The highly anticipated EU General Data Protection Regulation (GDPR) takes effect next Friday 25 May 2018 in a landmark moment for data protection in the UK and across Europe.
GDPR is the most significant reform of data protection law in Europe in over twenty years. The new rules cover any organisation that holds or processes EU resident personal data. That is not limited to tech companies but affects organisations of every size and sector.
This might seem daunting for some companies who may not be sure what they are meant to be doing to ensure they are GDPR compliant by 25 May 2018. There is plenty of guidance and advice out there. techUK has been doing lots of work to raise awareness of GDPR and as we approach the final push, we’ve outlined below the five key points companies should consider.
- There are no approved GDPR certificates… yet.
Approaching GDPR compliance isn’t helped by the fact that there are no specific GDPR compliance tools or approved standards. This is the first key point for organisations looking for help for GDPR – there are no approved seals, certificates or codes. There will be one day, but there are none available yet, so don’t be tricked by someone claiming they have an approved GDPR product or are a certified GDPR expert.
- The definition of personal data is changing… and expanding.
Let’s be clear about the type of information that is covered by GDPR. The definition of personal data has changed, and more types of information are covered. The official definition, in law, is:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The Information Commissioner’s Office (ICO) has produced a guide setting out what information GDPR applies to, which you can view here.
- You don’t always have to have consent.
There is a common misconception that organisations will always need consent to hold or process personal information. That is not true and is a misrepresentation of GDPR. There are, in fact, six legal bases for processing personal data and there is no hierarchy or preference among them. Whichever is most suitable should be used. Consent may not be an appropriate legal basis for processing data and therefore should not always be used.
The six legal bases are:
- Data subject has given their consent for processing
- Processing is necessary for the performance of a contract which the data subject is a party to
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.
You can see the ICO’s guidance on the legal bases here.
- You don’t necessarily need to appoint a specific Data Protection Officer.
GDPR requires you to appoint a Data Protection Officer (DPO) if you are a public authority, or if your core activities require large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data or data relating to criminal convictions.
Other than that, you don’t need to appoint a specific DPO, although you can if you wish. The choice is yours.
- If in doubt check out reliable guidance and even the law itself!
The ICO has published a suite of guidance relating to the GDPR on both the law in general and specific parts.
The general piece of guidance can be found here, with specific sections further down the document.
There is also ICO guidance on the UK Data Protection Bill (soon to be Data Protection Act), which can be found here.
There is specific guidance for small businesses here and a dedicated helpline for SMEs and charities which can be reached at 0303 123 1113.
Remember, the GDPR is an EU-wide regulation. There is also guidance available from the Article 29 Working Party (the EU-level collection of each EU Member State’s Data Protection Authorities, on which the ICO sits) here. Again, there is both general and more specific guidance available. One of the changes under GDPR is that the Article 29 Working Party will cease to exist on 25 May 2018 and will be replaced by the European Data Protection Board, which will carry out many of the same functions.
And FINALLY, you could always check out the 156 pages of GDPR itself which you can see here.
If you would like to discuss the above or anything else to do with techUK’s work on GDPR and data protection more generally, please get in touch with Jeremy Lilley.