Getting ready for GDPR
When I mention the General Data Protection Regulation (GDPR) to most of my clients, I normally get one of two reactions. The first (and most common) is “what’s that?”. The second is “it won’t really change what we do though – will it?”.
GDPR has been looming for the last two years. However, most businesses have done virtually nothing to prepare for it and may be caught unawares when it is implemented in May 2018. Some businesses have taken a calculated gamble on not spending time (and money) getting compliant, betting that the rules will change following Brexit. However, this is a very risky strategy. Not only will GDPR still apply until the UK government decides to change it, but the UK may still have to comply with its provisions if we continue as part of the single market or under some other type of trade deal.
So who does this legislation apply to? The short answer is that it applies to anyone who holds any form of personal data. This is not just data which is in electronic format (although this forms the vast majority of data held), but also paper documents. A business cannot get out of its obligations just because it contracts out its data processing to another company or a sub-contractor. GDPR applies to both data controllers, who are the people who decide how and why information is processed, and the processors themselves, who are the people who actually process the data.
A distinction is drawn in the legislation between ordinary personal data, which is anything that can identify a person (including IP addresses), and special categories of personal data, which are more sensitive. These include things like medical details, information about a person’s religion and their genetic and biometric data. There are more safeguards in place for these special categories and greater care must be taken with storage and access. Many businesses think that they do not hold sensitive data, but it can be frighteningly easy to accumulate. Most employers will ask employees about any disabilities or other medical conditions during induction. But often this information is gathered for other purposes. If you organise an event and ask about dietary requirements, you may get people informing you that they require halal or kosher food (information about religion) or that they are allergic to strawberries (information about medical conditions). Would you think about how this information is to be stored and protected?
The focus in GDPR is much more about providing information to people who give you information than about trying to make you spend large sums of money on encryption software. This means that businesses can protect themselves just by putting in place decent policies and internal controls to protect the information.
The means by which data protection information is given to people, and the consent that they give you in order to process their data, need to be looked at. It is not enough to bury data processing information in your other terms and conditions; it must be in a separate document which deals only with data protection. When seeking someone’s consent to process their data, consent cannot be inferred from their silence or obtained by means of pre-ticked boxes. Only a genuine “opt-in” is permitted. If the consent you already hold does not meet all the criteria, you will have to obtain consent all over again.
With the large amount of publicity surrounding all EU-related issues at the moment, people will be better educated about their rights to access their data, have it rectified if it is incorrect, object to it being processed, or opt out of their data being used for direct marketing. Businesses will need to make sure that they know their obligations and have processes in place to respond to any enquiries, as trying to retrofit these while complying with tight deadlines on responses would be a nightmare.
Coles Solicitors can help you prepare for the upcoming implementation of GDPR. We can “health-check” your business to ensure that you know what you need to do, as well as helping you put your policies and procedures (including internal policies and updating contracts of employment) in place ready for May 2018. With offices across Yorkshire and special GDPR workshops taking place in York, Harrogate, Northallerton & the Tees Valley, our trusted solicitors are ready to help your business prepare.