By Neil Kelley
Head of Litigation at Griffin Law UK
21 Law can facilitate GDPR audits or advice in the United Kingdom through Griffin Law.
The GDPR is a significant piece of legislation originating from the EU and it effects every organisation or individual holding the data of EU based private individuals.
It isn’t new…
GDPR replaced the Data Protection Act 1998 (“98 Act”) and is the 98 Act on steroids.
It has been in force since 25 May 2016 and will be enforced from 25 May 2018.
Pursuant to the GDPR the UK Information Commissioner’s Office (“ICO”) can:
- Carry out an audit to confirm compliance with the GDPR; and
- Impose a maximum fine of up to Euro 10 million or 2% of annual worldwide turnover, whichever is greater.
The ICO has allowed a two-year period of grace to allow those affected to make the necessary arrangements to ensure compliance.
Many have ignored it until the threat of enforcement and penalties is imminent.
The GDPR does not have any impact in respect of data held about corporate clients and their business operations. However, you should ensure that you do not hold any information about individuals who work for such a corporate client or customer, and which goes beyond that required regarding their business interests. If you have, you should probably have complied with the requirements of the GDPR.
The general rule to remember is that as a Data Controller you should not hold any data concerning a Data Subject unless you have their consent and have complied with the requirements set down in the GDPR. It is more complex than this, but the best advice is get the Data Subject’s consent.
A Data Subject is an individual who is the subject of personal data. This would include any individual, customer, client or business contact who is not a limited company.
A Data Controller means a natural or legal person or body which determines the purpose and means of processing data. That probably means you!
A Data Processor means any natural or legal person or body which processes data on behalf of any Data Controller.
For the avoidance of doubt, the Data Controller will ordinarily be responsible for any breach of the GDPR. A Data Processor may be liable for breaches of the GDPR if they are (ie have taken decision as to the nature of the processing of the data) a Data Controller and/ or breach the GDPR contrary to the terms of their agreement with the Data Controller. However, a Data Controller can be fined for the negligence or malfeasance of the Data Processor. Be wary if you obtain data as a Data Controller and that data is held or processed by another party as a Data Processor.
The purpose of the GDPR is to ensure compliance with the Data Protections Principles. These are like those set down in the 98 Act.
There is legal basis for many data processing activities. These range from consent through legal obligations to legitimate interests. For example, a justification for holding personal data regarding money laundering obligations, could be legal obligation. However, consent is always preferable.
The best way to safeguard yourself is to not hold any personal data without the Data Subject’s consent. You should ensure you do this, can prove you have done it and are seen to be doing it.
The GPDR requires you to provide a Privacy Notice to an individual and obtain their consent before you can hold a personal data.
Privacy Notice to a Data Subject under GDPR must contain:
- The identity and contact details of Data Controller;
- The purpose and legal basis for processing data;
- If ‘legitimate Interests’ is used as a legal basis, what those ‘legitimate interest’ are;
- The recipients or categories of recipients of the data;
- Any cross-border transfers of the data and what safeguards are in place;
- How long the data will be retained;
- An outline of individual rights under GDPR;
- Whether a statutory or contractual requirement to process the data exists; and
- The existence of any automated decision making.
Conditions for consent must be:
- Written in clear and plain language; and
- Separate from other written matters.
That also means, no implied consent or pre-ticked boxes. Consent to hold personal data may be withdrawn at any time. The burden is on the Data Controller to demonstrate consent was given.
Even if you have held the data for many years and it is a long-standing contact, you will have to comply with the GDPR and send a Privacy Notice and ideally seek the Data Subject’s consent or failing that rely upon another legal basis for holding the personal data.
The document seeking consent should be a separate document with a requirement that it be signed and returned. No hiding the request in the small print.
The mantra regarding GDPR compliance appears to be two-fold. Less is more and consent, consent, consent. Hold the least amount of personal data you can, do not hold it if you do not need to and get the Data Subject’s consent.
If you are daunted by the impact of the GDPR, then you have every right to be. The work involved is potentially significant, and enforcement and substantial penalties commence in a few short weeks.
In our next article we will cover the further complications and implications of the GDPR.