What is GDPR? An overview
Significant advancements in the fields of IT and communication technology have increased the ease with which personal data is handled. Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details; it may also include information that allows a third party to be identified indirectly. Most businesses use personal data in their daily operations, where it is collected, transmitted, stored, manipulated and disseminated.
The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, sought to introduce a data protection compliance regime across EU member states and the European Economic Area, neither of which the UK is any longer a member of. Nonetheless, EU data protection law has largely been converted into UK domestic law, so UK and EU data protection law are largely aligned. UK businesses may not need to do anything differently but may want to consider that position for the future.
The GDPR introduced penalties of up to 4% of annual worldwide turnover of the preceding financial year or EUR 20 million (whichever is the greater). Individuals who suffer damage or distress as a result of breaches of local legislation may also be entitled to seek redress through the courts.
In addition to the interruption, inconvenience and cost that could flow from remedying breaches, a business that is seen to disregard the privacy of its employees, customers and suppliers may suffer reputational damage.
A business must identify the countries in which processing activities take place, or may take place in the future, and then follow those countries' requirements.
The key steps involved in establishing an effective compliance programme for a business are as follows:
- Appointing a Data Protection Officer with responsibility for managing compliance.
- Conducting an internal data processing and compliance audit throughout the business.
- Ensuring appropriate lawful grounds exist for each processing activity (e.g. sending unsolicited communications, data transfers to third party processors, marketing).
- Implementing systems to ensure only authorised employees have access to personal data.
- Ensuring appropriate data security levels exist within the business and that appropriate arrangements have been put in place with third party processors.
- Providing and maintaining a training programme for employees with access to personal data within the company, ensuring that processes and systems comply with applicable privacy requirements, and carrying out data protection/privacy impact assessments.
- Maintaining the compliance programme.
Records should be kept evidencing a data controller’s ‘accountability’ obligation to demonstrate compliance with data protection principles.
Personal data must be securely collected and maintained only for specific, explicit and legitimate purposes, must be accurate and up to date and only kept as long as necessary.
Before a controller can process personal data, they will need to tell the data subjects (customers, individuals on contact lists or marketing databases, employees, contractors, suppliers and consultants) that their data is being processed and, in many cases, ask for their consent to such use.
The two grounds most frequently relied upon for processing are that it is necessary for the purposes of "legitimate interests" and that the data subjects have provided their consent to it. Consent to processing can be obtained in response to an appropriate notification through a variety of means, including tick boxes, application forms and terms of business.
Obtaining the data subject's clear and unambiguous consent to the transfer of their data to a third party is important when transferring customer lists and employee data in the context of, for example, an asset sale, a joint venture or an employee moving job.