One of the most frequently asked questions, particularly from small companies, is “Do I need to appoint a DPO?”

A DPO is a Data Protection Officer. Some organisations are required to appoint one: (a) public authorities, (b) organisations that engage in large-scale, systematic monitoring, or (c) organisations that engage in large-scale processing of sensitive personal data (Art. 37). If your organisation does not fall into one of these categories, then you do not need to appoint a DPO.

The Data Protection Act 2018 is effectively GDPR.

The EU GDPR is a region-wide law, and all organisations that handle data on EU citizens are compelled to comply or face harsh financial penalties. To ensure that British organisations can continue to trade and share data with EU counterparts post-Brexit, the Government moved to absorb the GDPR into UK law: the existing Data Protection Act 1998 was repealed and replaced with the Data Protection Act 2018.

Understand how your organisation manages and processes personal data

Instead of overwhelming your organisation with unmanageable strategies, break your GDPR work down into simple, easy-to-understand and manageable components, and put in place a strategy that meets your business's data processing requirements.

The GDPR states that implementation should be “appropriate” and “proportionate”.

Nominate a suitable team member to work with you to oversee and govern your GDPR strategy (consider whether your organisation requires a data protection officer). 

The first step should be formulating comprehensive internal data processing policies and procedures in a clear and accessible document, covering vital issues such as:

  • Regular staff training and awareness
  • Management of data sharing and transfers
  • Third party supplier contracts
  • Regular data risk assessments
  • Regular data security analysis
  • Data access management
  • Data breach detection and prevention
  • Notifications to the relevant regulatory authority

If you do not know what personal data you hold and where it came from, you will need an audit to find out.

This involves reviewing all personal data held, including that of staff members, customers, clients, third party suppliers, etc.

As you work through the list, document your findings, as this will give you a good understanding of where there may be risks involving personal data. Additionally, this exercise will help you produce a record of processing activities for the future.

Create a “to do” list, as this will help to set out what needs to be done. Include in your “to do” list actions such as increasing your understanding of different types of data, such as “sensitive personal data”.

Consider the following:

Do you keep hard copy documents securely, and do these go back many years? Remember, the GDPR applies to both electronic and hard copy documents.

Understand if you have a lawful basis for collecting and using personal data

Consider creating a Data Privacy Impact Assessment (DPIA). These are mandatory in certain situations and should be undertaken if you are considering new technologies, for example CCTV, or where you are processing high risk data.

Create a register of processing as an overall record, for when individuals ask for detailed information about what you hold about them and how you use it.

The main risk comes from disgruntled individuals

The UK and each EU Member State have a Supervisory Authority. In the UK, the Supervisory Authority is the Information Commissioner’s Office (ICO). Supervisory Authorities are able to perform spot checks and request compliance evidence: for example, they may attend your offices, ask to see your policies and procedures, and perform physical checks to see what data is on display.

An individual whose personal data is managed by an organisation has the right to lodge a complaint with the Supervisory Authority. This includes customers, students, employees, contacts, suppliers, consultants, external experts, etc.: every individual whose data is on your records is a potential source of complaint. Depending on the severity and nature of the complaint, the Supervisory Authority will launch an investigation.

If your budget is limited, there are affordable options we can help you with

We have a number of practical solutions on offer, with GDPR compliance toolkits to meet every budget, from off-the-shelf templates with detailed implementation instructions through to bespoke onsite delivery solutions.

Our off-the-shelf service includes:

  • Tailored assessment and training programmes
  • Implementation templates and tool kits with easy to follow instructions

Whichever you choose will help you to establish regulatory compliance, a fully operational strategy and all the necessary regulatory documentation.

For complete GDPR peace of mind, contact us for more information and to set up a meeting.

GDPR is a data protection regulation in force from May 25, 2018

The GDPR is a European Union data protection regulation that protects the fundamental rights and freedoms of natural persons in the EU.  It is focused on the right to the protection and privacy of personal data. Rather than a hindrance, the GDPR should be considered as a value-adding product that demonstrates your organisation’s respect for privacy and personal data. Being GDPR compliant presents significant competitive advantage opportunities as it shows customers and stakeholders that your organisation respects the right to privacy and that data is safe in your hands.

GDPR sets out six lawful bases for processing data, and at least one will apply in all cases of data processing

A recent update in the Regulation is that your Privacy Notice has to set out the lawful basis you rely upon for processing data. This can be one or more of those listed below.

The lawful bases include:

  • Explicit consent (except for special categories of personal data such as “sensitive data”)
  • Compliance with a legal obligation
  • Contractual necessity (e.g. with external contractors)
  • To protect the “vital interests” of the data subject
  • Public interest or exercise of authority vested in the data controller
  • For the purposes of “legitimate interests” (these interests must be balanced against those of the data subject)

Your record-keeping will prove essential in determining compliance with the GDPR. You should be able to demonstrate that you have conducted a full legitimate interest assessment (LIA) in order to satisfy the ICO.

Personal Data is any information (Data) relating to an identified or identifiable natural person (“Data Subject”)

Even de-identified data, hidden by tools such as encryption or pseudonymisation, remains personal data and falls within the scope of the GDPR, because this data can still be re-identified.

Non-personal data is personal data rendered irreversibly anonymous, in such a way that the individual is no longer identifiable.
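The distinction above between pseudonymised data (still personal data, because someone holding the key or lookup table can re-identify it) and anonymised data (no longer personal data, because re-identification is impossible) is easier to see in code. The following Python example is added here for illustration and is not part of the original page or any product the page describes. It uses a small set of constructed, fictional records and an assumed secret key; the function names are ours.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people) for the demonstration.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "postcode": "AB1 2CD", "age": 34},
    {"email": "bob@example.org", "postcode": "AB1 2CD", "age": 37},
    {"email": "carol@example.org", "postcode": "EF3 4GH", "age": 29},
    {"email": "dan@example.org", "postcode": "EF3 4GH", "age": 52},
]


def pseudonymise(records, key):
    """Replace the direct identifier (email) with a keyed token.

    Anyone holding `key` can recompute the token from an email address, and the
    lookup table built here maps tokens straight back to people. That is the
    "additional information" that makes the output still personal data.
    Returns (pseudonymised_rows, reidentification_table).
    """
    table = {}
    rows = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = r["email"]
        rows.append({"subject_id": token, "postcode": r["postcode"], "age": r["age"]})
    return rows, table


def reidentify(pseudonymised_rows, table):
    """Undo pseudonymisation using the separately held lookup table."""
    return [dict(row, email=table[row["subject_id"]]) for row in pseudonymised_rows]


def anonymise(records, min_group=2):
    """Aggregate to counts per (postcode, ten-year age band), dropping the
    identifier entirely and suppressing any group smaller than `min_group`.

    No key or table exists that maps a count back to an individual, so the
    result is no longer personal data in the sense used on this page.
    """
    groups = Counter()
    for r in records:
        low = (r["age"] // 10) * 10
        groups[(r["postcode"], f"{low}-{low + 9}")] += 1
    return {k: v for k, v in groups.items() if v >= min_group}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a secret held by the controller
    rows, table = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised:", rows)
    print("re-identified:", reidentify(rows, table))
    print("anonymised:", anonymise(SAMPLE_RECORDS))
```

Running the script shows that the pseudonymised rows contain no email addresses yet can be fully restored from the lookup table, whereas the anonymised output keeps only a count for the one (postcode, age band) group that has two or more people; the other groups are suppressed because a group of one would itself identify someone.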

Some examples of personal data include:

  • names and surnames
  • home addresses
  • email addresses
  • location data
  • Internet Protocol (IP) addresses
  • cookie IDs

Processing literally means anything carried out on personal data, including collecting, storing or deleting such data.

To be more precise, it is any operation or set of operations performed on personal data or on sets of personal data, particularly:

  • Collection
  • Recording
  • Organisation
  • Structuring
  • Storage
  • Adaptation
  • Alteration
  • Retrieval
  • Consultation
  • Disclosure
  • Transmission
  • Dissemination
  • Otherwise making available
  • Alignment
  • Restriction, erasure or destruction

GDPR Recital 51: “Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.”

Under the GDPR any information regarding health, race or ethnic origin, sexual orientation, religious or political beliefs, genetic and biometric data are among a special category of data classified as sensitive personal data and given a higher level of protection.

It is important to clearly define, in your data analysis exercise, the type of data processed, and to fully understand the steps required to ensure protection and compliance if you are processing this type of data.

The lawful processing of sensitive personal data is permitted only in accordance with Article 9 of the Regulation. The permitted conditions include, but are not limited to, the following:

  • Explicit consent
  • Processing is necessary for the purposes of carrying out certain obligations, such as employment or social security
  • Processing is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
  • Processing is carried out in the course of legitimate activities
  • Processing is necessary for the establishment, exercise or defence of legal claims
  • Processing is necessary in furtherance of a substantial public interest
  • Processing is necessary to protect the public interest

Data Controllers are individuals or organisations that collect personal data. A Data Processor is a separate body hired or assigned to process personal data on behalf of the controller.

Data controllers determine why and how personal data is processed and carry the primary responsibility for protecting the rights of the data subject.

Data processors are (according to the GDPR) “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

Data controllers are able to process personal data themselves, although there may be situations where they would prefer to use an external service, i.e. data processors, to process the data further.

Contact us for more advice and GDPR resources

There are a number of factors to take into consideration, mainly regarding the processing itself.

You will need to consider the purpose and nature of the processing, the type of data processed and the handling of the data including storing and sharing. 

What is important is that there is demonstrable effort to protect the rights and freedoms of the individuals whose data you are processing. The GDPR states that the data controller has to demonstrate that the processing is in accordance with the Regulation, and that policies and procedures are regularly reviewed and updated.

At a minimum, you should aim for:

  • A fully documented understanding of the data processing that takes place
  • Internal policies and procedures to demonstrate data management and control
  • A commitment to maintain high standards with regards to data protection procedures
  • A policy to protect yourself when sharing data, i.e. third party contracts and compliance agreements. Any third party agreement has to identify compliance, accountability, responsibility and liability
  • A designated individual or team to oversee ongoing data protection measures and to interact with the supervisory authority whenever necessary
  • Training and awareness programmes across the organisation

Compliance with GDPR is good for business!

In addition, it is a European regulation that is legally enforceable across the globe.

The GDPR applies to any business actively processing personal data in the UK and the EEA regardless of where in the world the processing takes place.

GDPR compliance will enhance your image and trustworthiness

Be assured that your competitors will be taking action to implement the GDPR. If you choose not to, they will have a clear advantage over you: they are sending a clear message to their customers and suppliers that they are taking great care of personal data.

By complying with the GDPR you too can demonstrate that your organisation respects the rights and privacy of individuals by being careful with personal data and in turn gain the trust of customers and suppliers.

Avoid the financial and reputational consequences:

Financial penalties can exceed €20 million (£17 million in the UK). Other punishments include sanctions, and individuals may claim compensation for damages.

These penalties and other actions will be public knowledge and damaging to the reputation of an organisation.

Under GDPR, website owners are obligated to disclose information they collect about their visitors and explain how this information is used.

A privacy policy page is a GDPR statement from your organisation, disclosing the information you collect on your website through cookies, registration forms, comments and subscription forms.

  • If you enable commenting on your website then you are collecting personal data
  • If you use Google Analytics on your website to track visitor interactions, you are likely collecting personal data such as IP addresses, user IDs, and cookies for behaviour profiling.
  • If you use contact forms and store entries or use data for marketing purposes you should obtain explicit consent from users to do so.
  • If you serve advertisements through third party websites such as Google AdSense, then you are most likely sharing user behavioural information with advertising partners.

A privacy policy statement discloses how you use this information, e.g. sharing data with advertising partners. 

The GDPR requires website owners to be completely transparent about how they collect, store, manage and share personal data of EU individuals regardless of where the business is situated.

If your business is not compliant with this GDPR requirement, you face hefty financial penalties of up to 4% of the company’s annual global revenue or €20 million (whichever is greater).

You need a privacy policy page on your website to protect your business from non-compliance legal claims.  A Privacy Policy will allow you to stay on the safe side of the Regulations as well as gain a good reputation. 

A properly drafted Privacy Policy sends a message that your organisation can be trusted.