Thursday, May 3, 2018
You have probably heard about the upcoming data protection reforms which will undoubtedly affect your business.
We have been through some key details about GDPR for you and hope you may find this helpful.
The General Data Protection Regulation (GDPR) is aimed at giving individuals the power to better control who can access and/or process their personal data. Historically there have been many cases of misuse of this data, or of failure to take adequate steps to protect it, so the changes now required should lead to better practice all round. As a controller or processor of data, if you do not conform there could be serious penalties.
What is "Personal Data"?
GDPR defines "Personal data" as any information relating to a person who can be identified, directly or indirectly, in particular by reference to information such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
For example, identifiers such as IP addresses and cookies will now be regarded as personal data if they can be (or are capable of being) traced back to the person in question. It does not matter whether the information relates to a person at work or at home: from a GDPR perspective, an individual is an individual.
Firms will now have an obligation to report any potential data breach to the authorities no later than 72 hours after the suspected incident. Notifications will have to include the nature of the situation, including the categories and approximate numbers of individuals concerned, and the measures being put in place to ensure this does not happen again.
Fines and Enforcement
Failure to comply with the new legislation can now carry serious repercussions.
Regulators will now have authority to issue penalties of up to the greater of EUR 10 million or 2% of the entity's global gross revenue for violations relating to record-keeping, security, breach notification and inadequate preparation.
However, violations of obligations relating to the legal justification for processing (including consent), data subject rights and cross-border data transfers may result in penalties of the greater of EUR 20 million or 4% of the entity's global gross revenue.
Consent is one basis for the lawful processing of an individual's data. In other words, there must be a genuine, sound reason for possessing and processing a subject's data, and that subject must have given explicit permission for the data to be held and processed in this specific way. For marketers in particular there has been much debate about the type of consent that might be required under the new regulation, for example requiring people to positively 'opt in' to marketing requests rather than relying on them not 'opting out'.
According to the Regulation, consent means "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed".
Consent should be demonstrable: organisations need to be able to show clearly how and when consent was gained, for example through a positive opt-in. It must also be freely given: a controller cannot insist on data that is not required for the performance of a contract as a prerequisite for that contract.
Withdrawing consent must always be possible and straightforward.
Legitimate Interests & Direct Marketing
GDPR does allow the processing of data for 'direct marketing purposes' as a legitimate interest.
Just like consent, legitimate interest is a ground on which an organisation may possess and process data.
The Regulation says that processing is lawful if "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
A good example: sending a mailshot about goods and services similar to a subject's existing purchases from the firm is legitimate without direct consent. However, obtaining a cold database of subject data and 'profiling' it to target customers with advertising without explicit consent from the subject would not be permissible, as no ground of legitimate interest has been established.
Retention & The Right to be Forgotten
When data is collected about a subject, the subject must be informed why their data is being collected and how long they can reasonably expect it to be retained.
Should the subject wish to have their data removed, and the data is no longer required for the purposes for which it was collected, then it must be deleted immediately. Importantly, firms must also maintain a register (or similar) of who they have provided this data to. For example, if a subject entered into a contract with a building firm that uses subcontractors, the subject's data will have been passed to those subcontractors for the valid purpose of carrying out the contractual works. If the 'Right to be Forgotten' is invoked, the firm has an obligation to establish who the data was provided to and then contact them to ensure the data has been deleted from their systems as well.