The GDPR comes into force in the UK on 25 May 2018. It replaces the Data Protection Act 1998.
It applies to data processors within the EU and also to organisations outside the EU who sell goods and services into the EU.
There are two types of people and organisations to which it applies:
Controllers – they say how and why personal data is processed;
Processors – act on behalf of controllers.
Many organisations and individuals can be, and often are, both controllers and processors of personal data.
The GDPR applies to personal data. The definition of this has been expanded from that in the Data Protection Act. It not only covers things like HR records, customer lists or contact details; it now also includes personal identifiers such as IP addresses.
It applies to both automated and manual data which can be searched by specific criteria. That means it will apply to paper files kept in an ordered system.
There is a sub-set of personal data, referred to as “sensitive personal data”. It includes data relating to more personal or sensitive matters, such as health. The scope is slightly different from that in the Data Protection Act as it no longer includes criminal convictions or offences, but it does include genetic or biometric data where they can be used to identify an individual.
Under the GDPR data must be processed in a manner which is compliant with the data protection principles. These are the main responsibility of organisations, and they can be summarised as follows:
Personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner which ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical and organisational measures.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
This means that you must show how you comply with the other principles. The decisions you take in respect of data collection and processing will need to be recorded, as will the reasons for those decisions. This is the new principle of accountability.
As noted above, data needs to be processed lawfully. To process data lawfully under the GDPR you need to identify the lawful basis upon which you intend to rely. The principle of accountability means you should establish your lawful basis for processing personal data, document this and why you decided this was the case. This step is important, because your lawful basis for processing data has an effect on the rights of individuals. If your lawful basis for processing is the consent of the data subject, they will have stronger rights, for example to have their data erased, than if you relied upon an alternative legal basis.
If you are relying on the consent of the data subject to render lawful your processing of their data then consent must be freely given, specific, informed and unambiguous. There must be some form of clear positive action on the part of the individual to indicate consent. In other words, there must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent to data processing must be separate from other terms and conditions. It cannot be buried in the small print. You will need to provide simple ways for people to withdraw consent.
If you are providing services to children, in particular online services, you must ensure that any privacy notice is written in plain, clear, simple language appropriate to the age of the child. If you are providing online services to children under 16, they cannot give consent themselves. Instead, consent is required from a person with “parental responsibility”.
Under the GDPR individuals have rights in respect of their data. These include:
- The right to be informed.
This means providing “fair processing information”, usually through a privacy notice or policy. The information must be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, particularly if addressed to a child and, finally, it must be free of charge.
- The right of access
Under the GDPR individuals have the right to obtain:
- Confirmation that their data is being processed;
- Access to the personal data; and
- Other supplementary information, which should, in any event, be provided in any privacy notice.
These rights are similar to those under the old Data Protection Act. There are, however, two important changes. The first is that, in most cases, you can no longer charge a fee for the provision of information. The second change is that the information requested must be provided without delay, and at the latest within one month of the receipt of the request. This can be extended if the requests are complex or repetitive.
You must use reasonable means to identify the person making the request. If the request is made electronically, you should provide information in a commonly used electronic format.
- The right to rectification
Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete. If you have passed inaccurate or incomplete data to third parties you must inform those third parties that the data is inaccurate or incomplete. You must also inform the data subject of third parties to whom the data was transmitted.
- The right to erasure
This is also known as “the right to be forgotten”. Individuals have the right to have their personal data deleted or removed where there is no compelling reason for its retention or continued processing. This is not an absolute right on the part of the individual, and there are circumstances in which a request for erasure can be refused. If you do agree to the deletion of personal data belonging to an individual, you should inform other organisations to whom you have passed that data.
- The right to restrict processing
Individuals have a right to prevent processing of their personal data. When processing is restricted, you are permitted to store the personal data, but it may not be processed further. You can retain sufficient information about the individual to ensure that the restriction is respected in the future. As with some of these other rights, you should inform other organisations to whom you have passed the restricted data.
- The right to data portability
This confers upon individuals a right to obtain and reuse their personal data for their own purposes across different services. It is meant to allow individuals to move, copy or transfer data easily from one IT environment to another. Such transfers must be safe and secure, and without hindrance to usability.
- The right to object
Individuals have the right to object to processing of their data in certain circumstances. These are where the processing is based on the legitimate interests of the processor or the performance of a task in the public interest, where it is for direct marketing, and where it is for the purposes of scientific or historical research and statistics.
An individual must have an objection based on grounds relating to his or her particular situation. You must stop processing the data of an objecting individual unless:
- You can demonstrate compelling grounds for the processing which override the rights and freedoms of the individual; or
- The processing is for the establishment, exercise or defence of legal claims.
You must inform individuals of their right to object at the point of first communication with them, and in your privacy notice. This must be brought to their attention in a clear manner and separate from any other information.
If you process personal data for direct marketing purposes, you must stop as soon as you receive an objection. There are no grounds upon which you can refuse.
- Rights in relation to automated decision-making and profiling
The GDPR protects individuals against the risk that a potentially damaging decision is taken without human intervention. Individuals have a right not to be subject to a decision when it is based on automatic processing and it produces a legal or similarly significant effect on the individual. In those circumstances, individuals are entitled to deal with a human, express their point of view and obtain an explanation for the decision and challenge it.
For further advice, please contact us on 01792 468684 or email enquiries@pgmsolicitors.co.uk.