Navigating the Complexities of GDPR and Data Protection
Dealing with the complexity of the current data protection regime can be daunting, and the need for specialist advice has never been greater.
GDPR and the Data Protection Act 2018
The General Data Protection Regulation (GDPR), supplemented in the UK by the Data Protection Act 2018 and retained in UK law after Brexit as the "UK GDPR", is the most important and robust piece of data protection legislation ever enacted in the UK. It has now been in force for a number of years. Failure to comply in full is simply not an option for any business.
The GDPR relates to personal data: that is, information relating to an identified or identifiable living person. The aim of the GDPR is to make the handling and protection of personal data about customers, employees, suppliers or other individuals central to the way all businesses and organisations in the UK operate. The GDPR is based on the following core data protection principles, which must be complied with when processing ANY personal data:
- Lawfulness, fairness and transparency (which includes the requirement for privacy notices when collecting data);
- Purpose limitation (collect data for specific, explicit and legitimate purposes, and do not further process the data in any manner incompatible with those purposes);
- Data minimisation (collect and keep only what is adequate, relevant and necessary for those purposes);
- Accuracy (keep it accurate and, where necessary, up to date);
- Storage limitation (keep it in identifiable form only for as long as is necessary);
- Integrity and confidentiality (put in place appropriate technical and organisational security measures);
- Accountability (be able to demonstrate, with documentation, that you comply with the principles above).
Compliance with the GDPR is non-negotiable. Draconian fines of up to £17.5 million or 4% of worldwide annual turnover, whichever is higher, can be levied by the Information Commissioner's Office (ICO) for non-compliance. Failure to comply leaves you exposed to these sanctions as well as reputational damage and the risk of compensation claims brought directly by individuals (data subjects).
Compliance with GDPR
The following is an outline of some of the key steps to take to ensure compliance with GDPR and the Data Protection Act 2018:
1. Review Information
Make sure that you understand, and audit:
- All of the personal data that you hold
- How the personal data is collected
- What you use that personal data for
- With whom that personal data is shared
2. Lawful basis of processing
Once you have understood the personal information that you hold, you need to consider, and identify in your data protection documentation, the lawful basis upon which you process that personal data. You must document the decision making and the policies and procedures you adopt to ensure compliance. The only lawful bases for processing personal data are:
- Consent (freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give)
- Contract (processing necessary for the performance of a contract with the data subject, or to take steps at their request before entering into one)
- Legal obligation (processing necessary to comply with a legal obligation)
- Vital interests (processing necessary to protect the vital interests of the data subject or another person)
- Public task (processing necessary for a task carried out in the public interest or in the exercise of official authority)
- Legitimate interests (processing necessary for your or a third party's legitimate interests)
The legitimate interests basis will be a key basis for many businesses, as it covers many ordinary, honest business practices and can include direct marketing; but your interests must be balanced against the interests, rights and freedoms of the data subject concerned, and the basis cannot be relied upon where those override your interests.
Whilst consent was commonly used as a lawful basis pre-GDPR, it is harder to rely on going forwards, not least because consent can be withdrawn at any time. Any consents obtained pre-GDPR must now meet the higher GDPR standards, otherwise they cannot be relied upon. You should review how any consents were previously obtained and, if necessary, consider refreshing them or relying on another lawful basis of processing.
3. Update privacy policies
You need to ensure that your written privacy policies and notices tell people how their data will be used, so as to evidence your compliance with the data protection principles. For example, you need to identify in those notices who you are, the purposes and lawful basis on which you process personal data, with whom it is shared, any data retention periods, and the rights individuals have in respect of their data.
4. Data subject rights - subject access requests and data breaches
You need to ensure that you have systems in place that allow you to swiftly locate all personal data you hold, so that you can respond to requests by data subjects to exercise their rights in respect of their personal data, including subject access requests (SARs), within tight timescales: generally one month from receipt, extendable by up to two further months only for complex or numerous requests.
In the event of a personal data breach you may need to notify the Information Commissioner's Office within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and the data subjects concerned without undue delay where the breach is likely to result in a high risk to them. Policies and procedures, including a breach log, will need to be in place to ensure you can do this.
How can LCF help you?
We regularly advise clients in relation to data protection issues including:
- Advising on procedural compliance with the GDPR and Data Protection Act 2018.
- Drafting bespoke privacy policies and other data protection policies and documentation.
- Advising on data processing agreements and data processing clauses in commercial contracts.
- Providing support in respect of handling and responding to subject access requests.
- Drafting, reviewing and amending employment contracts to comply with data protection legislation.
- Providing support in the event of a data breach and, if necessary, an ICO investigation.
- Advice on related issues such as compliance with the Privacy and Electronic Communications Regulations (PECR).
James Sarjantson has dealt with Data Protection matters on behalf of clients for many years and is able to provide practical and commercial solutions to issues raised by the GDPR and Data Protection Act 2018, and advise on the steps that businesses can take themselves to move towards compliance.
Call Us Now
Our solicitors are ready to help you. Click on Contact Us, use the Contact form above, or send a message directly to one of the team working in this area from their business cards below.