The General Data Protection Regulation

The General Data Protection Regulation

Below is an article by Catherine Herries-Smith Solicitor, preferred BFM employment law solicitor. In Niovember 2017 at a BFM event, Catherine in a presentation – to over 50 delegates from furniture industry – detailed the changes they would need to make as a result of GDPR.

The General Data Protection Regulation (GDPR) is due for implementation by 25th May 2018. It aims to strengthen the rights of individuals in relation to processing of their personal data whether automated or held in structured manual files. At its heart will be 6 updated data protection principles. Personal data is defined as ‘any information relating to an identified or identifiable person (‘data subject’). There is a separate definition for high risk ‘special categories’ (eg: health, ethnicity, sex life etc). A new Data Protection Act 2018 will supplement the GDPR. Processing is a wide concept and includes acquiring, holding and disclosing personal data.

The legislation seeks to achieve greater accountability for processing and privacy by design in planning the life cycle of personal data. If you have 250 employees or more, or process personal data on a large scale, or special categories of personal data, you should keep a record of relevant categories of personal data, including purposes, data subjects, recipients, transfers out of the European Economic Area, legal basis for processing, retention periods and security measures. There will no longer be a requirement annually to notify the Information Commissioner (ICO). The appointment of Data Protection Officers will be mandatory in cases but otherwise is helpful to promote compliance. Data processors who process personal data on behalf of data controllers will acquire new obligations.

The first principle, requires that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. For each category of personal data there must be a lawful basis for processing (eg consent, necessary for performance of a contract etc) and a Privacy Notice provided when data is first obtained, or it is decided to change the purpose. The key information to provide is: who you are, the purposes, lawful basis, recipients and whether it is to be transferred out of the European Economic Area. In addition, you should make available, eg on a website Privacy Policy: retention periods and rights of the data subjects (such as to access their information, to be forgotten or to have their data transferred to a new data controller).

The second Data Protection Principle requires that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. In a word, if you obtain personal data for the purposes of fulfilling an order for goods you should not be using it for an unrelated purpose without a lawful basis such as the specific, informed consent of the data subject.

Under the third principle personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, do not request information such as date of birth where it is unnecessary.

The fourth principle requires that personal data must be accurate and where necessary kept up to date. Inaccurate data can inconvenience or harm the data subject.

The fifth principle requires storage limitation of personal data. Adopt effective retention and disposal practices.

The sixth principle requires that personal data is processed in a way that ensures appropriate safety of the personal data. Under the GDPR there will be mandatory reporting of data breaches by data controllers to the ICO within 72 hours if there is a risk to the data subject (eg reputational damage or identity fraud) and within a reasonable time to data subjects if there is a high risk to them.

Administrative fines for various infringements of the legislation will be increasing to up to £17M or 4% of total worldwide annual turnover (whichever is greater). It is therefore imperative to implement good governance, training and policies to manage the risks of the legislation.