Guy Wilmot: What are our GDPR obligations as a business?

Most businesses should have little difficulty complying with GDPR if they follow some pretty basic policies and procedures

9 minutes

Any business or organisation that holds or uses personal data – so virtually every business – is subject to data protection legislation. The main pieces of legislation covering this area are the General Data Protection Regulation and the Data Protection Act 2018 (DPA). In this article, ‘GDPR’ is used to refer to data protection legislation generally.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that applies to all people in the EU –whether or not they are residents or citizens of an EU member state – and regulates the collection and processing of ‘personal data’.

The GDPR regulates the collection and processing of ‘personal data’ relating to individuals. Individuals whose data is held or processed are referred to as ‘data subjects’. An important point to note is that, if the data is not ‘personal’ in nature, it will not be regulated by the GDPR. Storing or holding personal data counts as ‘processing’.

How do I comply with the GDPR?

What each business needs to do to comply with the GDPR will depend on the nature of the business and how it uses personal data. In very general terms GDPR sets out seven principles that need to be followed.

These are that personal data must be: 1) processed ‘fairly and lawfully’; 2) collected for specified, legitimate purposes; 3) adequate, relevant and limited to what is necessary; 4) Accurate and up to date; 5) Kept for no longer than necessary; 6) Processed in a secure manner; and 7) the controllers of that data must be responsible and accountable.

Most businesses should not have too much difficulty complying with the GDPR and these principles as long as they put in place – and observe – some relatively straightforward notices, policies and procedures.

What is ‘personal data’?

‘Personal data’ means any information relating to an identified or identifiable natural person.  This means any piece of information that would enable someone directly to identify a natural person such as a name, an ID number or an online identifier like an IP address or a cookie. Information about a business or a public authority is not personal data.

In a business, personal data will usually include information about employees and contractors as well as personal information relating to customers and suppliers. For many bricks and mortar or offline businesses, the amount of personal data held about customers may be relatively limited. For online and service businesses the information held about individuals may be more extensive.

Do be aware that information relating to someone’s role at a business or organisation does not stop the information from being personal data.

What are legitimate purposes for processing data?

There are several legal bases that may be relied on in order to process data. One of the persistent myths about GDPR is that it requires consent to process personal data. Processing of data must be done under a ‘legal basis’ and consent is just one. The legal bases that are most commonly relied on are ‘performance of a contract’, ‘consent’ and, importantly, ‘legitimate interest’.

* Performance of a contract: Where processing of personal data is necessary in order to perform a contract with the data subject, then this is a permitted legal basis. Please note the contract has to be with the person whose data you hold.

* Consent: The consent of a data subject is always a permitted legal basis. Consent under the GDPR must be freely-given, specific, informed and unambiguous. This requires a positive step, so deemed consent and pre-ticked boxes are not sufficient.

* Legitimate interest: This is by far the most important legal basis and is the most widely applied.

What does ‘legitimate interest’ mean?

This means someone has a legitimate interest in processing personal data that is not overridden by the interests of that person in the security and privacy of their data. In plain English, this really means standard types of processing that are not unusual, would not be unexpected by the data subject and do not put the data security or privacy of the data subject at risk. Where legitimate interest is not possible – for instance, if the processing is of an unusual or unexpected nature – then consent may be required.

What about sensitive data? 

The exception to the rule about consent not usually being required is ‘special category’ data – often called ‘sensitive’ personal data. Unless one of the very few limited exceptions apply, consent is required to process ‘special category’ data. This includes information about: health; racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data; sex life or sexual orientation; and criminal convictions.

Do we need to register with the Information Commissioner?

At present, data controllers are required to register with the ICO to pay an annual fee. You can register here

What information do we need to give to data subjects?

One of the requirements of the GDPR is for ‘transparency’. This requires data controllers to have in place a “privacy notice”. This is often referred to as a ‘privacy policy’ but the terminology is not important.

Among other things, the privacy notice will set out the types of data collected, the legal basis relied on, how the data is used, whether it is transferred to third parties and the rights of data subjects. A separate privacy notice will be required if there are fundamentally different types of data subjects. Accordingly, most businesses will require at least two privacy notices: one for staff and contractors and one for customers, clients and third parties.

Isn’t a privacy notice or privacy policy just a standard document?

There are similarities between privacy notices and there are some standard terms that are generally included in all privacy notices, but the requirement to give specific information about the legal basis relied on, the types of data collected and how the data is used will mean some thought needs to be given to a privacy notice.

Do we need to appoint a data protection officer?

The GDPR introduces a requirement for some organisations to appoint a data protection officer (DPO). All public authorities must appoint a DPO and some other organisations must also appoint a DPO if they carry out large scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.

What rights do data subjects have?

There are some exceptions to data rights but broadly each data subject has the right to request that data is not processed, for a copy of any data and for data to be corrected or updated, and for a copy of data to be transferred. Subjects can also ask that data is not used for direct marketing or profiling purposes and can withdraw consent to process data.

How do we respond to requests to access data?

If a data subject wants to access their data, you will need to respond without undue delay and, in any event, within one month. In most cases you cannot charge a fee for this access.

What steps do we need to take to protect data?

The GDPR requires that anyone holding or processing personal data takes both ‘technical’ and ‘organisational’ measures to ensure personal data is secure and that data subjects’ rights are maintained.

‘Technical measures’ refer to firewalls, password protection, penetration testing and so on and anyone holding personal data on electronic systems should consult with IT professionals to ensure adequate security measures are in place to protect data.

‘Organisational measures’ refers to internal policies, staff training and so on. Ideally businesses will have both internal data protection policies and a program of staff training. Often this is done online.

Do we need to keep any other records?

If you have more than 250 employees or if you are processing ‘special categories’ of data, you will be required to keep a record of your data-processing activities.

How long are we allowed to keep data for?

It is a principle of the GDPR that data should not be held for longer than necessary. A privacy notice should also inform data subjects how long their data is to be held for. This means businesses do need to decide what their data retention policy will be.

A very common ‘default’ period for holding personal data is six or seven years. This is because the time limit for legal claims is often six years and this period can sometimes be extended temporally.

Are we allowed to transfer data outside of Europe?

Yes – but you will need to make sure appropriate safeguards are in place. Some countries have been deemed to have an adequate data protection framework – for example, Switzerland and Canada – and data can be transferred to these territories. Do note, however, that any processors will still need to enter into a formal processing agreement as described above.

If you are transferring to a US company, then they may be certified under the ‘Privacy Shield’ framework, which allows for transfers to those specific companies. For any other transfer outside of Europe, the parties to whom the data is transferred may need to sign up to ‘model clauses’ or contracts set out by the EU commission which incorporate data protections for data subjects.

What do we do if there is a data breach?

The GDPR requires all businesses to make a report to their regulator (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of data breach that is likely to result in a risk to the rights and freedoms of individuals – for example, a cyber-attack on your system that results in personal data and/or special categories of personal data being temporarily unavailable or released. Where a breach results in a high risk to rights and freedoms, you will also need to tell the people who are directly concerned.

Guy Wilmot is a partner in the Technology and Growth team at law firm Russell-Cooke

MORE ARTICLES ON