46/EC, implemented in the UK as the Data Protection Act 1998.
The GDPR completely overhauls the Directive. Do not think that just because you complied with the Directive you do not need to comply with GDPR.
Here are just a few examples of how it has changed the Directive:
- There is a new definition of personal data (art 4(1)) to bring much needed clarity to what constitutes personal data. IP addresses, location data and ID numbers, among other things, are all personal data.
- Although there has been no change to the definition of data processing, the GDPR has placed new duties on processors. The Directive left processors to their own devices because much of what they did was automated, whilst it was the controller that was responsible for the “why” and “how” personal data was to be collected.
- There is a new provision for prior consultation of the supervisory authority before introducing “new tech”.
GDPR has brought many more changes to the current data protection laws; some of the other new provisions are mentioned below.
2. The complexity of compliance is not necessarily related to the size of your business.
2.1 Although large corporations will have more personal data to collect and process, GDPR compliance is more about identifying the categories of data you collect, identifying the grounds upon which you will be relying to process each category of data, being specific as to the purposes for which you will be processing the data, identifying special categories of personal data, and complying with some new powers provided to consumers through which they can have more control over what you do with their data, including:
- specific protection for children (art 8)
- erasure requests (art 17)
- data-portability (art 20)
- automated decision making (profiling) (art 22).
In other words, if you are, for example, a medical surgery with servers outside the EEA, you are likely to need more time to understand and prepare compliant processes, policies and notices than if you are operating a brochure website with a UK based server that does not conduct any marketing to prospective or existing consumers.
For further information on each of the rights provided to data subjects, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
3. GDPR will apply after Brexit.
Although domestic legislation is necessary to deal with some of the details of GDPR, such as those in art 6, the GDPR will apply as is in the UK post-Brexit.
4. Consent has changed.
The definition of consent has changed. There are now far more stringent, specific conditions for consent, and the controller must demonstrate that consent was given (art 7). The provisions are long and complex and require some thinking to ensure compliance. A serious business cannot just pre-populate a form and expect a compliant privacy notice and/or policy to pop out.
5. Obtaining personal data from third parties.
The personal data that you obtain from third parties is treated in the same way as personal data obtained directly from the data subject. This is important to note, for example, where you obtain information from the Internet and elsewhere to enhance a user profile.
6. Access to personal data by third parties outside the EEA.
If you have employees, agents, associates, affiliates etc. outside the EEA who will access the data, even if it is stored in the EEA, then you need to ensure that they are complying with GDPR as well.
7. Transfers outside the EEA.
If you are transferring personal data outside the EEA, then you need to comply with arts 44-50 of the GDPR.
8. Data mapping is the key to getting compliance right.
It is recommended that you go through the process of identifying what data you hold, why, in what form and for how long. You can do this by way of an internal questionnaire. A data processing register will also enable you to keep track of the different categories of personal data and how each is protected (data security), which will help you with your international transfer and security responsibilities.
9. Article 29 Working Party Guidance.
Consider reviewing the Art 29 WP guidance on privacy notices when preparing your privacy policies. You should also consider its recommendation of layering your notices: rather than bundling all types of activities together under a single opt-in, you should present each privacy notice relating to a different category of data separately to the data subject.
10. Increased administrative fines for non-compliance and/or suing for damages.
Supervisory authorities can now issue fines in two tiers: Tier 1, up to 10,000,000.00 or, for undertakings, up to 2% of global turnover, whichever is the higher, for some contraventions; and Tier 2, up to 20,000,000.00 or, for undertakings, up to 4% of global turnover, whichever is the higher. Fines may be applied as an alternative or in addition to other measures that may be applied by supervisory authorities, including for procedural contraventions. Fines are discretionary and must be “effective, proportionate and dissuasive”, which is not meant as comfort for guilty parties.
Additionally, under Article 82 of the GDPR, a data subject who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered. The data subject is entitled to bring a compensation claim for damages in the courts.
If you are a data subject, the General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner, whose contact details are on their website at https://ico.org.uk/global/contact-us/helpline/ or by telephone: [0303 123 1113].
The information and any commentary on the law contained on this web site is provided free of charge for information purposes only. Every reasonable effort is made to make the information and commentary accurate and up to date, but no responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by PAIL Solicitors. The information and commentary do not, and are not intended to, amount to legal advice to any person on a specific case or matter. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not to rely on the information or comments on this site. No responsibility is accepted for the content or accuracy of linked sites.