Data protection issues have been put firmly into focus with the enactment of the Data Protection Act 2018 on Thursday 24th May 2018. This enacts the GDPR in the UK. The updated laws mean it is essential for organisations that will hold and process personal data relating to individuals to be fully compliant with the principles and obligations set out in the GDPR. Miller Samuel Hill Brown can assist you in ensuring compliance, whether you require general advice or whether you need assistance in putting in place the documents and policies that all organisations are now required to have in order to fulfil their data protection obligations. This includes:
Data protection rights in the UK were covered by the Data Protection Act 1998, but from 25th May 2018 will be changed by the introduction of the GDPR (General Data Protection Regulation). Any organisation which holds or controls personal data will need to be compliant with the new regulations by 25th May 2018.
This regulation originates in the EU, but the UK Government has confirmed it will continue to apply if and when the UK leaves the EU. The UK Government intends to implement legislation which may introduce further, UK-specific provisions.
The GDPR consolidates existing provisions and introduces some new rights and obligations. In particular, the GDPR introduces a requirement for self-reporting of breaches and increases the maximum fine which can be imposed by a supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).
The GDPR applies to anyone who is a ‘controller’ or a ‘processor’ in relation to personal data.
A data controller is a person or organisation which determines the purposes and means of processing data. This effectively covers any business which holds personal data and has control of obtaining, storing and processing that data.
A data processor is a party who processes data on behalf of a data controller. This can be an individual, a business, a company and so on which is contracted to provide services involving data processing. It does not include employees of the data controller.
The GDPR relates to ‘personal data’, which effectively refers to any data specific to an individual through which they may be identified. This may include contact information, bank details, information about health and cultural identity and so on.
Data should not be held or processed unless there is a specific lawful basis for doing so.
The GDPR generally covers information held by organisations in respect of employees and customers, clients or service users, and potentially suppliers and contractors if they are individuals. It will not apply to individuals who obtain data in the course of their own personal or household activities.
Since the introduction of the Data Protection Act 1998, there have been eight key principles which should be observed when processing personal data of individuals. These are that personal data should:
The GDPR introduces a new principle of accountability, which will require organisations to be able to demonstrate how they comply with the principles above.
Under the Data Protection Act 1998, the maximum fine for non-compliance is £500,000. The GDPR significantly increases this. For violations relating to matters such as internal record keeping, data security and breach notification, fines can be up to 2% of annual worldwide turnover or the equivalent of 10 million euros, whichever is the greater. For breaches of the data protection principles, conditions for consent and data subjects’ rights, this is increased to 4% of annual worldwide turnover or 20 million euros, whichever is greater.
The ICO has various other enforcement (or ‘corrective’) powers short of financial penalties. Other sanctions it can impose include reprimands and warnings, orders for compliance and restrictions on processing.
Individuals also have the right to compensation from a data controller or processor for damage caused by infringement, which may be awarded following a complaint to the ICO.
The GDPR introduces a mandatory duty to report personal data breaches. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data.
The GDPR requires that individuals must be given information about the processing of their data at the time it is collected. This information should be in clear, plain language and be transparent and easily accessible. The required information includes the purposes of processing their data, what their rights are, how long the data is retained and to whom it might be disclosed.
Under the GDPR, there must be a justification for processing personal data. For personal data which is not in a special category, the bases for processing are:
Organisations will require to be clear about which of these justifications they are relying on in processing data.
Organisations will be required to keep written records of their data processing activities. The ICO may request access to these. Records must be kept up to date and reflect current activities. Data controllers must document various pieces of information in relation to the data held, including what data is held, the purposes of processing it and the security measures in place. Further records beyond those required may be kept in order to demonstrate compliance with the GDPR.
The GDPR introduces a new right to erasure or the ‘right to be forgotten’. This gives individuals the right to ask for data held about them to be erased in certain circumstances, such as where it is no longer necessary or it is being processed unlawfully. There are exceptions to this, such as where it is necessary for the controller to comply with legal obligations.
The GDPR introduces a new right to ‘data portability’ which allows individuals to access copies of their personal data and reuse this for their own purposes or transmit it to another data controller. The aim is to allow the copying or transferring of data in a secure way. This only applies to electronic data. There are some restrictions on when it applies.
Individuals have the right to make a subject access request, which means the organisation to which the request is made must provide copies of all the data they hold in relation to that person.
The GDPR removes the £10 fee for individuals to make a request, although a fee may be charged for excessive requests, and reduces the timescale for compliance: requests must be answered without delay, and no later than one month after receipt.
The GDPR introduces a right for individuals to object to their data being used for automated decision making, including profiling. This refers to decisions being made without human intervention which have a legal or similar effect. Profiling refers to using data to analyse and evaluate an individual, for example to evaluate their preferences, interests, behaviours, reliability and so on.
Individuals also have the right to object to data being used for direct marketing, whether by phone, post, email or through social media. The GDPR will require that opting out of receiving such communications should be easy and options should be clear.
Miller Samuel Hill Brown can assist with further advice on the GDPR and how it might affect your business, and in providing contracts and policies which might be required. Please get in touch on 0141 221 1919 or fill in our online contact form to discuss how we can help you.
The Information Commissioner’s Office (ICO) has recently published an enforcement decision which resulted in a fine of £77,000 being imposed on BT (British Telecommunications plc) for sending unsolicited marketing emails.