GDPR compliance is not an option – it’s the law, but it’s also your opportunity to improve existing business operations and to build competitive advantage. Here at Business Clan we are taking a pragmatic and risk based approach to GDPR compliance.
Reading time – about forty minutes. Alternatively, skip to the key takeaways (a 10-second read) and bookmark this page to read later.
What’s covered – if you are new to GDPR, then first read our overview and get to grips with what your legal duties and responsibilities are. If you are ready to dive in, then follow our 6 Step Action Plan to progress your journey to GDPR compliance. Afterwards, if you still have questions, then read our FAQ.
Help – our team of specialists are here to help with training, consultancy and implementation. Get in touch for a FREE initial consultation.
This section covers what the GDPR is, its objectives and scope, and who needs to comply.
GDPR (the General Data Protection Regulation) relates to the collection, processing and protection of an individual’s personal dataPersonal data means any information that can be used to identify an individual (whether at home or at work) including, for example, name, email address, location data and online identifiers. within the European Union (EU). It also addresses the export of such data outside of the EU.
The GDPR came into force on 24 May 2016 but, due to its two year implementation period, will only be enforceable from 25 May 2018. It applies to all member states and will continue to be adopted by Britain even after we have left the EU. The government announced a new Data Protection Bill in the 2017 Queen’s Speech and this Bill is now going through Parliament.
How long is the GDPR and where is it online?
The GDPR comprises 99 articles and 173 recitals, and is much more comprehensive than its predecessor, the Data Protection Directive (Directive 95/46/EC). The original text (156 pages including the associated Directives) has no indexing. Luckily, there are easier to read versions (e.g. privacy-regulation.eu and gdpr-info.eu) with hyperlinked headings, a handy table of contents and a search facility. In addition, the UK’s Information Commissioner’s Office has produced easy-to-read information and guidance which is available on their website.
Personal data is defined as any information that can be used to identify a living person (called a data subject). It includes addresses, phone numbers, online identifiers (such as those stored by cookies) and factors specific to the physical, physiological, genetic, mental, economic, cultural and social identity of a data subject. This definition of ‘personal data’ reflects the fast pace of technological development.
It does not matter whether the data is of a personal nature or business related; if it is reasonably likely (see Recital 26) that you can identify the natural person either directly or indirectly, then it is personal data.
The Regulation does not apply to anonymous data.
The GDPR is about achieving three objectives related to the collection, processing and protection of an individual’s personal data. The objectives are:
- protect the rights of EU individuals in relation to their own personal data;
- require data processors and controllers to act lawfully and fairly; and
- allow the free movement of personal data within the EU.
Anyone, regardless of their legal entity, who collects or processes personal data of EU residents must comply under GDPR unless the processing falls outside the scope (Article 2) of the Regulation e.g. if it falls under law enforcement regulations, it is for national security purposes, or it is carried out by individuals purely for personal/household activities.
This means it applies to data processors as well as data controllers (click here to understand the difference). Where data is transferred e.g. from a data controller to a data processor, both parties are equally accountable (see Article 28 (4)).
Post Brexit, UK data controllers and data processors will still need to comply with GDPR. The new Data Protection Bill is currently going through Parliament and will become law in 2018. This will replace the existing UK Data Protection Act and incorporate GDPR legislation.
As a data controller or data processor you must adhere to the principles of the GDPR. As this is the crux of the GDPR, we have highlighted the principles in the section covering your legal duties and responsibilities.
In the UK, the ICO (Information Commissioner’s Office) is the appointed independent authority responsible for upholding information rights and data privacy.
The ICO has the power to issue administrative fines. The maximum amount depends on the type of infringement; for the most severe infringements fines may be up to 20 million Euros or 4% of an organisation’s global annual turnover of the preceding financial year (whichever is higher). The fines apply against both data controllers and data processors (where the total combined amount does not exceed the maximum penalty). However, in each individual case fines will be effective, proportionate and dissuasive (Article 83).
The ICO has confirmed that it will not be making early examples of organisations for minor infringements and it prefers the carrot to the stick approach.
Visit the ICO website for official advice and guidance.
There are three reasons why there’s a lot of media attention and why many business owners and managers are concerned:
- the scarily high fines if you don’t comply;
- the work involved to ensure compliance; and
- the difficulty in understanding what you need to do to comply.
Throughout the legislation, you are expected to follow best practice and, as is often the case with regulations, the articles and recitals are open to interpretation. For example:
- you will need to do a balancing test, when collecting and processing personal data under a legitimate interest, to determine whether your legitimate interest is outweighed by the rights and freedoms of the individual; and
- you will need to put into place comprehensive but proportionate governance measures.
At the end of the day, if you are challenged, it will be the ICO who decides whether your balancing test has been done fairly and whether your governance measures are comprehensive and proportionate.
Your legal duties & responsibilities
As a data controller or data processor you must adhere to the principles of the GDPR. In this section we highlight those principles and focus on your key duties and responsibilities.
The principles are similar to the eight principles set out in the UK Data Protection Act, with some added detail and measures, and a new accountability requirement.
The principles of the GDPR state that you must ensure that personal data is:
- processed in a lawful, fair and transparent manner;
- kept only for your stated purpose;
- limited to what’s necessary;
- kept no longer than is necessary; and
- processed with appropriate security and confidentiality.
In addition, under the accountability principle, you need to be able to demonstrate compliance and you are expected to put into place comprehensive but proportionate governance measures. This is, of course, open to interpretation and the measures that you will need to put in place will vary on a case by case basis.
There are six legal bases for collecting, processing and keeping an individual’s personal data:
- Consent – this must be freely and unambiguously given by the data subject whose personal data it is, and it must be given for a specific and clear purpose;
- Performance of a contract – this only covers personal data that is necessary for the performance of a contract to which the data subject is a party;
- Compliance with a legal obligation – this applies when the data controller has a legal duty to keep and / or process personal data;
- Vital interests – this is where processing is allowed in order to protect the vital interests of a data subject or another natural person;
- Public interest – processing is allowed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Legitimate interests – this is where the controller or third party has a legitimate purpose to process personal data except where such interests are overridden by the interests, rights or freedoms of the data subject.
Data subjects have various rights under GDPR:
- the right to be informed about how their personal data will be processed;
- the right to see their personal data; and
- the right to have their personal data
- restricted in use,
- erased, and
- moved (under a new right to ‘portability’).
In some cases, data subjects also have the right to:
- object to their personal data being used including in profiling and for the purposes of scientific / historical research and statistics, and
- not be subject to automated decision making.
Data controllers and data processors are required to protect all personal data.
However, the right to the protection of personal data is not an absolute right. The legal principle of proportionality requires that the rights of one party (in this case, the rights of the data subject to the protection of their personal data) are balanced against the opposing interests of the other party (in this case, the lawful purposes of the data controller).
Therefore, data controllers and data processors must use appropriate technical and organisational measures to protect personal data. This includes protecting personal data against:
- unauthorised and unlawful processing;
- accidental loss;
- destruction; and
The level of security must be appropriate to the risk.
Armed with an understanding of what you need to do, you then need an action plan to ensure that your organisation complies under GDPR. If your organisation is not compliant by 25 May 2018, you risk being fined.
Six step action plan
The following action plan is designed to help you comply with GDPR. If you already adhere to the principles of the Data Protection Act, then it will be a case of tightening up your best practices and implementing a few additional processes and procedures.
6 Step Action Plan
You need a clear road map to minimise risk and avoid costly mistakes later on. We have broken this stage into four tasks:
Once key decision makers in your organisation are aware of what GDPR is and how it will impact your organisation, designate someone to take responsibility for GDPR compliance. You may wish to consider contracting out this role, particularly if you are a small organisation.
Only public authorities and organisations that either carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking), or carry out large scale processing of special categories of data or data relating to criminal convictions and offences, are required to formally appoint a Data Protection Officer (DPO). If you are unsure, then the Article 29 Working Party has published guidelines about DPOs (click to download) and an FAQ.
The designated person (including a DPO) does not have to have any special qualifications. However, he/she should have professional experience and knowledge of existing and impending data protection law (e.g. the new UK Data Protection Bill) which is proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires. Further guidelines are available on the ICO website.
Your designated person (or DPO) will also need to be familiar with the Privacy and Electronic Communications Regulations (PECR). PECR is complementary to the GDPR and the UK Data Protection Act, and relates specifically to people’s privacy rights in relation to electronic communications.
For more information about how to register and to find out about how the fees will be changing under the new Data Protection Bill, visit our FAQ: How to register?
A data audit needs to cover all personal data that your organisation collects and processes including:
- how and why you process it (i.e. establish your legal bases under GDPR);
- who has, or rather who should have, access to it and establish whether it is adequately protected:
- internally – how is it accessed, managed and reviewed,
- externally – who do you share it with (e.g. payroll service provider, marketing agency, delivery company);
- whether you are keeping only what is necessary and keeping it only for as long as is necessary; and
- whether the information is accurate and up to date.
There are various tools to help you capture the information from the audit. A visual data mapping and process tool may be helpful (e.g. Skore) together with a spreadsheet such as the ICO’s template for data controllers which can be downloaded here.
You may also be required to carry out data protection impact assessments (DPIAs) to help you identify and assess the impact of your data processing on the rights and freedoms of individuals. For further information about DPIAs and when you need to conduct one, see our FAQ.
Personal data must be processed with appropriate security and confidentiality.
Article 32 of the GDPR states that appropriate technical and organisational measures are to be put in place to ensure a level of security appropriate to the risk whilst taking into account available technology and the costs of implementation.
The ICO has yet to provide updated guidance with regard to Article 32, but a good starting point is their existing guidance located under the heading of ‘security’. There is also a practical guide to IT security for small businesses which includes reference to the government’s Cyber Essentials scheme.
If your organisation transfers personal data to third parties for processing or hosting, then you need to make sure that the organisation receiving the personal data has provided adequate safeguards.
The ICO website provides further guidance about international transfers.
The Privacy Shield framework
One way to help determine whether a receiving company has adequate data protection safeguards, is to establish whether it is on the Privacy Shield list.
Since 12 July 2016, the European Commission has deemed the EU-US Privacy Shield framework adequate to enable data transfers across the Atlantic under EU law. However, be aware that US laws may change and overrule the safeguards put in place for processing EU data. If that happens then the EU (and UK) may rule that the Privacy Shield is no longer valid, meaning that data stored or processed on US servers would suddenly fall foul of European / UK law. This happened with the predecessor of the EU-US Privacy Shield framework (the Safe Harbour agreement which became invalid in 2015).
Decide what processes and procedures you need to put into place in order to process personal data lawfully and fairly, including:
- how you will integrate, if need be, data protection impact assessments with your existing project and risk management policies;
- how you will ensure personal data is accurate, up to date and necessary, and specifically what your retention policies are (see FAQ – How long can you keep personal data for?);
- how you will respond to and handle subject access requests (within one month);
- how you will identify, report, manage and resolve any personal data breaches; and
- how you will document (if required) and provide evidence of compliance (see step 4 of the action plan).
Transparency is key to processing personal data fairly and you must inform people about how you will collect and use their personal data.
Privacy notices need to be informative and transparent about:
- the identity and contact details of the data controller;
- what personal data you collect;
- how you will use personal data including your legal basis for processing and how long you will keep the data;
- who you share personal data with or the categories of recipients;
- how you protect personal data; and
- what rights data subjects have in relation to their personal data and how individuals can exercise their rights.
In particular, privacy notices should be written in language that is clear and easy to understand, particularly if addressed to a child, and it must be made easily accessible and available free of charge.
The ICO has provided examples of good and bad privacy notices.
Consider all points of capturing personal data and the different media you use to capture it. Communicate your privacy information, where possible, at the first point of collection using the same media.
You can give privacy information orally, in writing, through signage and electronically.
Where consent is required, make sure that it is given unambiguously and freely.
If you have more than one purpose, provide separate un-ticked opt-in boxes for each purpose. You need to record consent (when, how and for what it was given) so that you can demonstrate compliance.
Most reputable email campaign tool providers have built-in functionality to help you comply. Whilst checking this, you should also check what backup procedures are in place, how you can restore from a backup and that data subjects are easily able to withdraw their consent at any time.
If you offer services directly to a child, then you must ensure that your privacy notice is written in a clear and simple way that a child will understand.
You will also need to put in place systems to verify an individual’s age and to obtain parental or guardian consent for any data processing activity if that child is under 13 years of age.
The ICO’s website provides further guidance about Children and the GDPR.
Make sure you train your staff, so that they carry out what you say (in your data privacy notices) that you will do.
All staff should be aware of your organisation’s legal duties and responsibilities under GDPR, what your policies and procedures are, and what their specific roles are to help ensure compliance.
Remember that changes to your privacy policies and complaint handling procedures, may need to be communicated to staff and appropriate training for new staff incorporated into your on-boarding process. You should also check that you have adequate policies and procedures in place for when employees leave (and, in particular, that access to all personal data held by your organisation is removed immediately).
Keep a record of all training.
Under the accountability principle, you need to be able to demonstrate compliance.
The ICO has provided guidance on how to demonstrate compliance which includes:
- implementing appropriate technical and organisational measures such as appointing a data protection officer, staff training, internal audits of processing activities and reviews of internal HR policies;
- implementing measures such as data protection by design and by default (see the ICO website for more information) which could include:
- maintaining relevant documentation* on processing activities.
* Although documentation is an explicit provision of the GDPR, for small and medium-sized organisations with fewer than 250 employees, the documentation requirements are limited to certain types of processing activities where, for example, it is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences. However, documenting your processing activities can improve your data governance and in turn help you to comply with other aspects of the GDPR.
The ICO has provided templates for documentation purposes – the one for data controllers can downloaded here: the ICO documentation template for controllers.
The GDPR stipulates how you must respond to subject access requests and handle data breaches and complaints.
What you need to know:
- Verification – You must verify the identity of the person making the request, using ‘reasonable means’.
- Without delay and within one month – You must respond and provide the information without delay and at the latest within one month of receipt.
- Free of charge – Under GDPR you can no longer charge a data subject when he/she requests to see their personal data unless the request is manifestly unfounded or excessive.
- Manifestly unfounded or excessive requests – If the request is manifestly unfounded or excessive, then you can choose to charge a fee or not to respond. If you do this, then you must explain why and inform the individual without undue delay and, at the latest, within one month. You must also inform the individual of their right to complain to the supervisory authority and of their right to judicial remedy (i.e. a legally binding decision).
Under GDPR you must protect your data subjects’ personal data.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Not all breaches are notifiable and this depends on the level of risk to the rights and freedoms of individuals.
- If there is likely to be a risk to the rights and freedoms of individuals, then you must notify the relevant supervisory authority and you must do so within 72 hours of the organisation becoming aware of it.
- If there is likely to be a ‘high risk’ to the rights and freedoms of individuals, then you must notify those individuals directly.
For further guidance see the ICO’s website.
The ICO expects organisations to handle and resolve complainants raised by individuals with respect to their personal data rights.
A complaints procedure will help you to resolve matters without undue delay. When you receive a complaint, make your procedure known to the individual and be sure to inform them of their right to take the matter to the ICO if they feel that a satisfactory outcome has not been achieved.
Individuals have three months from their last meaningful contact with you to raise any concerns with the ICO.
Remember that processing activities may change over time. As and when they do, you will need to test, record and, if necessary, amend your processes and procedures, and retrain staff.
- Doing nothing is not an option. If you are a data controller or data processor, you are accountable for collecting, processing and protecting personal data lawfully and fairly, and you have to be able to demonstrate compliance. You won’t be able to do that unless you understand your legal duties and responsibilities.
- Transparency is essential. Tell people when you collect their personal data, what you will use it for (your legal bases) and inform them of their rights via appropriate privacy notices.
- Compliance is an on-going task. You need to assess compliance whenever your business processes change and, if necessary, perform a data protection impact assessment (DPIA). Follow our 6 step action plan to GDPR compliance.
- It’s not black and white. If in doubt, put the privacy rights of individuals first and handle complaints well.
If you have questions or need help, you can reach our compliance team here.
The key differences between the GDPR and the Data Protection Act are that under GDPR:
- the scope is broader, the rights of the individuals are greater (in some cases) and the obligations of the data processors and data controllers are more extensive;
- where you process personal data from multiple EU Member States, you will have just one lead supervisory authority to deal with;
- there are new accountability measures;
- most breaches will have to be reported within 72 hours; and
- the potential fines for breaching the rules are much higher.
Throughout the GDPR you are expected to follow best practice. The extent to which you implement best practice is, as with many business decisions, about managing risk. However, you do have to comply and be able to demonstrate compliance – it’s the law!
If you don’t comply then you will be breaking the law, which is a criminal offence; you may receive a large fine; your brand and reputation may suffer; and a significant breach could put your organisation out of business.
A data controller is the person or organisation that collects personal data and determines the legal basis for collecting and processing that data. A data processor processes personal data on behalf of a data controller and must also comply with GDPR. A data processor also needs a legal basis for processing data (whether via contract or legal obligation).
If you handle personal information about individuals, then unless you are exempt, you need to register (notify the ICO) and pay a fee. The fees collected will fund the ICO’s data protection work whilst any fines will be passed back to the government.
Before the 25 May 2018, you may need to register under the Data Protection Act (DPA). You can check here, if you need to register. On and after 25 May 2018, you will need to register, unless you are exempt, and pay a fee. The ICO has published a guide: The data protection fee – a guide for controllers. This details the exemptions and covers how much you have to pay.
The new fee structure is dependent on your number of staff (full or part-time) and turnover of your organisation:
- Tier 1 – micro organisations
A maximum turnover of £632,000 for your financial year or no more than 10 members of staff.
The fee for tier 1 is £40.
- Tier 2 – small and medium organisations
A maximum turnover of £36 million for your financial year or no more than 250 members of staff.
The fee for tier 2 is £60.
- Tier 3 – large organisations
This applies if you do not meet the criteria for tier 1 or tier 2.
The fee for tier 3 is £2,900.
You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:
- Staff administration
- Advertising, marketing and public relations (to existing, past or present clients and suppliers)
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
However, remember that you still need to comply with all other legal duties and responsibilities under GDPR.
For more detailed information about the fees, how to pay and the exemptions available, please read the ICO’s guide.
Only some organisations need to appoint a Data Protection Officer (DPO) but all organisations need to designate someone to be responsible for complying with the GDPR. For more information see task 1 of the 6 step action plan above.
The Article 29 Working Party (sometimes referred to as WP29) is an independent advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.
The Working Party publishes guidance on various data protection topics and advises the EU Commission on the adequacy of data protection standards in non-EU countries.
In the same way that there is no system to demonstrate compliance under the Data Protection Act, there will be no system under the GDPR.
However, there will be a voluntary system of certification (see Article 42 and the ICO’s website) which will enable data controllers and data processors to demonstrate their compliance and will help brands to build and maintain trust in how they control and process personal data.
Yes. GDPR applies to everyone who collects and/or processes personal data i.e. any information that relates to and identifies a natural living person.
Yes. If you collect and/or process personal data i.e. any information that relates to and identifies a natural living person then, even if it is already in the public domain, GDPR applies to you, unless you are an individual using that data for personal or household activities
They are both tools which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
Privacy impact assessments (PIAs) have been part of the privacy and data protection landscape since the early years of the Data Protection Act (DPA). PIAs facilitated best practice, but were not a legal requirement under the DPA.
Data protection impact assessments (DPIAs) were introduced in the GDPR. Unlike PIAs, DPIAs are a requirement under GDPR, but only when you introduce a new technology and the processing is likely to result in a high risk to the rights and freedoms of individuals.
Even though DPIAs are not always required, you may wish to use them as a tool in privacy by design approaches and as a way to demonstrate compliance. In addition, they help to spread awareness of privacy throughout your organisation.
For further information about DPIAs, visit the ICO website.
Pseudonymisation means semi-anonymising personal data. It is a process whereby the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field.
The process of pseudonymisation makes the data neither anonymous nor directly identifying. This helps to significantly reduce the risks associated with data processing, whilst maintaining the usefulness of the data.
Data that has undergone pseudonymisation (see Article 4 (5)) is only classed as personal data if, together with easily accessible other data, it can be attributed to a natural person.
Completely anonymised data is outside the scope of the GDPR.
Yes. Unless your lawful basis for processing personal data is legitimate interest, then consent is required.
The ICO recommends that all marketing campaigns are permission-based. This is because other rules also apply to direct marketing e.g. the Privacy and Electronic Communication Regulations 2003 (PECR).
Under GDPR, permission-based marketing involves explaining clearly what a person’s details will be used for (via notification) and providing a simple way for them to opt out. You also need a policy and procedure in place (which all staff are aware of) for dealing with complaints.
For more detailed information check the ICO’s Direct Marketing Checklist and read their Direct Marketing Guidance. Also, you should be aware that there are specific rules in relation to marketing to children (see Step 2 above about privacy notices and gaining consent). The ICO’s website also provides further guidance about Children and the GDPR.
Marketers use lookalike audiences as a way of identifying and attracting new people who are likely to be interested in their organisation, product or service because they are similar to their existing website visitors, prospects or customers in terms of shared interests. Building lookalike audiences relies on profiling which, under GDPR, requires explicit consent.
There are in fact two types of consent involved when marketing to lookalike audiences: (i) you need to obtain explicit consent from your existing audience to use their data for profiling purposes and (ii) the data controller of the advertising network that you are going to use, needs (in theory) to gain explicit consent from its audience to display your advert.
Whilst, in theory, explicit consent is required, in practice the ICO may take a less stringent approach subject to responsible practices being in place. We will have to wait and see.
To keep up to date with the latest announcements and guidance from the ICO visit their What’s New page of their website.
No specific minimum or maximum periods for retaining personal data have been set out. However, personal data can only be kept for as long as is necessary for the purpose or purposes for which is was collected.
When deciding how long and what constitutes ‘necessary’ you should consider:
- what the information is used for and whether there are any legal or regulatory requirements or industry codes of practice that require you to keep the information;
- what value the information has now and may have in the future;
- the costs, risks and liabilities associated with retaining the information; and
- the ease or difficulty of making sure it remains accurate and up to date.
Lastly, the HR Solutions guide provides details of the authorities that cover the processing of personal data for particular purposes. This will help you to determine and justify your personal data retention periods.
To achieve and maintain GDPR compliance, you need to adhere to the principles of GDPR and follow best practices. The resources below will help you to do this:
- The ICO website for organisations
- Guide to GDPR
- 12 steps to take now
- The new Data Protection Bill
- GDPR guidelines for small businesses
- Download the data audit template for data controllers
- Download a template for recording your PIA process and results
- PECR (Privacy and Electronic Communication Regulations 2003)
- A practical guide to IT security for small businesses
- GDPR guidelines for marketers
- Direct Marketing Checklist
- Direct Marketing Guidance
- Children and the GDPR
- Examples of good and bad privacy notices
- Keeping up to date – What’s New
If you found this useful, please share.