The Guild has published some handy FAQs in relation to the hot topic of GDPR.
The General Data Protection Regulation (GDPR) is an EU Regulation that will replace the Data Protection Act 1998 in the UK. It takes effect on 25 May 2018 and will govern data protection law in EU member states and the privacy rights of all EU citizens. Parliament is developing a data protection bill to govern data protection law in the UK post-Brexit. The data protection bill will largely replicate the provisions of GDPR. On this basis, the application of the GDPR in the UK will not be affected by Brexit.
What follows are some frequently asked questions we have received from our clients. Please bear in mind that these are general questions only, and do not constitute legal advice. If you have specific questions, you should consult your legal advisers.
Who does GDPR affect?
The GDPR applies to all ‘personal data’ and ‘sensitive personal data’. Therefore it will impact all businesses located within the EU, businesses that offer goods or services within the EU or those which monitor the behaviour of EU citizens. It also applies to all companies processing the personal data of people who live in the EU.
What is personal data?
Personal data is any information that relates to a natural person, also known as the data subject, that can be used to directly or indirectly identify the person. It includes names, addresses, contact information, bank details, but also photographs, finger prints, computer IP addresses and so on.
Under article 9 GDPR, some personal data is ‘special category’ data, which requires extra safeguards. This data is information relating to:race/ethnicity, politics, religious (or spiritual) beliefs, trade union membership, genetics, biometric data, health (mental as well as physical), sex life and sexuality. Further, under article 10, information relating to criminal offences likewise requires additional safeguards.
What are the penalties for non-compliance?
The potential penalties for non-compliance with GDPR have probably attracted more attention than any other single aspect of the regulations. This has made everyone stand up and take notice! It’s true that GDPR introduces a hefty penalty regime for non-compliance, with a maximum fine of 20 million euros or 4% of global turnover, whichever is greater. There is also a lower tier regime for more data security-type non-compliance, with a maximum fine of 10 million euros or 2% of global turnover, again, whichever is greater. In addition to receiving fines, a business may potentially be sued for compensation.
However, it’s worth noting that these are maximum penalties, not guaranteed – any fines levied under GDPR will likely be proportionate to the harm caused, as well as your own compliance efforts.
Within the UK, The Information Commissioners Office (ICO) is the supervisory authority and will take investigatory or enforcement action if required.
In addition to the ability to impose fines, the ICO have a range of powers which are listed at Article 58. If an investigation is conducted by the ICO, they have the ability to impose a temporary or definitive ban on processing. As you can imagine, this will mean that a number of organisations would not be able to continue working until the ban is lifted, which could be crippling.
What is the difference between a data controller and a data processor and which one are we?
A data controller determines the purposes, means and conditions of a given processing activity; the data processor processes data on behalf of the data controller. Whether you are a controller or processor for GDPR purposes will depend in part on how your business operates and where you sit in the contractual chain. It is possible for your business to be both a data controller in some respects and a data processor in others.
What is a Data Protection Officer (DPO) and do we need one?
A DPO is someone with responsibility for ensuring compliance with GDPR. The DPO must be a specialist with the clout to influence how your business deals with data protection. The DPO may be an employee of your company, or you may use a specialist outsourced data protection organisation.
Under GDPR, a DPO must be appointed for public authorities, businesses that engage in large scale systematic monitoring or large scale processing of special category or criminal data. If your business does not tick any of these boxes, you probably won’t require a DPO. It is essential though, that if you do not require a DPO, you appoint somebody within your organisation who is the GDPR Representative.
Unfortunately, GDPR is not precise about what large scale means in this context so if you are unsure about whether or not you need a DPO, you should seek specialist advice.
How does GDPR affect data breaches?
This is another big change to the law: GDPR severely curtails your options and the timeframes for dealing with data breaches. There will no longer be any wiggle room – data breaches must be reported to the ICO within 72 hours of your organisation becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting the individuals’ rights and freedoms, you must also contact the individuals affected without undue delay.
You must review your data security policies and procedures and make sure you and your colleagues know what to do in the event of a data breach. The education of your staff on their obligations under the GDPR is a vital step to take for all organisations.
Does all this mean that we can’t email documents about operatives to you or our clients anymore?
GDPR does not outlaw any particular activity or technology as such. Instead, you should consider what information you are emailing and why, and who you are emailing it to. Ask yourself if you have a lawful basis (such as consent) for sharing the information and if you are sharing too much (or not enough). You should consider and carry out a review of whether or not you have appropriate technical and organisational measures in place to ensure a level of security which is appropriate to the risk. Alongside this, of course, you must ensure that you are controlling and processing data in accordance with the principles relating to processing of personal data and that any processing is lawful. If you are in any doubt, seek legal advice.
Can we register candidates online and hold information about them before they start working for us?
In order to satisfy yourself that a given individual will be suitable for the kind of work in consideration, you have to compile some information about them, regardless of the registration method.
Nevertheless, as a general rule you should assess all the categories of personal information you gather and identify and record your lawful basis for all acts of processing, such as registering individuals, sharing information with third parties and so on. You should only be collecting data that you require and ensure that it is only collected for specified, explicit and legitimate purposes.
You should pay particular attention to special category and criminal data, as these kinds of information will require additional safeguards.
You should also ensure that any data processing you do complies with the principles relating to the processing of personal data (article 5 of the GDPR). Ask yourself: what information do I need to gather about a given person? You should also bear in mind that your requirements may change depending on the specific circumstances, such as the nature and location of the work, the employment status of the individual, for example.
Should we add a confidentiality notice at the end of our emails?
If you don’t already have one, a confidentiality/privacy notice is best practice and it’s worth taking the time to implement one. However, while this is best practice, it won’t be sufficient by itself to satisfy your data protection obligations.
Do we need consent to process the operatives’ information?
There are six lawful bases for processing data, one of which is consent. Whether you will need consent or not will depend in part on what the processing activity is and whether or not one of the other lawful bases applies. You can rely on one or more lawful grounds for consent. It is recommended that you do not rely on consent alone. You must clearly demonstrate and document the lawful basis on which you are processing personal data.
GDPR makes some changes to how consent will work in practice – long, difficult to understand terms and conditions full of legalese will not be adequate, and nor will implied pre-ticked consent tick-box exercises (e.g.: “untick this box if you don’t want us to share your data with our partners”). You can no longer assume consent has been given by a data subject.
Instead, a request for consent must be given in easy to understand terms, with the purpose of the data processing made clear. If you are relying on consent as a lawful ground to process personal data, that consent must be specific, informed and unambiguous and can only be given if there has been an affirmative action taken by the data subject.
Explicit consent is mandatory for situations in which you seek to rely on consent as your lawful basis and the processing relates to special category data or data relating to criminal offences. In this context, it means you need to set out more or less exactly what you intend to do with the data and get unambiguous and absolute ‘opt-in’ consent from the data subject. There are other situations in which special categories of personal data can be processed, but you should take legal advice in those circumstances.
How long should we keep individual records before deleting them?
One of the data protection principles is that you should keep personal information for no longer than is necessary. The concept of minimisation states that data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which the data is processed. However, this can be highly complicated in practice so you should take legal advice on any specific questions you have. For example, the type of individual in consideration- an employee; a private customer – has a bearing on what records you should keep, and the nature of the information as well as you reasons for collecting and retaining it are highly variable.
Finally, you must always consider the individual’s rights when storing or using their personal data, which have been enhanced by GDPR. When an individual provides their personal data to you, they are effectively lending it, it is not yours to keep and do as you wish. Data protection by ‘design and default’ is the cornerstone of the GDPR, and the privacy rights of individuals should be at the top of any agenda within your organisation.