GDPR in a Nutshell
Author: Jonathan Rathbone
“Not another article on GDPR!” I hear you cry. Businesses are increasingly aware that they need to be GDPR compliant by 25 May 2018 and are trying to work out what that means for them. There is plenty of information out there, but it is often vague, confusing or too long. With this in mind we have come up with a straightforward list of “GDPR Do’s and Don’ts” for most small and medium sized businesses:
1. Under GDPR, you need to be able to demonstrate that you are compliant. This means that you should carry out a data audit, to establish:
a. What personal data you hold (it should be relevant, limited to what is necessary and where applicable kept up to date);
b. Whether you hold any sensitive data, e.g. health, sexual preference, religious belief etc. (you may need explicit consent if you do);
c. On what lawful basis you are processing it (see para 2 below);
d. Where you are holding it (you have to keep it secure and so should not be holding it in more places than you need to);
e. How long you hold it for (you should only be holding it as long as you need it);
f. Who you share it with (you need to tell the data subject who you share it with);
g. Where you got it from;
h. Whether any data is being processed outside Europe, e.g. in the cloud (if so, you need to check it is compliant and tell the data subject);
i. What you have told the data subject about it (see para 5);
j. Whether you hold any data on children under the age of 13 (if so, you must give clearer, age specific, privacy information and, if you are providing social networking services, their parents need to consent).
2. You should only process data if you have a lawful basis for doing so, examples of this may include:
a. You need to process the data to perform a contract, e.g. you need their name and address to send them the product;
b. You have a legitimate interest to process that data, the data subject would reasonably expect you to process the data in that way and it is not unfair for you to do so; or
c. The data subject has given their consent.
3. Consent is much harder to demonstrate under GDPR. It cannot be given as part of the terms and conditions. You cannot use a pre-ticked box and you need to have a record of exactly how the consent was given. This means that most consents given pre-GDPR will not be compliant and new consents will be required.
4. You can use “legitimate interests” instead of consent as the basis for sending direct marketing (e-mail, phone and mail). However, you would have to be sure that the recipients would expect you to contact them in that way and it must be proportionate. It should be noted that you cannot send direct marketing e-mail to consumers unless:
a. They have given their consent; or
b. (i) You received their details when they purchased or were looking to purchase goods or services from you (ii) you are sending them marketing information about similar products and services and (iii) you gave them an opportunity to opt out of receiving those e-mails when you first sold/offered them the goods or services and they have had the option to unsubscribe in each subsequent e-mail communication.
5. You need to include updated privacy notices on your website and link to that notice in e-mail footers. The privacy notice should set out amongst other things:
a. The purpose for which you are processing the data;
b. The legal basis on which you are processing the data (i.e. consent/performance of contract/legitimate interests);
c. How long you are holding the data for.
This means that you will need different sections in your privacy notice to cover the different types of data and the different ways you process the data (e.g. a different section for customers, prospects, suppliers, prospective employees, website visitors).
If you collect data from someone other than the data subject, you should provide the privacy notice to the data subject within a month of it being collected.
6. Any contracts where you process data on someone else’s behalf or vice versa should include specific provisions set down by GDPR on how the data is being processed.
The date that GDPR comes into force, 25 May 2018, is drawing ever nearer; however, there is still time to get your procedures compliant. Jon Rathbone and Danielle Isaac in the corporate and commercial team at Hughes Paddison can help you with these matters. If you'd like to discuss GDPR and better understand your obligations, give us a call on 01242 586354.