If you handle personally identifiable information about EU citizens, you need to know about GDPR. It will give EU citizens ultimate control over the personal data that companies hold about them. As citizens, it’s great news. However, as business owners, it seems to be causing some concern – though compliance isn’t as scary as it’s sometimes made out to be.
Let’s take a straightforward look at the new legislation, the rights it affords to us as citizens, and the rules we’ll all have to follow as businesspeople.
DISCLAIMER: Though we’ve tried to remain as accurate as possible, this post briefly summarises a lot of quite complicated legislation. This information is provided only as a guide and should not be considered actual legal advice. Yell Limited advise that you seek your own, individual legal counsel.
GDPR: The Vital Info
The General Data Protection Regulation, or “Regulation (EU) 2016/679”, became law on 27th April 2016, but businesses were given just over 2 years to become compliant. Therefore GDPR will be enforceable as of 25th May 2018.
All businesses that hold personally identifiable data about private EU citizens (including their own employees) will need to comply, or face a considerable fine. Companies found breaching GDPR rules could face fines of up to €20 million, or alternatively 4% of their annual turnover worldwide – whichever figure is larger. The regulation serves to galvanise and unify existing data privacy rules across all EU member states.
Wait – What About the UK?
Since the rules come into force in May 2018, the UK will still be a part of the EU when GDPR becomes enforceable. However, it’s been confirmed that the GDPR’s rules (apart from a few very particular tweaks) will be adopted into UK law following the completion of Article 50 through a new Data Protection Bill.
Consent is a Crucial Concept!
Individuals giving clear and informed consent to use their data is a cornerstone of the GDPR legislation. When you seek consent from people to store or process their data, there should be no ambiguity about what you intend to do with that data, and permission should be given freely and willingly through a clear and positive action (with a few narrow exceptions or “lawful bases”). Companies can no longer assume any kind of consent from inactivity, pre-ticked boxes, or silence. It must also be easy for people to withdraw consent at any time.
If you currently send direct marketing materials to people who have not given explicit consent for you to do so, STOP IMMEDIATELY and gain consent from them before marketing to them further.
Further Information: Key Areas to Consider (ICO Website)
The Right to be Informed
Under this right, individuals can contact companies and ask whether their data is being processed or stored, what data that company holds about them, why the company has it, how long they intend to hold it, and what they intend to do with the data.
Further Information: The Right to be Informed (ICO Website)
The Right of Access
Under the right of access, individuals can request a digital copy of all data that a company holds about them. This data should be provided in a commonly used digital format, and should be provided free of charge within one month of receipt of the request. However, if the request is “manifestly unfounded or excessive”, you can charge a reasonable fee. You must verify the identity of the person making the request using “reasonable means”.
Further Information: The Right of Access (ICO Website)
The Right to Rectification
If an individual finds that a company holds incorrect or incomplete data about them, they have a right to contact that company and have it corrected. Companies must respond to rectification requests within one month – two months if the request is particularly complex.
If the company has previously disclosed the incorrect information to third parties, they must inform these third parties of the change request, as well as informing the individual about the disclosure.
Further Information: The Right to Rectification (ICO Website)
The Right to Erasure
Under the GDPR, EU citizens will also have the right to request the deletion or removal of their personal data where the company has no compelling reason to continue storing or processing that data. If the company has disclosed this personal data to a third party, the third party must also be informed of the erasure request unless it “involves disproportionate effort” to do so. There are a few narrow exceptions where companies can refuse erasure requests.
Further Information: The Right to Erasure (ICO Website)
The Right to Restrict Processing
Under certain circumstances, EU citizens have the right to restrict any processing of their data by a company. When a restriction request has been made, companies are allowed to store the data, but not further process it. You can keep just enough information about the person to make sure their wishes are respected.
Further Information: The Right to Restrict Processing (ICO Website)
The Right to Data Portability
This right entitles individuals to ask that their data be passed between two organisations upon request – for example when they want to change their service provider from one company to another. The data provided must be in a readily available, machine-readable format. These requests should be responded to without undue delay and within one month, though you can extend this to two months if the request is particularly complex.
Further Information: The Right to Data Portability (ICO Website)
The Right to Object
Under GDPR, individuals will have the right to object to direct marketing, analytical processing relating to historical/scientific interests, or processing relating to any “legitimate interests.”
Perhaps the most pressing for small businesses is the part relating to direct marketing. You should only send direct marketing to those who have explicitly agreed to receive it, and must immediately stop sending direct marketing materials to anyone who objects. You must comply with direct marketing objection requests immediately, for free, with no grounds for refusal.
Further Information: The Right to Object (ICO Website)
Rights Relating to Automated Decision Making & Profiling
This new rule is intended to protect citizens from potentially damaging decisions being made without human intervention. If you use profiling tools (such as credit scoring) to give a final “yay” or “nay” on matters of significant financial or legal importance to individuals, those individuals now have a right to appeal any automatically generated decision with a human decision maker.
Businesses will need to provide the option for people to speak to a human operative with the authority to overturn the decision; citizens will be entitled to explain their point of view, and contest the automated decision. All profiling taking place must be fair and transparent – see the below ICO link for more.
Further Information: Rights Relating to Automated Decision Making & Profiling (ICO Website)
Breach Notifications & Accountability
Companies must remain transparent about their compliance with the rules, and are expected to uphold good governance of data security. This may include regular data security audits, staff training, and ongoing reviews of data handling policies. Your systems must allow for data protection “by design and by default.”
There are also certain cases where companies must appoint a Data Protection Officer (DPO) to monitor compliance, though companies of all types and sizes can appoint a DPO. The role can be handed to an existing employee alongside existing duties as long as the two roles are compatible.
In the event of a data breach that could lead to the loss, alteration, destruction, or unauthorised access to or disclosure of personal data, you may need to inform your supervisory body where the breach is “likely to result in a risk to the rights and freedoms of individuals”. If the breach is severe enough to pose a “high risk to the rights and freedoms of individuals”, you must also notify those individuals directly.
What is your opinion of the GDPR? There’s been a lot of talk about the new legislation, so we’d be eager to hear your take! Please share your thoughts in the comments below.