We provide you with guidance on which lawful basis best fits your circumstances.

GDPR Legal Advice

The General Data Protection Regulation (GDPR) has shone a light on data protection. It has implemented recording and reporting obligations on businesses to engender genuine assessments of compliance.

What is data?

Personal data is any information that can identify an individual person (‘data subject’), in particular by reference to name, identification number, location, online identifier or factors relating to physical, genetic, mental, economic, cultural or social identity.

Controller or Processor?

Most obligations under the GDPR fall on the data controller, but the GDPR also imposes specific and separate duties and obligations on data processors, so it is important to know in which capacity you are using data and to ensure your contracts, terms and conditions and policies match these obligations.


You are a controller if you “determine the purposes and means of the processing of personal data”. Most companies are likely to be a data controller in at least part of their business. For example, you will control your employees' personal data.


You are a processor if you are a “natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller”. Your suppliers are likely to be processors. However, a company being a controller does not make all other parties processors; the controller can act alone or jointly with others.

Do you have a lawful purpose for data processing?

You must have a valid lawful basis in order to hold and process data. There are six lawful means under the GDPR:


Consent

Consent must be freely given (no pre-tick boxes) after receiving clear information about the purpose of processing the data. The data subject must have the right to withdraw their consent at any time and be informed of how to do so.


In practice it will be very difficult for an employer to show that employee consent was freely given. The employer-employee relationship puts the employer in a position of power, whereby continued employment could be made dependent on consent being given. In such situations consent is not freely given so will not be a lawful purpose for processing data.


Contract

If you have entered into a contract, or are providing a quote or negotiating for a contract with the data subject, and it is necessary to process their data, this will be a lawful basis upon which you can rely.

Legal obligation

Where you have to process data in order to comply with the law itself. For example, if you are required to keep data for HMRC records.

Vital interests

Where the processing of a person’s data is necessary to protect someone’s life. This will have very limited application.

Public task

If you need to process data as part of the exercise of official authority or to perform a task in the public interest, this will be a lawful basis.

Legitimate interest

The processing must be necessary for a legitimate business interest. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply. This is subject to the ‘balance test’ judgement between the interests of the company and the interests of the individual.

Special categories

There are extra layers of protection for processing sensitive data, such as information relating to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, or sexual orientation. You must have a lawful purpose and satisfy one of the conditions for processing such data.

The conditions for processing special category data include explicit consent; processing that is necessary for carrying out obligations in the field of employment and social security; and legal claims.

Your choice of lawful basis does not dictate which special category condition you apply. So if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing, although in many circumstances this will be the most appropriate.

To process criminal offence data, you must have a lawful purpose and either legal or official authority for processing the criminal offence data.

How to choose a lawful basis

You must decide which lawful basis applies to you before you start processing personal data. When deciding, you might need to ask yourself the following questions:

  1. What are you trying to achieve and why are you trying to achieve it?
  2. Can you achieve your anticipated outcome in a different way?
  3. Do you choose what happens to the data?

It might be the case that more than one basis applies. If that is the case, it is best to identify them and document them from the start of the process.

Data Protection and GDPR compliance management

Processing will always need to be necessary to be compliant. This does not mean essential, but it must be a proportionate way to achieve the purpose; it will not be necessary if there is a less intrusive way to achieve the same purpose.

We recommend that every company should nominate a Data Compliance representative. Centralising privacy and data protection functions under a designated representative will improve consistency and accountability. It provides a structure to help demonstrate compliance with the GDPR’s requirements. The GDPR requires you to appoint a Data Protection Officer (DPO) if you have over 250 employees or large scale monitoring of individuals' data or large scale processing of special categories or criminal offence data.

A DPO has separate responsibilities under the GDPR. However, the general duties of a data compliance representative should be to ensure compliance with all relevant data protection regulations, monitor processes (such as data protection impact assessments), keep policies and contracts up to date, provide employee training and awareness, and collaborate with authorities. It is usually also their responsibility to record and report any breaches.

Subject Access Requests 

The task is time-consuming and can mean the release of commercially sensitive information but can you refuse? The Data Protection Act only provides a few very limited circumstances for refusal. Grounds for refusal of a subject access request are where refusal is a necessary and proportionate measure to:

  • avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences;
  • protect public security;
  • protect national security;
  • protect the rights and freedoms of others (which will likely include where the data includes data about another person, unless they consent or it is reasonable to provide the information without the consent).

When you can deny a person access to data

There is a catch-all for requests that are “manifestly unfounded or excessive”. However, what this may mean in practice is yet to be put to the test.

If you seek to rely on any of the rights to refuse, you will need to communicate this to the person making the request.

Security measures and breaches

There are some steps that can be taken now to minimise the risk of breach. If there is a breach, there are obligations on the company and the data compliance manager that must be upheld.

Appropriate safeguards

Making small changes to your working practice now can save time and effort later.


Although there are no specific GDPR password requirements, a password policy is another way to show GDPR compliance. This includes information relating to computer passwords, access cards and ID badges and will usually detail policies to minimise risks of data breaches, such as multi-factor authentication and encryption policies. Companies must be able to demonstrate that their password reset processes and procedures are secure. For example, your system should prevent help-desk employees from directly accessing passwords.

Leaks of data

Personal data must be secured to a level appropriate to the risk, by technical and organisational measures, so that there is adequate protection against unauthorised or unlawful processing. This will also include accidental loss, destruction or damage, for example, leaving your laptop on a train.

You should review the company’s risk analysis and where appropriate you should consider minimising the risk of a leak with measures such as encryption and pseudonymisation. In order to reduce the risk of breaching the GDPR requirements, only personal data necessary for a specific purpose should be processed.

If personal data is leaked, the processor should inform the controller without undue delay and the controller should notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach. You should also inform the data subject of the breach.

Suppliers and how to deal with commercial contracts

A common scenario for many businesses will be where they transfer data to a third party providing services. If your suppliers have access to your data (whether you are acting as controller or processor) you will need to ensure your commercial contracts are GDPR compliant, which means ensuring the processor or sub-processor confirms that they will, for example, follow your instructions on maintaining their own adequate security measures. You will need information on, or to restrict, such suppliers transferring data. Please contact us if you require guidance on your supplier relationships.

What you need to tell people

There are various obligations on data controllers and processors to inform the data subject of their rights.

Rights of data subjects

Data subjects should be informed of their rights in relation to their data, including:

  • The right to request access to the data;
  • The right to request rectifications to the data;
  • The right to ask for the data that you hold to be erased;
  • The right to ask you to restrict the purposes for which their data is processed;
  • The right to ask for an electronic copy of the data you hold;
  • The right to object to you holding their data for some purpose(s).

Data subjects are able to withdraw their permission at any time and must be clearly informed of this. They should also be given the option to opt out if you intend to use their data for marketing.


Data subjects should be notified of how their data is collected, for what purpose and under what lawful basis their data is used and the identity and contact details of any processors. They should also be made aware of any third party transfers, the retention period, their rights as a data subject and the procedure for making a complaint.


The rights of data subjects should be set out in a privacy policy. There should be a privacy policy on your website but also a privacy notice to individual data subjects where you are acting as controller.


Everyone should keep a record of all data processing activities. This should set out a record of the data compliance assessments made on all categories of data and their subjects controlled by the company.
