Your responsibilities under the GDPR

BusinessGDPR | 10 November, 2017 by Eddie Paterson

The most radical change in 20 years for personal data protection came into force in May 2018. The new set of regulations will significantly strengthen the protection of personal information for individuals across the EU including the UK – the General Data Protection Regulations or GDPR. In this article, we look at the obligations on organisations that hold and process personal data – and the significant levels of penalties if an organisation fails to deliver on its responsibilities.

Will my organisation be affected?

The answer is almost certainly yes. The regulations apply to entities of all sizes and shapes that hold or process personal data both inside and outside of Europe. So, whether you are a sole trader, a public company, a non-profit or a school you need to be prepared.

What is personal data?

The regulations are all about protecting an individual’s privacy, rights and people – and so data which is personal. The GDPR’s definition of “personal data” is extensive and includes a person’s physical, physiological, mental, economic, cultural, online or social identity. This broad definition of personal data easily covers the simplest records that relate, even indirectly, to customers, clients, staff, pupils and any other record relating to an individual.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation is specifically called out.

There are child-specific provisions in the GDPR, particularly in relation to grounds for processing and notices. Children are identified as “vulnerable individuals” and deserving of “specific protection” with ability to add additional restrictions and precautions.

What does data processing mean?

The section above looked at what is meant by “personal data” – “Processing” is what is done to the data. The GDPR takes a very broad view of what this means and covers the whole lifecycle of the data – from how and when it is collected, what is done with it to how it is finally deleted. Sending a routine email will constitute processing as it includes personal data related to the recipient. Storing, structuring and organising staff, member or customer information is processing. Reviewing an employee’s performance or providing feedback is “processing” and so will require permission.

The regulations refer to “Controllers” (they determine how and why personal data is processed) and “processors” (who act on the controller’s behalf). Controllers have to be open and honest about what they do with personal data, stick to the purpose for which it was collected, keep it current and accurate and delete when it’s no longer required. Processors have a greater legal responsibility to protect personal data under the GDPR than the DPA, in particular if they are responsible for a breach.

You must respect an individuals’ rights

As we reviewed in part one, your employees, customers and members will have new powers to request detailed information on how their data is used, stored and protected – free of charge. They’ll have the right to access, port and even request erasure of their personal details. So, you will need to ensure that you have the processes in place to deliver on these rights – and to deliver them within the prescribed timescales.

You will be accountable for the personal data you hold

Data protection legislation has included the principles of lawfulness, fairness and transparency for some time and now the GDPR goes further and adds the principles of accountability and governance. In essence, you must not only do the right thing, you must be able to show and prove that you are. This means you will need to implement privacy by design, with appropriate technical and organisational measures such as internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies. You will also need to maintain records of processing activities under your responsibility.

GDPR Obligations

You need to make data protection business as usual

Privacy by design and default means that you must consider these issues right from the start of a project and not just tack them on as an afterthought. The Information Commissioner has always promoted this approach in the UK but it has not been a legal requirement under the Date Protection Act – but it will be under the GDPR. Data privacy by default means that an individual’s right is not to share any information – anything above this level requires the individual’s permission.

Security is paramount

A key purpose of the GDPR is to protect an individual’s personal data, so of course security of personal data and its processing features strongly in the new regulations.

Both data controllers and data processors are jointly responsible for personal data protection which means that data controllers need to know more about sub-contractors (processors, such a cloud service providers or marketing agencies) than at present. All of us use cloud services to one extent or another – perhaps for storage (such as Dropbox or Google Drive) or applications (such as email, accounting or CRM). And sometimes your staff may elect to use a third-party service without your knowledge. Whatever the case, as a data controller, you will be held accountable for the security of the data.

The regulations specify that data should be held within one of the 28 EU countries, or a country that has an agreement with the EU. You not only need to understand and approve the technical and organisational competence of the third party, you need to understand where they hold the data you are accountable for.

In addition to the above, the regulations specifically bring out pseudonymisation and encryption of personal data as ways to protect personal data. The ICO has been encouraging the encryption of personal data on mobile devices for some time, now under the GDPR it becomes more explicit.

Personal Data breeches must be notified

A personal data breach is much more than just loosing personal data and can involve the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. There has been considerable media coverage of high profile data breeches and the theft of personal data in recent times. So Data breeches do happen, regardless of the size of organisation and it’s only the big ones that get the publicity.

You will have the responsibility to notify the ICO and the individuals concerned if the breech is likely to result in a risk to the rights and freedoms of individuals. Where a breech meets the notifiable criteria, you must report the breech within 72 hours which is a tough requirement as it means you need the processes and systems to be in place to detect that a breech has occurred.

Additional responsibilities and obligations

The regulations call out additional requirements when processing “Sensitive Personal Data”, when there are high risks to privacy and individual rights or carry out large scale processing of special categories of data. In these cases, organisations may need to conduct Data Privacy Impact Assessments. Both data controllers and processors will need to appoint a Data Protection Officer where the processing is carried out by a public authority, where processing requires regular and systematic monitoring of data subjects on a large scale, or where processing on a large scale of special categories of data.

Penalties with teeth

The maximum level of fine available to the ICO is currently £500,000, but the GDPR raises the level significantly. Two levels of fine will be available:

Up to €20,000,00 or up to 4% of global turnover for infringements such as contravening the basic principles of processing, breeching a data subjects’ rights or international transfers; and
Up to €10,000,00 or up to 2% of global turnover for infringements such as failing to obtain consent to the processing of data relating to children; failing to implement technical and organisational measures, failing to maintain records or failing to notify a breach when required to do so.

What’s next?

In the next article, we will review the 12 steps the Information Commissioner recommends organisations take to prepare for the GDPR.

If you’d like to know more, please call us on 01428 770 290 or complete our contact form

Cookie	Type	Duration	Description
_abck	1	11 months 29 days 23 hours 59 minutes	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
bm_sz	1	3 hours 59 minutes	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
IDE	1	1 years 23 days 23 hours 59 minutes	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	1	5 months 29 days 23 hours 59 minutes	This cookie is used to a profile based on user's interest and display personalized ads to the users.
VISITOR_INFO1_LIVE	1	5 months 26 days 23 hours 59 minutes	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Type	Duration	Description
_ga	1	1 years 11 months 28 days 23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	1	29 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
vuid	1	1 years 11 months 28 days 23 hours 59 minutes	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.