Miller Samuel Hill Brown's Blog

Data Protection & GDPR

Data protection issues have been put firmly into focus with the enactment of the Data Protection Act 2018 on Thursday 24th May 2018, which enacts the GDPR in the UK. Under the updated laws it is essential for organisations that hold and process personal data relating to individuals to be fully compliant with the principles and obligations set out in the GDPR. Miller Samuel Hill Brown can assist you in ensuring compliance, whether you require general advice or assistance in putting in place the documents and policies that all organisations are now required to have in order to fulfil their data protection obligations. This includes:

  • Provision of privacy statements (whether for clients, customers, employees or other individuals);
  • Updated internal data protection policies in regards to employees’ handling of personal data;
  • Drafting data retention policies;
  • Putting in place processes for responding to data subject access requests and requests for the erasure of personal data; or
  • Reviewing current contracts to ensure GDPR compliance.

What is the GDPR?

Data protection rights in the UK were covered by the Data Protection Act 1998, but from 25th May 2018 are changed by the introduction of the GDPR (General Data Protection Regulation). Any organisation which holds or controls personal data will need to be compliant with the new regulations by 25th May 2018.

This regulation originates in the EU, but the UK Government has confirmed it will continue to apply once/if the UK leaves the EU. The UK government intends to implement legislation which may introduce further, UK specific provisions.

Why is the GDPR important?

The GDPR consolidates existing provisions and introduces some new rights and obligations. In particular, the GDPR introduces a requirement for self-reporting of breaches and increases the maximum fine which can be imposed by a supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).

Who does the GDPR apply to?

The GDPR applies to anyone who is a ‘controller’ or a ‘processor’ in relation to personal data.

A data controller is a person or organisation which determines the purposes and means of processing data. This effectively covers any business which holds personal data and has control of obtaining, storing and processing that data.

A data processor is a party who processes data on behalf of a data controller. This can be an individual, business, company and so on that is contracted to provide services involving data processing. It does not include employees of the data controller.

What data does it relate to?

The GDPR relates to ‘personal data’, which effectively refers to any data specific to an individual through which they may be identified. This may include contact information, bank details, information about health and cultural identity and so on.

Data should not be held or processed unless there is a specific lawful basis for doing so.

The GDPR generally covers information held by organisations in respect of employees and customers, clients or service users, and potentially suppliers and contractors if they are individuals. It will not apply to individuals who obtain data in the course of their own personal or household activities.

Data Protection Principles – the Principle of Accountability

Since the introduction of the Data Protection Act 1998, there have been eight key principles which should be observed when processing personal data of individuals. These are that personal data should:

  • be processed fairly and lawfully, and not be processed unless specific conditions in the legislation are met;
  • only be obtained for one or more specified and lawful purposes, and not processed for any other purpose;
  • be adequate, relevant and not excessive in relation to those purposes;
  • be accurate and, where necessary, kept up to date;
  • not be kept for longer than is necessary for the relevant purposes;
  • be processed in accordance with the rights of data subjects under the Act;
  • be subject to appropriate security measures to protect against loss, damage, unauthorised disclosure and so on; and
  • not be transferred outside the European Economic Area unless the destination country ensures an adequate level of protection for data.

The GDPR introduces a new principle of accountability, which will require organisations to be able to demonstrate how they comply with the principles above.

Enforcement

Under the Data Protection Act 1998, the maximum fine for non-compliance is £500,000. The GDPR significantly increases this. For violations relating to matters such as internal record keeping, data security and breach notification, fines can be up to 2% of annual worldwide turnover or the equivalent of 10 million euros, whichever is the greater. For breaches of the data protection principles, conditions for consent and data subjects’ rights, this is increased to 4% of annual worldwide turnover or 20 million euros, whichever is greater.

The ICO has various other enforcement (or ‘corrective’) powers short of financial penalties, including reprimands and warnings, orders for compliance and restrictions on processing.

Individuals also have the right to compensation from a data controller or processor for damage caused by infringement, which may be awarded following a complaint to the ICO.

Reporting breaches

The GDPR introduces a mandatory duty to report personal data breaches. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data.

Privacy notices

The GDPR requires that individuals must be given information about the processing of their data at the time it is collected. This information should be in clear, plain language and be transparent and easily accessible. The required information includes the purposes of processing their data, what their rights are, how long the data is retained and to whom it might be disclosed.

What is the basis for holding personal data?

Under the GDPR, there must be a justification for processing personal data. For personal data which is not in a special category, the bases for processing are:

  • The data subject’s consent;
  • that the processing is necessary for the performance of a contract;
  • it is necessary for compliance with legal obligations;
  • it is necessary to protect the individual’s vital interests;
  • it is necessary to perform official functions or a task in the public interest; or
  • it is necessary for the legitimate interests of the data controller/processor or a third party and there is no overriding reason to restrict processing.

Organisations will need to be clear about which of these justifications they are relying on in processing data.

Record keeping

Organisations will be required to keep written records of their data processing activities. The ICO may request access to these. Records must be kept up to date and reflect current activities. Data controllers must document various pieces of information in relation to the data held, including what data is held, the purposes of processing it and the security measures in place. Further records beyond those required may be kept in order to demonstrate compliance with the GDPR.

Right to be forgotten

The GDPR introduces a new right to erasure or the ‘right to be forgotten’. This gives individuals the right to ask for data held about them to be erased in certain circumstances, such as where it is no longer necessary or it is being processed unlawfully. There are exceptions to this, such as where it is necessary for the controller to comply with legal obligations.

Data Portability

The GDPR introduces a new right to ‘data portability’ which allows individuals to access copies of their personal data and reuse this for their own purposes or transmit it to another data controller. The aim is to allow the copying or transferring of data in a secure way. This only applies to electronic data. There are some restrictions on when it applies.

Subject Access Requests

Individuals have the right to make a subject access request, which means the organisation to which the request is made must provide copies of all the data they hold in relation to that person.

The GDPR removes the £10 fee for individuals to make a request, although a fee may be charged for excessive requests, and reduces the timescale for compliance: requests must be dealt with without delay, and no later than one month after receipt.

Profiling and Direct Marketing

The GDPR introduces a right for individuals to object to their data being used for automated decision making, including profiling. This refers to decisions being made without human intervention which have a legal or similar effect. Profiling refers to using data to analyse and evaluate an individual, for example to evaluate their preferences, interests, behaviours, reliability and so on.

Individuals also have the right to object to data being used for direct marketing, whether by phone, post, email or through social media. The GDPR will require that opting out of receiving such communications should be easy and options should be clear.

Miller Samuel Hill Brown can assist with further advice on the GDPR and how it might affect your business, and in providing contracts and policies which might be required. Please get in touch on 01412211919 to discuss how we can help you.
