One of the most frequently asked questions, particularly from small companies, is “Do I need to appoint a DPO?”
A DPO is a Data Protection Officer. Some organisations are required to appoint a DPO, namely: (a) public authorities, (b) organisations that engage in large-scale, systematic monitoring, or (c) organisations that engage in large-scale processing of sensitive personal data (Art. 37). If your organisation does not fall into one of these categories, then you do not need to appoint a DPO.
The Data Protection Act 2018 is effectively GDPR.
The EU GDPR is a region-wide law, and all organisations that handle data on EU citizens are compelled to comply or face harsh financial penalties. To ensure that British organisations can continue to trade and share data with EU counterparts post-Brexit, the Government moved to absorb the GDPR into UK law. The existing Data Protection Act 1998 was repealed and replaced with the Data Protection Act 2018.
Understand how your organisation manages and processes personal data
Instead of overwhelming your organisation with unmanageable strategies, break your GDPR compliance work down into simple, easy-to-understand, manageable components and put in place a strategy that meets your business's data processing requirements.
The GDPR states that implementation should be “appropriate” and “proportionate”.
Nominate a suitable team member to work with you to oversee and govern your GDPR strategy (consider whether your organisation requires a data protection officer).
The first step should be formulating comprehensive internal data processing policies and procedures in a clear and accessible document, covering vital issues such as:
Notifications to the relevant regulatory authority
If you do not know what personal data you hold and where it came from, you will need an audit to find out.
This involves reviewing all personal data held, including that of staff members, customers, clients, third-party suppliers, etc.
As you work through the list, document your findings: this will give you a good understanding of where there may be risks involving personal data. Additionally, this exercise will help you produce a record of processing activities for the future.
Create a “to do” list, as this will help to set out what needs to be done. Include in your “to do” list actions such as increasing your understanding of different types of data, such as “sensitive personal data”.
Consider the following:
Do you keep hard-copy documents securely, and do these go back many years? Remember, personal data includes both electronic and hard-copy documents.
Understand if you have a lawful basis for collecting and using personal data
Consider creating a Data Privacy Impact Assessment (DPIA). These are mandatory in certain situations and should be undertaken if you are considering new technologies, such as CCTV, or where you are processing high-risk data.
Create a register of processing as an overall record for when individuals ask for detailed information about what you hold about them and how you use it.
The main risk comes from disgruntled individuals
The UK and each EU Member State have a Supervisory Authority. In the UK, the Supervisory Authority is the Information Commissioner’s Office (ICO). Supervisory Authorities are able to perform spot checks and request compliance evidence; for example, they will attend your offices, ask to see your policies and procedures, and perform physical checks to see what data is on display, etc.
An individual whose personal data is managed by an organisation (e.g. customers, students, employees, contacts, suppliers, consultants, external experts, etc.) has the right to lodge a complaint with the Supervisory Authority. Every individual whose data is on your records is a potential source of complaint. Depending on the severity and nature of the complaint, the Supervisory Authority will launch an investigation.
If your budget is limited, there are affordable options we can help you with
We have a number of practical solutions on offer, with GDPR compliance toolkits to meet every budget, from off-the-shelf templates with detailed implementation instructions through to bespoke on-site delivery solutions.
Our off-the-shelf service includes:
Whichever you choose will help you to establish regulatory compliance, a fully operational strategy and all the necessary regulatory documentation.
For complete GDPR peace of mind, contact us for more information and to set up a meeting.
GDPR is a data protection regulation in force from May 25, 2018
The GDPR is a European Union data protection regulation that protects the fundamental rights and freedoms of natural persons in the EU. It is focused on the right to the protection and privacy of personal data. Rather than a hindrance, the GDPR should be considered as a value-adding product that demonstrates your organisation’s respect for privacy and personal data. Being GDPR compliant presents significant competitive advantage opportunities as it shows customers and stakeholders that your organisation respects the right to privacy and that data is safe in your hands.
The GDPR sets out six lawful bases for processing data, and at least one will apply in every case of data processing.
A recent update in the Regulation is that your Privacy Notice has to set out the lawful basis you rely upon for processing data. This can be one or more of those listed below.
Common lawful bases include:
Your record-keeping will prove essential in demonstrating compliance with the GDPR. You should be able to show that you have conducted a full legitimate interest assessment (LIA) in order to satisfy the ICO.
Personal data is any information (data) relating to an identified or identifiable natural person (“data subject”).
Even de-identified data, hidden by tools such as encryption or pseudonymisation, remains personal data and falls within the scope of the GDPR, because this data can still be re-identified.
Non-personal data is personal data that has been rendered irreversibly anonymous, in such a way that the individual is no longer identifiable.
Some examples of personal data include:
Processing means anything carried out on personal data, including collecting, storing or deleting such data.
More precisely, it is any operation or set of operations performed on personal data or on sets of personal data. In particular:
Restriction, erasure or destruction
GDPR Recital 51: “Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.”
Under the GDPR, any information regarding health, race or ethnic origin, sexual orientation, religious or political beliefs, and genetic and biometric data falls within a special category of data classified as sensitive personal data and given a higher level of protection.
It is important to clearly define, in your data analysis exercise, the type of data processed, and to fully understand the steps required to ensure protection and compliance if you are processing this type of data.
The lawful processing of sensitive personal data is permitted only in accordance with Article 9 of the Regulation; the permitted conditions include, but are not limited to, the following:
Processing is necessary to protect the public interest
Data controllers are individuals or organisations that collect personal data. A data processor is a separate body hired or assigned to process personal data on behalf of the controller.
Data controllers determine why and how personal data is processed and carry the primary responsibility for protecting the rights of the data subject.
Data processors are (according to the GDPR) “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Data controllers are able to process personal data themselves, although there may be situations where they would prefer to use an external service, i.e. data processors, to process the data further.
Contact us for more advice and GDPR resources
There are a number of factors to take into consideration, mainly regarding the processing itself.
You will need to consider the purpose and nature of the processing, the type of data processed and the handling of the data including storing and sharing.
What is important is that there is demonstrable effort in protecting the rights and freedoms of the individual whose data you are processing. The GDPR states that the data controller has to demonstrate that the processing is in accordance with the Regulation and that policies and procedures are regularly reviewed and updated.
At the very least, however, you should aim for:
Compliance with GDPR is good for business!
In addition, it is a European regulation that is legally enforceable across the globe.
The GDPR applies to any business actively processing personal data in the UK and the EEA regardless of where in the world the processing takes place.
GDPR compliance will enhance your image and trustworthiness
Be assured that your competitors will be taking action to implement the GDPR. If you choose not to, they will have a clear advantage over you: they are sending a message to their customers and suppliers that they are taking great care of personal data.
By complying with the GDPR you too can demonstrate that your organisation respects the rights and privacy of individuals by being careful with personal data and in turn gain the trust of customers and suppliers.
Avoid the financial and reputational consequences:
Financial penalties can exceed €20 million (£17 million in the UK). Other punishments include sanctions, and individuals may claim compensation for damages.
These penalties and other actions will be public domain knowledge and be damaging to the reputation of an organisation.
Under the GDPR, website owners are obliged to disclose what information they collect about their visitors and to explain how this information is used.
The GDPR requires website owners to be completely transparent about how they collect, store, manage and share personal data of EU individuals regardless of where the business is situated.
If your business is not compliant with this GDPR requirement, you face hefty financial penalties of up to 4% of the company’s annual global revenue OR €20 million (whichever is greater).