General Data Protection Regulation (GDPR)
It has been over three months since the General Data Protection Regulation (GDPR) came into force that tightened up the law on data protection in many ways.
- Introduces the “accountability principle” which puts a burden on businesses to be able to demonstrate compliance.
- Makes it harder to rely on consent as a ground for processing personal data.
- Raises the penalties for non-compliance. There are potentially huge fines.
There is a lot of publicity on the new law, making individuals and businesses more aware and so more likely to question what you do with personal data.
The basic principles have not changed much. The Information Commissioner’s Office (ICO) describes this as evolution, not revolution. So don’t panic – you are probably at least 50% of the way there but you need to take control now if you have not yet done anything.
Generally, the most important things are to:
- update your data protection policy
- train your staff
- check your security arrangements are sound
- check and update your standard privacy notices and contract terms; and
- check you have the necessary consents for marketing.
Helpfully the ICO have provided a summary of the key actions you should take:
KEY POINTS TO NOTE
- Awareness – make sure your decision makers are aware of the law and key changes.
- Document the information you hold, where it comes from and who you share it with.
- Review your current privacy notices and put a plan in place for making any necessary changes. Follow the guidance here:
- Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Update your procedures and plan how you will handle subject access requests. You will have a month to comply and, in most cases, you will not be able to charge.
- You should identify the lawful basis for processing activity, document it and update your privacy notice to explain it.
- You should review how you seek, record and manage consent and whether you need to make any changes. GDPR sets a high standard for consent as you will see here:
- Consider special protection for children. Consent from a parent or guardian maybe needed when collecting or processing personal data for children 15 years of age or younger.
- You should make sure you have the right procedures in place to detect, report and investigate personal data breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will have to notify those concerned directly.
- GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. Consider if you are required to carry out a Data Protection Impact Assessment which are mandatory in certain circumstances.
- Consider whether you need to formally designate a Data Protection Officer or at the very least appoint someone to take responsibility for data protection.
- If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
EVALUATING YOUR CURRENT PRACTICES – QUESTIONNAIRE
Complete this questionnaire to help you to evaluate your current practices. You should then take appropriate remedial action in any areas where you cannot confidently answer “yes”.
|Backup: Is information appropriately backed up? |
That includes electronic information being backed up offsite, and copies of important paper documents being made and kept separate from originals.
|Retention: Do we keep information for appropriate times? |
Do we have clear time limits for the retention of records, in particular for matter files? Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed (GDPR Article 5(1)(c)). Hence you have to delete personal data where you no longer have a good reason to keep it.
Do we safely dispose of confidential information when those time limits expire? For example:
– Are documents shredded rather than being placed intact in the refuse?
– Are electronic devices thoroughly cleaned of information before they are disposed of?
|Security of Electronic Records: Do we have effective safeguards against hacking, malware, phishing and other cybercrime? For example: |
– Do we have a firewall to protect our intranet?
– Do we have up-to-date anti-virus software?
– Do we install software upgrades promptly?
– Do our systems have suitable password protection?
– Are passwords managed effectively? In particular do we ensure that passwords are of sufficient complexity and changed from time to time?
– Do our staff understand the risks and their responsibilities in respect of information security?
– Do staff understand the importance of reporting any breach of security?
– Do we circulate reminders about current risks and criminal methodologies?
|Security of Paper-Based Records: Do we have appropriate security arrangements to protect paper-based records? For example: |
– Are paper files well organised to minimise the risk of documents being lost?
– Is access to our premises appropriately controlled?
– Do we give staff clear guidelines about the risks involved in taking confidential papers out of the office, e.g. to court or to work on at home?
|Collecting Personal Data: Do we only collect and process personal data when we have a lawful basis for doing so? Articles 6 and 9 of the GDPR set out the “processing conditions”, at least one of which must be satisfied to process personal data or sensitive personal data. You will often have several grounds for holding the same data, e.g. |
necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
|Transparency: Do we use appropriate privacy notices or other means where practicable to let people know the use we make of personal data we hold about them? Personal data must be processed in a transparent manner under Article 5 GDPR. Privacy notices are the main way businesses comply with that obligation.|
|Training: Overall, are staff adequately trained so that they understand their obligations under the GDPR and SRA Code of Conduct in respect of data protection, confidentiality, security and reporting of breaches?|
|Third Parties: Have we considered the risks associated with us sending personal data and confidential information to third parties? This may include accountants, contractors and consultants (not limited to). |
Is it adequate in all the circumstances for us to rely on the general data protection and confidentiality obligations of those third parties?
Otherwise, have we taken appropriate precautions? That may include the following.
– Checking that they have appropriate data protection procedures in place, including adequate security arrangements.
– Requiring them to agree to contractual terms.
|Marketing: Do we ensure we do not send marketing communications without opt-in consent where that is necessary?|
If you would like some help with GDPR and how I can be of assistance to you, please do not hesitate to get in contact with me, Paula Hebberd, at [email protected] or on 0330 380 0010 .
This guide is to provide general information and a general understanding of the law, not to provide specific legal advice nor does it create a client relationship.