How Data Protection Changed
In 2018 data protection changed with the introduction of the GDPR. Businesses should already have been complying with the Data Protection Act, but the GDPR placed a much greater onus on protecting the individual.
To achieve this, stricter standards were introduced on how and when organisations can process and store personal data relating to identifiable individuals. That may sound like a mouthful, so this post aims to break it down and make it easier to understand.
When do I have to abide by GDPR?
You will need to abide by the GDPR if the data controller (the organisation that decides why and how personal data is processed) or the data processor (an organisation that processes personal data on a controller's behalf) is established in the EU, or if you collect or use personal data about individuals who are in the EU, for example by offering them goods or services or monitoring their behaviour.
A few activities fall outside the regulation: processing for national security, processing by competent authorities for law enforcement purposes (which is covered by a separate directive), and processing by an individual for purely personal or household activities.
But what is personal data?
According to the European Commission personal data can be defined as:
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address.
This means that anything that can be used to identify an individual, directly or indirectly, is classed as personal data.
Can I process any personal data?
You can only process personal data if you have at least one lawful basis for doing so. Consent is one such basis, but it is not the only one. The six lawful bases for processing are:
- If the data subject has given consent for the processing
- To fulfil contractual obligations to the data subject, or for tasks relating to entering a contract.
- To comply with the data controller's legal obligations
- To protect the vital interests of the data subject or another individual
- To perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
When gaining informed consent, you need to tell people exactly why you are gathering the data, make the request plainly worded and easy to understand, and make sure it is unambiguous: consent must be given by a clear affirmative action, so pre-ticked boxes or silence do not count.
You must then only process the data in line with what was consented to. Consent must be granular: you need separate consent for each distinct purpose you want to process the data for, and consent for several purposes cannot be bundled together into one request.
So, I have their data, can I process it for as long as I like?
Not quite. Where you rely on consent, the person can withdraw it at any time, and withdrawing consent must be as easy as giving it. You cannot refuse a withdrawal request. If the processing is genuinely necessary to deliver the service the person has signed up for, then consent was the wrong lawful basis in the first place and you should rely on contract instead. Separately, personal data may only be kept for as long as it is needed for the purpose it was collected for.
What is Data Protection by Design and by Default?
Your business needs to build data protection into its procedures and systems from the outset, rather than bolting it on afterwards. This can include collecting only the data you actually need, encrypting it, and pseudonymising personal data as soon as possible. Pseudonymisation means replacing the direct identifiers in a record (name, email address and so on) with artificial identifiers, so that the record can only be attributed to a specific person with the help of additional information, such as a key or lookup table, which is kept separately and under its own access controls.
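To make that concrete, here is an added example in Python (it is not code from the original post, and the class and field names are hypothetical). It pseudonymises a set of constructed sample records by replacing each direct identifier with a token derived from an HMAC under a secret key, so the same person gets the same token across records and analytics still work. The key and the lookup table are the "additional information": whoever holds them can restore the originals, and whoever does not cannot, which is why they must be stored separately from the pseudonymised dataset.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 42.50},
    {"name": "Bob Example", "email": "bob@example.org", "order_total": 13.99},
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 7.00},
]

# Fields treated as direct identifiers (assumption for this example).
IDENTIFIERS = ("name", "email")


class Pseudonymiser:
    """Replaces direct identifiers with artificial ones (hypothetical helper).

    A pseudonym is an HMAC-SHA256 of the original value under a secret key.
    Because it is keyed, the same value always maps to the same pseudonym,
    but nobody without the key can recompute or brute-force the mapping.
    The key and the lookup table are the 'additional information' that lets
    the controller re-identify a record; keep them separate from the data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Fresh random 256-bit key unless one is supplied (e.g. to share
        # pseudonyms consistently across several datasets).
        self.key = key if key is not None else secrets.token_bytes(32)
        # pseudonym -> original value; this is the re-identification table.
        self.lookup: Dict[str, str] = {}

    def pseudonym(self, value: str) -> str:
        mac = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return "P-" + mac[:16]

    def pseudonymise(self, record: dict, fields=IDENTIFIERS) -> dict:
        """Return a copy of `record` with identifier fields replaced."""
        out = dict(record)
        for field in fields:
            if field in out:
                token = self.pseudonym(out[field])
                self.lookup[token] = out[field]
                out[field] = token
        return out

    def reidentify(self, record: dict, fields=IDENTIFIERS) -> dict:
        """Restore the original identifiers using the lookup table.

        Raises KeyError if this instance never saw the value, which is
        exactly what happens to anyone who holds the dataset but not the
        separately stored key and table.
        """
        out = dict(record)
        for field in fields:
            if field in out:
                out[field] = self.lookup[out[field]]
        return out


def pseudonymise_all(records: List[dict], key: Optional[bytes] = None) -> Tuple[List[dict], Pseudonymiser]:
    """Pseudonymise every record; returns the new records and the helper
    that holds the key and lookup table (to be stored elsewhere)."""
    helper = Pseudonymiser(key)
    return [helper.pseudonymise(r) for r in records], helper


if __name__ == "__main__":
    safe, helper = pseudonymise_all(RECORDS)
    for r in safe:
        print(r)
    # Only the holder of `helper` (key + table) can get back to the names.
    print(helper.reidentify(safe[0]))
```

Note that a plain unkeyed hash would not be good enough here: email addresses and names are low-entropy, so an attacker could hash a dictionary of likely values and match them against the tokens. The secret key is what prevents that, and losing the key alongside the dataset turns a pseudonymised breach back into a breach of personal data.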
When you're collecting the data, as part of the informed consent, you need to make certain things clear. This includes:
- The purpose of the processing and the legal basis for it
- How long the data will be retained for
- If the data is being transferred to a third party
- Whether any decisions will be made about them solely by automated means
- The contact details of the data controller and their designated Data Protection Officer (where applicable)
The person you are collecting the data from has certain rights when it comes to their data. They will need to be informed of these rights, including:
- The right to withdraw consent at any time
- The right to view their personal data that you hold
- The right to have information about how you are processing their data
- The right to obtain their data in a structured, commonly used and machine-readable format so it can be moved to another provider (data portability)
- The right to have their data erased in certain circumstances
- The right to contest any decision that was based solely on automated processing
- The right to lodge a complaint with the supervisory authority (in the UK, the ICO)
Where the processing is likely to result in a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring, your company will also have to carry out a Data Protection Impact Assessment (DPIA) before starting.
What are all those rights again?
That is a lot of rights for the person you are collecting data from, so let's break it down a little. The two to focus on first are the right of access and the right to erasure, so let's look at these in more detail.
The right of access gives a person the right to a copy of the personal data you hold about them and to information about how it is processed, including who it is shared with and where it was obtained from. A closely related right, data portability, lets them receive that data in a machine-readable format and move it to another system without hindrance from the data controller.
The right to erasure lets a person have their data deleted on any of a number of grounds, including where the data is no longer needed for the purpose it was collected for, where they withdraw the consent the processing relied on, or where the processing was unlawful in the first place. You must act on such a request without undue delay and in any event within one month, which can be extended by a further two months for complex requests provided you tell the person within the first month.
What happens if the data has been breached?
If the data is breached, the data controller needs to notify the supervisory authority (in the UK this is the Information Commissioner's Office, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If you miss the 72 hours you must explain the delay.
The individuals themselves must also be told, again without undue delay, if the breach is likely to result in a high risk to their rights and freedoms. This is not required if the data was rendered unintelligible to anyone not authorised to access it, for example by encryption, provided the encryption key was not also exposed in the breach.
The data processor will have to notify the data controller without undue delay once they are aware that a breach has occurred.
I want to carry out B2B marketing, can I still do this?
You can use business contact details to carry out direct B2B marketing provided you can rely on legitimate interests as your lawful basis (and, for electronic marketing in the UK, you also need to comply with the separate PECR rules).
But what is legitimate interest? To rely on it you need to be able to show that the following conditions are met:
- The processing pursues a genuine, legitimate interest of your business or a third party, and that interest is not overridden by the interests, rights and freedoms of the individual.
- The processing is necessary to achieve that interest, meaning you could not reasonably achieve it in a less intrusive way.
The GDPR can seem like a bit of a minefield when it comes to what you can and can't do. A good starting point is to always tell people why you are collecting their data, on what basis, and how you are going to use it; the rest follows from there.
As always, remember to seek professional advice before taking any action.