At the moment it might feel that GDPR (the EU General Data Protection Regulation) is popping up in every business conversation, every seminar and every newsletter or article. Any significant change in the law tends to breed a similar response, but GDPR in particular seems difficult to escape. This is partly because of the vast increase in fines that can be imposed under GDPR; and partly because data protection impinges on almost every aspect of your business.
The immense scope of data protection means it can be very difficult to know where to begin, and all too easy to put off thinking about GDPR compliance. The aim of this article is to give you a clear starting point. We can’t cover everything that you need to do to comply but we can explain the key issues and map out the path that you need to take to ensure that your business is meeting the requirements of GDPR.
Where to begin?
The first step is to carry out an audit of the personal data your business has. The most important change under GDPR is the introduction of the new “accountability” principle. This requires you to be able to demonstrate that you are complying with the other data protection principles. So you need to have a clear understanding of what personal data you hold, how you obtained it and how you use it. If you don’t carry out an audit, you won’t know what personal data you actually have – and it will be very difficult to prove you are complying with GDPR.
Do you need consent?
Once you know what personal data you have, the next step is to be able to show that your use of that data is fair and lawful. Essentially this requires you to have a legal basis on which you can justify your use of the personal data, and brings us to the consent myth. There is often a mistaken belief that to comply with data protection, you require an individual to consent to your processing of their personal data. However, consent is only one way to ensure your processing is fair and lawful. There are other ways to meet this requirement. For example, you don’t need consent where your use of an individual’s data is necessary to carry out a contract you have with them. If I were to buy something online, my name and address would often be passed to a delivery company. That is part of my contract with the seller, as I want the goods delivered. The seller doesn’t need my consent to do this. It has to use my data in this way to perform the contract.
You can also process personal data without consent where this is necessary for the purposes of your “legitimate interests”, provided such interests are not overridden by the interests or fundamental rights and freedoms of the individual. So it is a balancing exercise. You cannot just decide to do whatever you want with someone’s personal data because it suits you. In the past this has been seen as a riskier way of demonstrating that processing is fair and lawful, because you need to make a judgment on whether the benefit to you outweighs the risks to the individual. It is less clear cut than consent. Whichever way the balance falls, record your reasoning: under the accountability principle you may need to show how you reached that judgment. However, it is likely that under GDPR this position will shift quite significantly. Consent is going to be more difficult to obtain and retain. Consent also gives individuals additional rights, such as the right to withdraw it at any time and, in many cases, the right to data portability. It is therefore important that you are aware that you may be entitled to use personal data without consent. Consent should really only be used as a last resort, if you are not entitled to process data on any other basis.
Are you providing the right information?
Existing legislation has always focussed on transparency and letting individuals know what you are doing with their data. However, a key change under GDPR is that you must tell individuals your reason for processing their personal data and what legal basis you are relying on to justify this.
Your justification may not always be the same. For example, you might need some personal data to comply with a contract you have with the individual. Other uses might be based on your legitimate interests or consent. You need to be able to explain this clearly to the relevant individuals.
As mentioned above, consent should really be used as a last resort. It is not the only way to justify your use of personal data, and it is actually preferable to rely on another basis if you can. This is because consent can be withdrawn at any time, in which case you must stop processing the relevant personal data immediately (unless you can rely on another lawful basis for it). Of course, if there is no other way to justify your use of personal data, then you need to review your processes to make sure consent is indeed freely given, specific and informed in relation to the particular processing concerned – and not bundled up in a non-negotiable contract.
Try not to panic…
A lot has been written about the huge increase in fining power under GDPR. But try not to believe everything you read. Fines will naturally increase, just as they did when the previous fining power went from £5k to £500k. However, it doesn’t mean vast fines will become commonplace. The Information Commissioner’s Office (“ICO”) has always stressed its commitment to guiding, advising and educating businesses on how to process and handle personal information, with issuing fines being a last resort. The figures reflect this. Last year, the ICO imposed fines in only 16 of the 17,300 cases it concluded, and to date the existing maximum fine has never been imposed (80% of the maximum is the current record).
Start thinking about compliance today
There are no two ways about it: the path to GDPR compliance is likely to take a lot of work. It may be that your customers and suppliers have already started asking you what steps you are taking as part of their own internal audits. If you have been guilty of putting things off, now is the time to carry out a meaningful review of the personal data you hold. Only then will you be able to fully map out what you need to do to ensure that you will meet the enhanced data protection requirements under GDPR.