GDPR – What you need to know
You should all by now be into the final stages of implementing plans for the impending new legislation on GDPR which comes into effect on Friday 25th May 2018.
There has been much written in the media and we are sure you will have been bombarded with information from various providers seeking to offer solutions.
The first thing to remember in all of this is that the fundamentals have not really changed. The regulations are a consolidation and update of existing laws. Some rights are now requirements, but the main difference is that firms need to demonstrate that they are taking steps to protect personal client, employee and supplier data, so as to avoid the now punitive fines that the Information Commissioner’s Office (ICO) can levy.
Greg Walsh, Bermans Consultant and specialist on contract law and data protection (part of Chris McDonough’s team) recently spoke at a client event in Whiston, Merseyside (pictured below). At the event Greg set out the key parts of the legislation and how it affects businesses going forward.
What is the Legislation?
The principles/rules have not really changed; whilst they have been reduced from eight to six, the principles for rights and international elements have been incorporated into the other rules.
Article 5 of the GDPR requires that personal data shall be:
- “processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The key elements for the use of data are set out in Article 6, which deals with the lawfulness of processing. Whilst much consideration is being given to consent as the basis for lawful processing, there are six provisions which permit processing; these include consent, the performance of (or steps taken to enter into) a contract with an individual, and processing necessary for the legitimate interests of the processor.
Greg also went on to provide a checklist to assist businesses with their planning in preparation for the new regulations.
- Be aware of the timeframe: the legislation comes into effect on Friday 25th May 2018.
- Confirm the data that you hold – customers & employees – e.g. employee handbook.
- Suppliers – create a contract management database and understand what suppliers are doing with your data.
- Accountability & Governance – how are you going to meet the requirements? Look to appoint a Data Protection Officer, produce Data Protection Policies, manage changes of suppliers etc.
- Contract review – are processor requirements needed?
- Information provisions – privacy notices will need to be updated and you may need to revise consent notices.
- Clients – are you acting as a processor for your clients, or do you hold information on your clients’ staff?
You will need to review your supplier agreements where suppliers are processing data for you, as you have an obligation to ensure that the data is managed properly and that a contract is in place. You should also review your own client contracts, as it is likely that, even if you don’t process consumer data, you are processing data about individuals. If you need assistance with these reviews, with preparing any of the policies/notices required, or with support to implement the GDPR, we can assist.
Need Further Guidance?
The above is general advice and we would recommend seeking specific assistance, as each business is different. Greg can be contacted on firstname.lastname@example.org