This guidance note has been produced to provide you with advice on the main changes GDPR will bring when it comes into force on 25th May 2018.
On 25th May 2018, the new General Data Protection Regulation (GDPR) comes into force and replaces the current Data Protection Act (DPA). While many of the GDPR principles are similar to those of the DPA, there are some new elements that you will need to understand and implement within your business.
These new regulations will apply to anyone who runs a business, as all businesses deal with personal data in one form or another. Many FSA members run their own businesses and may not yet have considered the need for GDPR compliance. We hope that this document helps. The FSA cannot offer any individual advice to members and we recommend that, for further information on GDPR, you visit www.ico.org.uk
Where do I start?
As a business owner, it is your duty to ensure that all data is kept secure and managed correctly in compliance with GDPR, irrespective of what format it is kept in.
You will need to work out who is going to be dealing with what. Under GDPR the Data Controller and Data Processor roles are taken by organisations (or sole traders), not by individual members of staff: your business is the Data Controller for the personal data it decides to collect and use, and any outside service that handles that data on your instructions (a mailing-list provider, a payroll bureau, a cloud storage service) is a Data Processor. If you are a sole trader you will be the controller and will usually do all of the processing yourself as well; in a larger organisation you should still name one person who is responsible for data protection and allocate the day-to-day tasks to your staff/volunteers.
What is a Data Controller?
The Data Controller determines the purposes and means of processing: what personal data is collected, why, how it is used and how long it is kept. A controller may well do the processing itself; the role is about who decides, not who does the work. The controller is responsible for ensuring that any outside processors also comply with the regulation (a written contract with each processor is required) and must report notifiable data breaches to the ICO.
What is a Data Processor?
Anyone who processes personal data on behalf of, and on the documented instructions of, the Data Controller. This is normally a third party such as a mailing-list service, an accountant or a cloud storage provider; your own employees act under your authority as controller rather than as separate processors. The processor must follow the contract set out by the Data Controller, keep the data confidential, protect it with appropriate technical and organisational measures, and be able to provide documentation to prove its compliance.
What is personal data?
Personal data is any information relating to a living individual who can be identified from that data, either from the information alone or in conjunction with any other information in the data controller’s possession or likely to come into its possession. This includes obvious identifiers such as names, addresses, phone numbers and email addresses, but also photographs, online identifiers and location data. The processing of all personal data is governed by the General Data Protection Regulation (the ‘GDPR’).
What does this mean for me?
Under the new GDPR legislation, people will have the right to know what personal information you’re storing about them and what you might do with that data.
Where you rely on consent, the GDPR requires that consent is freely given, specific, informed and unambiguous. This means you need to be completely upfront and honest with people about what you plan to do with their data, who will have access to it and how long it is going to be kept for. You must also allow them to withdraw their consent as and when they please, and make it as easy to withdraw as it was to give. Remember, this applies to any data that can be used to identify an individual (phone numbers, addresses, email addresses, names, etc.).
You will need to keep an up-to-date log of where your data came from, how long you have stored it, what consent you hold, and whether that data is also stored in any other location, such as your phone, email address book, hard copy paperwork, etc.
You should keep personal data up to date; store and destroy it securely; avoid collecting or retaining excessive amounts of data; protect personal data from loss, misuse, unauthorised access and disclosure; and ensure that appropriate technical measures are in place to protect it.
Typical purposes for which a small business holds personal data include the following; each one needs a lawful basis and should be stated in your privacy notice: –
• to maintain customer details;
• to maintain financial accounts and records (including the processing of gift aid if relevant);
• to provide news and information about events, activities and products/ services;
• to market and promote your business;
• to manage employees or volunteers;
You must not disclose personal data to a third party unless you have a lawful basis for doing so (normally the explicit consent of the data subject, or a legal obligation) and the subject has been told that this may happen. Passing data to a processor that works only on your instructions under a written contract is not a third-party disclosure in this sense.
One of the principal aims of the GDPR is to make organisations accountable for how they collect, use and process data. You will need to take a risk-based approach and document how your data subjects’ personal data is being used and processed; you will then be able to demonstrate your approach to data protection should the need arise.
Opting in is now the name of the game if you want to add somebody to your mailing list. It is not ok to assume you have permission to send them emails, it is not ok to wait for somebody to opt-out, and it is not ok to have a pre-tick box which people have to untick.
Consent does not last forever: review and refresh it periodically, and present the request to the subject in an easy to understand format, separate from your other terms and conditions.
If you use email marketing or send mass emails then you will need to start gathering your opt-in consent now; do not wait for the deadline.
As well as getting their consent, you also must keep a record of when and how they opted in. With some mass email providers, you receive an email whenever somebody signs up to your email lists; this would be more than adequate, so long as you keep the email securely and it shows clearly what information they signed up for.
Note: One consent from an individual does not mean you can add people to multiple mailing lists, you will have to obtain individual consent for each list they are added to, and they must fully understand what they have agreed to when they opt-in.
You will also need to give your subject the opportunity to withdraw their consent at any time; this could be by using an ‘Unsubscribe’ button, or even just a ‘reply with unsubscribe’ option for example. If somebody does unsubscribe, they must be added to a ‘Do Not Contact’ list, or you could face a hefty fine for non-compliance.
Note: With sales phone calls, check that the person you are calling hasn’t registered with the Telephone Preference Service (TPS). If you make a sales call to somebody who is registered with the TPS, you may receive a fine. You can check to see if a number is on the TPS list by looking here: http://www.tpsonline.org.uk
Subject access rights are still a cornerstone of the GDPR. However, individuals also have new rights under the GDPR, these new rights include:
1. The right to erasure / to be forgotten: The individual can ask for all data you hold on them to be permanently deleted. Please note this right would not apply if you still need to process the information for your usual legal duties and functions.
2. The right to object: If a challenge is made by an individual about you processing their personal data you must stop processing it unless you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of that individual. This right also relates to marketing which you must stop if an individual objects to it.
3. The right to data portability: The data you hold on an individual must be provided, if requested, in a structured, commonly used and machine-readable format, or transmitted directly to another organisation where that is technically feasible. This right only applies where your processing is based on consent or on a contract with the individual and is carried out by automated means; it does not apply to data you still need for your usual legal duties and functions.
4. The right to rectification: All inaccurate data must be amended within one month of notification.
5. The right to restrict processing: If a challenge is made about why processing is taking place, or the accuracy of information held on an individual then you must stop using that data and mark this in some way as not to be used until the challenge has been resolved.
As from 25th May 2018, all requests made by individuals exercising their rights, including subject access requests, must be responded to within one month. This can be extended by a further two months if the request is highly complex or large in volume. It is also worth noting that you are no longer permitted to charge a fee for subject access requests in most cases; a reasonable fee may only be charged where a request is manifestly unfounded or excessive, or for further copies of the same data.
Keep it secure!
A personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of you becoming aware of it; where the risk is high, the affected data subjects must also be informed without undue delay. In order to remain compliant, you must be able to show that you have taken steps to ensure that your data remains secure and stays protected.
There are a number of steps you can take to achieve this:
• Make sure you have good anti-virus / anti-malware software installed on your computers and mobile phone/tablet. But, don’t forget to keep it up to date.
• Ensure you take reasonable steps to implement cybersecurity, this may include encryption (for example setting up encryption on your emails, computer, local hard drive, etc.)
• Create a risk assessment and a plan of action for if the worst should happen.
• Password protect/ encrypt files or folders (e.g. Word documents, PDFs, Zip files, etc.) when sending them via email or sharing them via cloud-based storage and sharing websites. Note that the traditional Zip password (ZipCrypto) is weak and easily broken; use a tool that offers AES encryption, such as 7-Zip’s AES-256 option, the built-in document encryption in Office and Acrobat, or a dedicated encryption tool. Agree the password with your recipient over a different channel (by phone or in person) so that you do not have to send it each time, and never put the password in the same email as the file.
• Use private, password protected client portals when exchanging data with clients.
• Encrypt ALL portable storage devices, such as flash drives, mobile phones, tablets or USB drives. Portable devices are easy to lose, so be careful with them.
• Install all updates on devices and software.
• Remove any personal data that is no longer required, particularly when you are sending information or storing it online.
• Ask yourself, ‘does this need to be printed out?’ And ensure all personal data is shredded or disposed of securely when no longer required.
• Be careful where you access your data, for example, who is looking over your shoulder, who is listening in to your phone call?
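As an added example (it is not part of the original guidance note), the following shell script shows the file-encryption step from the list above using the openssl command-line tool, which is assumed to be installed. The file name, its contents and the passphrase are constructed for the demonstration; the functions encrypt a file under a passphrase, restore it with the right passphrase, and confirm that a wrong passphrase does not recover the data.

```shell
#!/bin/sh
# Added example, not from the original guidance note.
# Encrypts a file with a shared passphrase before it is emailed or uploaded
# to a file-sharing site, and shows that only the right passphrase recovers it.
# Assumes the openssl command-line tool (1.1.1 or later) is installed.
set -eu

# encrypt_file IN OUT PASSPHRASE
# AES-256 with a key derived from the passphrase by PBKDF2 (200,000
# iterations) and a random salt, so the same passphrase never produces the
# same key twice. The passphrase is fed on stdin rather than on the command
# line, where other users of the machine could read it in the process list.
encrypt_file() {
    printf '%s\n' "$3" | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass stdin -in "$1" -out "$2"
}

# decrypt_file IN OUT PASSPHRASE
# Exits non-zero (openssl prints "bad decrypt") when the passphrase is wrong.
decrypt_file() {
    printf '%s\n' "$3" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass stdin -in "$1" -out "$2"
}

# Round trip on a constructed client record. Returns 0 only if the
# ciphertext hides the text, the right passphrase restores the file exactly
# and a wrong passphrase does not.
demo() {
    dir=$(mktemp -d)
    printf 'Name: A. Member\nPhone: 01234 567890\n' > "$dir/clients.txt"
    pass='correct-horse-battery-staple'   # agreed by phone, never sent with the file

    encrypt_file "$dir/clients.txt" "$dir/clients.txt.enc" "$pass"
    if grep -q 'A. Member' "$dir/clients.txt.enc"; then
        rm -rf "$dir"; return 1            # plaintext leaked into the ciphertext
    fi

    decrypt_file "$dir/clients.txt.enc" "$dir/restored.txt" "$pass"
    if ! cmp -s "$dir/clients.txt" "$dir/restored.txt"; then
        rm -rf "$dir"; return 1            # round trip did not reproduce the file
    fi

    if decrypt_file "$dir/clients.txt.enc" "$dir/wrong.txt" 'guess' 2>/dev/null \
        && cmp -s "$dir/clients.txt" "$dir/wrong.txt"; then
        rm -rf "$dir"; return 1            # a wrong passphrase recovered the data
    fi

    rm -rf "$dir"
    return 0
}

demo && echo "encrypted, restored, and wrong-passphrase check passed"
```

The .enc file is what you attach or upload; the passphrase travels separately. Encrypting with a passphrase only protects the file in transit and at rest with the provider, so the recipient still needs to store the decrypted copy securely and delete it when it is no longer required.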
Make sure you have the correct procedures in place to detect, investigate and, if required, report a personal data breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then the ICO will generally need to be notified within 72 hours of you becoming aware of the breach, and if there is a high risk the data subjects will usually need to be notified without undue delay. Keep a record of every breach, including those you decide do not need reporting, and the reasons for that decision.
Storing or transferring data outside of the UK
Many businesses now use online cloud-storage and transfer services like Dropbox, WeTransfer, Google Drive, OneDrive, etc. These are convenient but, unfortunately, many of them store or process your data outside of the UK and the European Union.
Personal data may only be transferred outside the EU where an appropriate safeguard is in place: an adequacy decision by the European Commission for the destination country, a US provider that has signed up to the EU-US Privacy Shield, or standard contractual clauses built into the provider’s terms. Check your provider’s terms for which of these applies and for where your data is actually stored; several of the large providers let you choose an EU data region. Whatever the provider offers, it remains your responsibility as controller to draw up a risk assessment demonstrating that you have thought about how secure that data is, and using a provider does not transfer responsibility for a breach away from you. Where practical, keep your data within the EU, which avoids the transfer rules altogether.
Special Category Data
Special category data is personal data which the GDPR says is more sensitive, and therefore needs extra protection.
According to the ICO “In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.”
In other words, you must have a very good reason for processing special category data, and you should document that reason.
Special Category Data is personal data revealing or concerning:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• genetic data;
• biometrics (where used to identify someone);
• health/ medical information;
• sex life or sexual orientation.
– To process Special Category Data you need a separate Article 9 condition as well as your Article 6 lawful basis. For most small businesses this will be the EXPLICIT consent of the subject; other conditions exist (for example obligations under employment law), but check the ICO guidance before relying on one.
– You must give a good reason for collecting and processing Special Category Data, stating what it will be used for.
– If a third party requires it, consent must be sought, and the subject must be told how this will be used.
– How long do you actually need to keep the data for? For example, if somebody is on a course, do you need their medical details after they have attended?
Storing Children’s Data
Much like storing Special Category Data, storing children’s data requires extra protection. The ICO states that:
– You need to have a lawful basis for collecting their data.
– Where you rely on consent and offer an online service directly to a child, a child under the age of 13 cannot give consent for themselves and you must obtain it from whoever holds parental responsibility for the child. Children aged 13 and over can provide their own consent (this is the age set in the current Data Protection Bill; however, it may change). You must take reasonable steps to ensure that the person offering consent does, in fact, hold parental responsibility for that child.
– Clear privacy statements should be written about how you will handle a child’s data, written in simple terms that they can understand. This should cover what will happen to their data and what rights they have over it.
– Children should also have the right to access their own personal data, request updates and ask for it to be deleted.
Always ensure that suitable, child appropriate, measures are in place to safeguard the child’s rights, freedoms and legitimate interests.
What happens if I don’t comply?
GDPR applies to you! It is no good trying to stick your head in the sand and hope it will go away. Under the DPA, fines were in practice issued for serious security breaches, but under the new GDPR legislation fines can be issued to any organisation that cannot demonstrate compliance with any of the principles, including the duty to keep records.
The fines are being changed too! If found to be non-compliant, you could face a fine of up to €20 million or 4% of your annual worldwide turnover, whichever is higher.
WHAT CAN I DO TO PREPARE?
1. Carry out a data audit of all the personal data you hold and use. This could be in any electronic or paper format and includes text, photographs and audio files.
Data can be found in a variety of places; all these need to be checked and cleaned. For example:
– Computers / Laptops
– Phones / Tablets
– External data storage (USB sticks, external hard drives)
– Cloud storage, e.g. Dropbox, GoogleDrive, OneDrive, Box.
– CRM Systems / Websites e.g. emailing sites, project management sites, social media, etc.
– Address books
– Paper / hard copies
– Notepads & notice boards.
2. Create a risk assessment for any online storage and file transfer site you use that is based outside the EU, and check that they are signed up to the EU-US Privacy Shield if they are based in the United States.
3. You will need to create a record that documents:
– What kind of information you are holding.
– Where your information has been obtained from.
– What your reasons are for holding the data
– How you will let your subjects know what you hold on them.
– Whether you have consent to use it, and for what.
– How long you have had that data and how long you intend to keep it.
– A description of your security measures.
– Where you are storing that data
– Any transfers to countries outside of the EU.
4. You may need to revisit your other policies and procedures to ensure these are GDPR compliant. This could include your data protection policy, use of images and photographs in the media, staff training and safeguarding policies.
5. Check your current procedures to ensure you are able to respond to the new individual rights that will come in with GDPR, such as how you delete data. Your systems will need to record what you have done and when.
This advisory note has been produced to provide you with guidance on the main changes GDPR will bring in when it comes into force on 25th May 2018. For further information on GDPR, visit www.ico.org.uk