Data protection law is changing. On 25 May 2018, the General Data Protection Regulation (GDPR) will radically change how businesses can handle and process personal information.
As the date creeps closer it is important for organisations of all sizes to prepare, as those that don’t risk hefty fines for non-compliance.
GDPR has become a buzzword in business over the past 12 to 18 months and it’s unlikely that this is the first you’ve heard of it. But the most important question small to medium-sized business owners need to consider at this stage is: do you know how it will impact your business and are you prepared?
What is GDPR?
It is now 20 years since the Data Protection Act 1998 came into force and the new legislation is designed to update data protection laws, give individuals greater transparency about the data organisations hold about them and greater control over how their personal data is used. Ultimately, it is about informing people what data you hold, the purposes you will be using it for, on what lawful basis you are doing so and how long you are likely to need it.
Under the new rules, there will be much greater emphasis upon businesses to demonstrate that they are collecting, storing and using data in compliance with the regulations, and the ICO is getting greater powers to police and enforce failures to do so. GDPR operates on an accountability basis: it is up to businesses themselves to ensure that they have appropriate policies in place, that they have trained their staff to handle data correctly and that they are complying with the new rules. Keeping a clear audit trail therefore becomes even more important.
What does this mean for businesses?
GDPR will impact the way all businesses collect and use data. It is not confined to one sector of the economy or to businesses of a certain size and its impact will be wide-ranging. However, how significant the impact will be, will very much depend upon how compliant the business is with the current data protection regime.
It will affect those operating across both corporate and consumer markets and, with non-compliance resulting in fines of up to €20 million or four per cent of annual turnover, whichever is higher, business leaders cannot risk putting their heads in the sand.
The first steps
With any regulatory change, education and preparation are the two key ingredients.
It’s important to ensure that the senior management team is aware of their new obligations under GDPR and vital that those handling data on a day-to-day basis are equally as informed.
Communicate with your employees, hold training sessions and ensure everyone is aware of the rules. You could also consider limiting access to data to those who absolutely need it. Breaches are often caused by accidental human error, so the more that can be done to help prevent this, the better.
When it comes to preparation, a good starting point is a thorough data audit. Analyse and ask yourself questions such as ‘what data do we hold?’, ‘where did this data come from?’, ‘how is this data being processed?’ and ‘on what basis are we holding this data?’
Once you have these answers you will be able to paint a clear picture of why you need that data and can delete the data that you no longer need or use.
What is a lawful basis?
As with the current regime, businesses can only hold or process personal data if they can rely on a lawful basis.
Under the current regime the most commonly used lawful basis is consent, because in many instances it has been implied. However, GDPR will change this. Consent must now be freely given and informed, and the individual must give it by clear affirmative action. Therefore, this lawful basis will be harder for businesses to show under GDPR, as implied consent will no longer be acceptable.
There are also several other lawful bases that businesses can rely upon and the most appropriate will be dependent on the type of data you hold and what you are using it for. For example, you may need to hold personal data to perform a contract with the data subject, you may need it to comply with a legal obligation, or you or a third party (including the individual) may have a legitimate interest to be holding and processing the data concerned.
Given the difficulties in obtaining valid consent under the new rules, these other lawful bases are likely to become much more important.
Do I have a legitimate interest?
A legitimate interest is a clear and lawful goal that you or a third party are seeking to achieve when using an individual’s personal data. To use your legitimate interest as your lawful basis for processing personal data, the type of processing you do must be necessary to achieve your goal. For example, do you need the data to provide a product or service, or to contact your customers about new products or promotions?
Interestingly, direct marketing is recognised as a legitimate business interest, as long as those people would have an expectation that you may contact them for marketing purposes and you give people the opportunity to opt-out in a clear and transparent way.
It is essentially a balance between the legitimate interest being pursued and the rights of the individuals concerned, which is why it is important to factor in what expectations the individual may have.
The key point to remember is that in any audit, the ICO will be looking for accountability and you must be able to share the details of your legitimate interest assessment. As long as you conduct an assessment now, you update the information you give to your customers explaining that interest and you make a record of your findings to show they are based on rational decision-making, there may be no reason why you cannot carry on as you are.
Is it all scaremongering?
It is not clear at the moment how significant the changes may be in practice. The ICO have been at pains to point out that this is an evolution, not a revolution. That said, the importance of GDPR and the severity of the potential penalties it is bringing in should not be underestimated.
So, it is best to be prepared for 25th May and audit the data you hold: do you need it all? Have you given real thought to the lawful basis you are relying upon? Update your privacy notices and policies to give people a clear understanding of what data you collect about them, how you use it, what you use it for and how long you intend to use it for that purpose. Remember, it is everything you do with the data from its collection to its deletion; it’s not just about how you store it. Likewise, if you share data that you hold with any third parties (and remember this would include any cloud-based services you may rely upon), you should make sure you tell the individuals you are doing so, and you should review your contracts with those third parties and, if you don’t have contracts already in place, establish them.
The ICO is getting much bigger teeth, but as long as you have a clearly defined purpose to collect, use and hold all the data you have and you have a clear audit trail and can demonstrate the lawful basis for using the data you hold, there’s no reason it can’t be business as usual.
About the author – Matt Brown
Matt is a partner in the commercial team at Brabners. He helps clients across a broad range of sectors to navigate the legal complexities of commercial law and increasingly that includes data protection and e-commerce. He supports clients as they negotiate all manner of commercial agreements and the legal issues relating to them, such as competition concerns and the creation and deployment of intellectual property.
February 6th, 2018