The phrase ‘boring but important’ could have been invented to describe data protection law and the GDPR. Back in January, Stuart Farr summarised the key points and potential penalties. Now that the deadline is upon us, we bring you a reminder of what will change.
To put this subject into context, I first learned of the proposed introduction of the European Union’s General Data Protection Regulation (or GDPR for short) at a talk I attended in the spring of 2017. The person sitting to the right of me was a nice chap called Steve who ran a business based around combating stress through hypnosis. It was amusing to see his reaction to the talk as most people in the room glazed over. The technical detail of the GDPR is rather difficult to absorb – as has been the fashion with much of the EU driven legislation over the years. It is also easy to interpret the legislation incorrectly, so my aim here will be to provide at least a little clarity as to what it entails.
The GDPR will come into effect in the UK on 25 May 2018, so it’s not very far off; if you need to prepare for it I suggest you start right away. Its purpose is to place a much stronger emphasis on individual rights. It contains a new ‘right to be forgotten’, and the rules regarding consent to hold data about individuals will change. It requires organisations to be more open about what they will do with personal data and makes them more accountable if there are breaches of data protection.
Many of the basic data protection rules we already have are not changing. The GDPR seeks to harmonise rules across the EU, bring rules up to date with technological changes in the way data is held and shared, and enable individuals to exercise greater control over their personal data.
The GDPR requires organisations to implement a concept called ‘privacy by design’. This means taking a structured and proactive approach to embedding data protection requirements into their systems and processes from the beginning. For instance, it will become compulsory, when planning a business project that is likely to pose a high risk to individuals’ rights, to undertake a Data Protection Impact Assessment (DPIA) in order to identify and mitigate the risks to data protection. Unfortunately, the GDPR does not define what is meant by ‘high risk’; guidance on the issue is currently awaited from the Information Commissioner’s Office (ICO).
Privacy By Default
There is also a requirement to implement a system based on ‘privacy by default’, the aim of which is to ensure that only the minimum amount of personal data is collected, accessed, used and retained. There is a particular emphasis in this context on the anonymisation of data, especially when carrying out market research or statistical analysis.
The GDPR requires organisations to be able to demonstrate, in a positive fashion, that they are complying with the legislation on data protection. Organisations need to adopt the right policies and procedures, carry out DPIAs where required and maintain appropriate records of data processing activities. A much higher degree of formalisation will be required. Even sending a quick mailshot to customers on a database will be no easy feat if you wish to use printers or marketing agents to assist you.
Right To Forget
There is a specific requirement to set up a register of processing activities showing how and why personal data is processed. There are also a number of new rights granted to the individuals whose data is collected and stored. Many of these rights, it is fair to say, are conditional rather than absolute. The right to be forgotten, for example, only applies if the data is no longer needed for the purpose for which it was obtained, or if the individual withdraws consent and there is no other legitimate reason for keeping it. This allows personal data to be preserved for important things such as firearms registers, which are required by law to record gun purchases, transfers, sales and so on.
Breaches of data protection are going to be treated more seriously. If you discover a breach the obligation will be on you to report it to the ICO within 72 hours. This applies wherever the breach of data security poses a risk to the rights of individuals.
The GDPR makes no change to the existing basic requirement that personal data is kept for no longer than necessary to meet the requirements for which it was collected. It is important, therefore, that you review the data regularly and cleanse it where appropriate. There will be greater scrutiny to ensure this requirement is met and prevent organisations from hoarding data.
If you have not already done so, you will need to introduce a system for informing individuals about how long their data will be kept, and this information will also be accessible to the ICO – especially if a complaint is made.
In most cases the new GDPR is as much about formalisation and fine-tuning as anything else. However, it provides a timely reminder that one has a legal responsibility to hold another’s personal data securely and not to keep it longer than is necessary. If in doubt about the policies and procedures you may need to introduce, or how to go about implementing them, do seek advice from a professional. It is better to be prepared now, because in May 2018 the law will expect you to be up and ready.
And you are now back in the room!
Are you ready for GDPR? Gun Trade News is. Sign up now to receive our GDPR-approved email newsletter at guntradenews.com/subscribe. You’ll get regular news updates from GTN and your data will be used responsibly.
Information that organisations will be required to record when processing data:
– The categories of data collected
– The categories of individuals from whom it is collected
– The purpose for which personal data is processed
– The categories of third parties receiving the data
– Details of any transfers of the data to countries outside of the EU – potentially a sticky situation in the future!
– How long the data is retained
New rights granted to individuals by the GDPR:
– To access their data and find out how it is being used
– To request that data is erased or deleted (the so-called ‘right to be forgotten’)
– To request that inaccurate data is rectified or corrected and that incomplete data is duly completed
– To request that the use of their personal data is restricted to storage, except with their permission
– To object to processing (e.g. for direct marketing purposes)
– To object to decisions being taken solely on the basis of automated processing
– To data portability – to request that data be transferred electronically to another organisation