We all need to be aware that compliance with GDPR is not optional. Whilst it is more relevant to some businesses than others (Marketing, PR, HR and Recruitment to name a few), all businesses need to take on board what GDPR is and what they need to do to comply.
GDPR applies to both “controllers” and “processors” of data. The definitions for these are broadly the same as under the Data Protection Act (‘DPA’). A controller says how and why personal data is processed and a processor acts on the controller's behalf (think of a business and its outsourced IT – the business is the controller but the IT company processes the data by holding it on its servers).
GDPR places specific legal obligations on processors including more legal liability if you are responsible for a breach. Controllers will need to ensure they contract with processors that are compliant with GDPR.
GDPR applies to personal data. Be careful not to be too narrow with your definition of personal data. This is much more detailed and wider than under the DPA to reflect technological changes and the way that organisations collect data; for example, a work e-mail address can now be construed as personal data. Anything that previously fell under the DPA will fall under GDPR, including HR records, consumer lists and contact details. It applies to:
This is wider than under the DPA. Coded personal data could be caught by GDPR if it can be attributed to a particular individual.
These are the “special categories” of personal data and, whilst similar to the DPA, now include genetic data and biometric data where it is processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences is not included within this category, but safeguards do apply to its processing.
You must have a lawful basis before you can process personal data. You must determine this at the outset and document it. Lawful reasons for processing data include:
Consent is now a key area for businesses to consider. Consent must be:
Consent requires an affirmative action – a positive opt in.
The request for consent must be separate from other terms and conditions, so no sneaky clauses buried at the bottom of T&Cs that slip in ambiguous “marketing” consent! Individuals must be able to withdraw consent.
Children’s personal data
There are new provisions to enhance the protection of children’s personal data.
New rights for individuals
GDPR creates some new rights for individuals but also strengthens some that are already in existence under the DPA.
Key to GDPR is accountability and transparency, which were previously only implicit in data protection law. Comprehensive but proportionate measures should be put in place, and you should be able to demonstrate that you comply with the principles.
Under GDPR, breaches must be notified within 72 hours of the organisation becoming aware of them.
All organisations must report certain types of data breaches under GDPR. These must be reported to the relevant supervisory authority and in some cases to the individual affected.
Relevant breaches for notification to the supervisory authority are those which are likely to result in a risk to the rights and freedoms of individuals.
Individuals must be notified where a breach is likely to result in a high risk to the rights and freedoms of individuals. This is therefore a higher threshold than for notification to the relevant supervisory authority.
GDPR now imposes restrictions on the transfer of personal data outside of the EU. This is to ensure that GDPR provisions are not undermined.
It is important to remember that if you are complying properly with the DPA, then this compliance will remain valid under GDPR. This can be a good starting point to build from. However, the above sets out some key differences, and some things will have to be done differently to ensure compliance.
Here are 5 key reasons you should consider good compliance software to support your GDPR project:
1. Accessibility. The IT department alone is not responsible for this massive undertaking, so naturally, you would need to include the people from legal, sales, marketing and operations to form cross-functional teams capable of taking on GDPR compliance requirements. This team of people will handle many operational activities, and they need to have steady access to all data and tasks they need to undertake.
2. Centralised data flow. Having your team members use a variety of tools, Excel sheets and emails to track tasks, documents and discussions, and then piece all that data together, will drive them “crazy” and, more importantly, cost you precious time. So, make sure your software has all the information in one place.
3. Powerful features. Your team will have to map data flows, do a gap analysis and assess current privacy policies and procedures. There will be a lot of documents, tasks and communication to handle, so your software should have the means to support all of this under a single login. Project, task, document and communication management modules are definite must-haves; your software should include templates for these.
4. User-friendly interface. Look for a simple yet effective solution that is smooth to use and gets the job done. A good interface should be welcoming, familiar and logical. So, make sure the software tool you select meets this requirement.
5. Vigilant support. This should include not only user guides to ensure smooth user acceptance, but also GDPR documentation, step-by-step guides and educational materials to get you to that deadline effectively. Make sure the vendor you are considering has strong supporting documentation and GDPR expert support you can rely on for your business's compliance.