
How To Comply With GDPR


The General Data Protection Regulation (GDPR) has changed the way that organisations need to handle their customers’ personal information. But many organisations still aren’t sure exactly what is expected of them, or what the consequences are if they get it wrong.

This article explains everything you need to know about GDPR, as well as some advice on how to make sure your organisation remains compliant with the new legislation.

What Is GDPR?

GDPR (the General Data Protection Regulation) is a new set of laws that places new rules and obligations on organisations when it comes to the use of people’s personal data. It came into force in 2018 and is enforced in the UK by the Data Protection Act 2018.

GDPR applies to everyone who processes the data of people in the EU; even organisations outside of the EU need to comply with GDPR if they have customers within the EU.

GDPR and Fines

GDPR granted the Information Commissioner’s Office (ICO) the power to impose significant fines on organisations that breach the new data protection legislation. The ICO can impose two tiers of fine on organisations that have failed to comply with GDPR:

  • up to €10 million, or 2% of annual global turnover, whichever is greater
  • up to €20 million, or 4% of annual global turnover, whichever is greater.

Although the ICO has yet to impose the maximum fine permitted, they have issued significant fines on organisations found to have committed serious breaches.

British Airways was fined £183.39 million after its website fell victim to malicious code injection and compromised the personal information of 500,000 customers.

Marriott International faced a fine of £99 million after systems used by a chain of hotels it had purchased were found to be insecure, compromising the personal information of 339 million guests.

And, on a smaller scale, Brighton and Sussex University Hospitals NHS Foundation Trust was fined £325,000 after a contractor sold on eBay some old hard drives which contained sensitive patient information, rather than destroying them.

How To Comply With GDPR

There are 7 key steps you need to follow in order to comply with GDPR.

1. Appoint a Data Protection Officer (if you need one)

The first thing you need to do is to consider whether you need a Data Protection Officer. Either way, you will need to appoint someone to implement GDPR within your organisation. This is someone who will have overall responsibility for how data is processed within your organisation and will be responsible for ensuring all of your staff are following both legislation and internal processes and policies.

2. Review GDPR

Your GDPR implementor should familiarise themselves with GDPR. This might seem daunting, but it’s important to understand how GDPR will impact your operations. While we have plenty of experience with GDPR and with data protection in general, you will have a much better understanding of the unique nature of your organisation and how GDPR will affect it.

3. Information audit

Your GDPR implementor should then do a thorough audit of the information you currently hold. You will need to establish:

  • What data you collect
  • Why you collect the data
  • How you collect data
  • How it is used
  • Where it is stored
  • Who has access to it
  • How it is protected
  • How long you store it.

You will need this in order to ensure that your collection methods are compliant, that you are not using it in ways your customers would not expect, and that you are not storing data you do not reasonably need.

4. Determine your lawful basis for processing data

The ICO has outlined six lawful bases for processing most customer data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

There are separate legal bases for processing ‘special category’ data (data that includes ethnicity, religion, sexual orientation, genetic, biometric and health data) and criminal offence data.

Not all six will necessarily apply to you; depending on the nature of your organisation, it is likely you will only be concerned with consent, contract, legal obligation, and legitimate interests.

‘Consent’ describes a scenario where you have explicitly requested and been granted permission from the customer to use their data in a certain way.

‘Contract’ describes where you must process customer data in a certain way to fulfil your obligations under a contract you hold with the customer.

‘Legal obligation’ describes a requirement placed upon you to process customer data in a certain way in order to comply with a law or regulation.

‘Legitimate interests’ describes your use of customer data in a way your customer would expect, in order to meet the needs of either yourself or a third party, as long as it does not intrude on your customer’s privacy and provided the same outcome could not be achieved another way.

Legitimate interest is the most flexible basis for data processing but it also places more requirements upon you, as you need to demonstrate the legitimate interest for each use of the data and prove that it is reasonable.

Your GDPR implementor can assess the fine details of the lawful bases and determine which ones will best protect your organisation while also minimising the impact on its operations.

Depending on which legal bases you determine are appropriate for your organisation, you may need to update your data collection processes. For instance, you may need to ensure the email collection forms on your website have clear opt-ins.

5. Implement processes

You need to ensure that you have the required processes in place. For instance, GDPR grants certain rights to your customers, including:

  • The right to be informed – you must provide people with information about your processing of their data, usually in the form of privacy notices
  • The right of access – customers have a right to see what data you are holding that relates to them
  • The right to rectification – you must correct a customer’s data where it is incorrect
  • The right to erasure – customers have a right to request that you delete any information you are storing that relates to them
  • The right to restrict processing – customers have a right to ask that you only process their data in certain ways
  • The right to data portability – customer data must be made available to be transferred to other data processors
  • The right to object – customers can request that you stop processing their data entirely
  • Rights in relation to automated decision-making and profiling – customers can request that their data is not used by these kinds of automated systems

GDPR requires you to respond to requests under these rights within certain timeframes, so you need to have these processes in place before you receive a request.

Another key process you will need to implement is data breach notification: if a breach occurs, you may have to notify the ICO within 72 hours, and in certain circumstances you will also have to notify any customers affected by the breach.

6. Establish documentation

You should keep extensive records of your data processing, including ongoing records of the purposes behind your data processing; who you’ve shared data with, why and how; and what data you have kept and for how long.

The ICO can ask for these records at any time, so it’s important to keep them up-to-date.
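As an added example (not code from Amtivo, the ICO or this article), the following Python sketch models the register that steps 3, 4 and 6 describe: one record per processing activity carrying the information-audit questions, a lawful basis and a retention period, plus checks that flag the gaps an auditor would look for. The field names, the constructed sample records and the fictional organisation are assumptions; the checks encode only what the article states (the six lawful bases, a separate condition for special category data, a documented justification when relying on legitimate interests, a defined retention period, and the 72-hour ICO notification window from step 5).

```python
# Added example (not from the article): a small record-of-processing register
# with the checks steps 3, 4 and 6 describe. Field names are assumptions.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# The six lawful bases listed in step 4.
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}

BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)  # ICO deadline from step 5


@dataclass
class ProcessingRecord:
    """One line of the register: the questions from the information audit (step 3)."""
    name: str
    data_items: List[str]          # what data you collect
    purpose: str                   # why you collect it
    collected_via: str             # how you collect it
    used_for: str                  # how it is used
    stored_in: str                 # where it is stored
    accessed_by: List[str]         # who has access to it
    protection: str                # how it is protected
    retention_days: int            # how long you store it
    lawful_basis: str              # step 4
    special_category: bool = False
    special_category_condition: Optional[str] = None
    legitimate_interests_assessment: Optional[str] = None
    shared_with: List[str] = field(default_factory=list)  # step 6: who you share with


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return the gaps an auditor would flag for one register entry."""
    findings = []
    if rec.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{rec.name}: unknown lawful basis '{rec.lawful_basis}'")
    if rec.lawful_basis == "legitimate interests" and not rec.legitimate_interests_assessment:
        findings.append(f"{rec.name}: legitimate interests relied on without a documented assessment")
    if rec.special_category and not rec.special_category_condition:
        findings.append(f"{rec.name}: special category data needs a separate condition")
    if rec.retention_days <= 0:
        findings.append(f"{rec.name}: no retention period defined")
    if not rec.purpose:
        findings.append(f"{rec.name}: no purpose recorded")
    if not rec.accessed_by:
        findings.append(f"{rec.name}: nobody recorded as having access")
    return findings


def audit(register: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Map each record name to its findings, keeping only records with gaps."""
    results = {rec.name: check_record(rec) for rec in register}
    return {name: f for name, f in results.items() if f}


def overdue_for_deletion(rec: ProcessingRecord, collected_on: Dict[str, str], today: str) -> List[str]:
    """Subject ids whose data has outlived the retention period (ISO dates, YYYY-MM-DD)."""
    cutoff = date.fromisoformat(today) - timedelta(days=rec.retention_days)
    return sorted(sid for sid, when in collected_on.items() if date.fromisoformat(when) < cutoff)


def notification_overdue(discovered_at: str, now: str) -> bool:
    """True once more than 72 hours have passed since the breach was discovered (ISO datetimes)."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(discovered_at) > BREACH_NOTIFICATION_WINDOW


# Constructed sample register for a fictional organisation.
REGISTER = [
    ProcessingRecord(
        name="newsletter", data_items=["email"], purpose="send product news",
        collected_via="website opt-in form", used_for="marketing email",
        stored_in="mailing-list service", accessed_by=["marketing"],
        protection="access control and MFA on the service", retention_days=730,
        lawful_basis="consent",
    ),
    ProcessingRecord(
        name="wellbeing-survey", data_items=["name", "health conditions"],
        purpose="plan workplace adjustments", collected_via="HR survey",
        used_for="adjustment planning", stored_in="HR file share", accessed_by=["hr"],
        protection="encrypted drive", retention_days=0,
        lawful_basis="legitimate interests", special_category=True,
    ),
]

if __name__ == "__main__":
    for name, findings in audit(REGISTER).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the block lists only the `wellbeing-survey` record, with three gaps: it relies on legitimate interests without an assessment, it holds special category data without a separate condition, and it has no retention period. The `overdue_for_deletion` helper supports the audit point that you should not keep data you no longer need, and `notification_overdue` is the 72-hour check from step 5 written against the same register.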

7. Implement training and policies

One of the requirements of GDPR is that everyone is aware of their data protection responsibilities.

Providing your staff with data protection training ensures that they know exactly how to process the data they work with, as well as how to protect it. This can include security best practices, such as securing electronic devices with strong passwords, encrypting digital media, or ensuring that hard copies of data (such as printouts) are securely stored. It can also include what they need to do if they receive a request related to a customer’s rights under GDPR.

Data protection policies act as a resource that staff can refer to when they are not being trained. If there is no one readily available to help them resolve a data protection issue, a policy can give them the guidelines they need to ensure the data remains safe. It also means they have access to up-to-date guidance at all times, and that their responsibilities are clear and easy to understand.

Your customers will also need easy access to a privacy policy that makes it clear how their information is being used, which lawful bases you are using to process their information, and how they can exercise their rights under GDPR.

More To Be Done

The steps outlined above will help you to ensure that you are compliant with the data protection legislation.

But a word of warning: because your organisation is unique, we cannot guarantee that these steps are all you need to do. That’s why it’s so important that your DPO is fully aware of the details of GDPR!

If your GDPR implementor wants to learn more about the details of GDPR, I can recommend that they take our online data protection e-learning course. This goes into more detail than this article can, and can help you ensure that you are fully compliant with the legislation.
