The GDPR (General Data Protection Regulation) provides greater rights to individuals in relation to the privacy of their personal data. It places stricter requirements on organisations to demonstrate that they comply (the Accountability Principle) and introduces harsher penalties for those that don't.
Organisations must ensure that they are honest about what they will do with personal data, must ensure it is accurate and up to date and must take appropriate steps to keep it secure. They must not collect excessive personal information or share it without authorisation and they must not keep it for any longer than is necessary.
Important things about the Data Protection Legislation
Transparency and Accountability – Being Open and Honest
Organisations need to be more open and transparent with people and must tell them exactly what they will be doing with their personal information.
Businesses will need to keep careful records, account for their actions and provide a detailed Privacy Notice prior to processing personal data. This notice includes information such as who they are, why they need the information, what they are going to do with it, who will have access to the personal data, how long they are going to keep it and the individual’s rights.
GDPR has six defined principles plus the accountability principle, which is central to demonstrating compliance. This can be shown through having appropriate policies and procedures in place, together with contracts between Controllers and Processors, Data Sharing Agreements, Privacy Notices and appropriate training for staff.
Many organisations have been sending out emails in the hope that customers will sign up and consent to their information being retained or used for further marketing. However, where the customer has purchased a product or service, the organisation might be able to rely on the “soft opt in” rather than seeking new consent that may not be provided.
In addition, consent is not the only lawful basis for processing personal data. Organisations should consider whether consent is appropriate or if they can rely on legitimate interests or one of the other lawful bases for processing.
Subject Access Requests
Individuals are entitled to request that an organisation provide details of the personal information held about them. Strict rules and time limits apply to how these requests, known as Subject Access Requests (SARs), are processed. Under the GDPR, an organisation has up to one month to provide the necessary information (subject to exceptions). It is important that staff recognise a SAR and act appropriately, and that organisations have suitable systems in place to deal with a SAR expeditiously.
New Systems – Privacy Issues Addressed Early
When an organisation proposes to introduce new systems, any impact this may have on the privacy of personal information must be considered carefully and needs to be formally documented in a Data Protection Impact Assessment.
The Right to be Forgotten
Individuals have a number of rights under the GDPR and one of these is the ‘right to be forgotten’. However, although this is a fundamental right, it is not an absolute right. Organisations will still need to balance this right against other rights and obligations, including their own legal requirements to retain information.
Data Processors – New Liability
Under the GDPR there is additional responsibility on Processors and they can be held directly liable for their own data protection mistakes and can face monetary penalties from the ICO. As such, data processing contracts should be reviewed to ensure that they explain the roles and responsibilities of both parties.
The GDPR has increased the monetary penalties available to the ICO. There is a two-tier system. Tier 1 has a maximum penalty of up to €10,000,000 or 2% of global turnover, whichever is the greater, and will be used for breaches such as failing to maintain records of processing activities, failing to implement appropriate technical and organisational measures and failing to appoint a Data Protection Officer, where necessary.
Tier 2 has a maximum penalty of up to €20,000,000 or 4% of global turnover, whichever is the greater, and this applies in relation to breaches such as failing to comply with the data protection principles and data subjects’ rights.