The Ultimate Guide to GDPR

In this guide you’ll find everything you need to know about GDPR. We’ll cover topics surrounding lawful processes, the new rules and the best practices to follow to ensure you don’t break the law….

The Ultimate Guide to GDPR

In this guide you’ll find everything you need to know about GDPR. We’ll cover topics surrounding lawful processes, the new rules and the best practices to follow to ensure you don’t break the law.

So, whether GDPR rules are new to you, or you’ve already done a bit of research, our guide will offer you the tools to ensure you’re always covered.

GDPR: A definition

GDPR, or General Data Protection Regulation, was devised by the European parliament and officially came into force on 25th May 2018. The regulation has been designed to strengthen and streamline data protection laws across all EU countries and applies to all organisations which gather, hold and process information and data about residents of the EU.

As technology advances, the way companies hold and use personal data is ever-changing. GDPR was introduced to update existing legislation, like the Data Protection Act, and to ensure that people have a much greater control over how their personal information is used.

If companies are found to be processing data unlawfully, they are now at risk of being hit with large financial penalties.

What is personal data?

One of the most important aspects you need to understand when it comes to GDPR is what information is classed as ‘personal data’. We’ve outlined this below…

  • Information that can be used to identify someone: name, ID number, email address, bank details, etc.
  • Sensitive information: sexual orientation, genetic data, health records, religious or political views, sex life, etc.

What has changed?

Data protection laws are not a new thing, rules and regulations on what companies can do with data and information have been around for years. Before GDPR, personal data was governed by the Data Protection Law which means that many companies will already be close to compliance.

However, the new GDPR rules do differ in a number of ways, so it’s important you understand exactly how the new legislation has changed.

Under GDPR, when a company gathers, holds or processes personal data they must ensure:

  • The information stored is relevant
  • The data is processed lawfully, fairly and transparently
  • When information is processed there is a legitimate and explicit purpose to do so
  • Data is never stored for longer than it is needed
  • The information is correct and up-to-date
  • There is a lawful basis for using the information
  • The data is always kept secure
  • Any new and existing information has been given consent by the individual

Key changes you need to know about

  • It is now a legal requirement for companies to provide information upon requests, free of charge.
  • If you breach GDPR, the penalties are far more substantial than before. The maximum fine is, £20 million or 4% of the company’s worldwide turnover, depending on which is higher.
  • GDPR now covers biometric and genetic data.
  • The new rules also now protect children’s personal information, this is mainly due to commercial aspects of social media platforms. To process the data of a child under 16, you must gain consent from the parent or guardian, record it and present it in a way that the child can understand.
  • Consent is now defined as “the data subject has given consent to the processing of data for one or more specific purposes”, whereas, previously there was no ‘specific purpose’ needed.
  • Data that can identify an individual from a username, pseudonym or ‘handle’ is now covered by GDPR.

Exceptions

The common view that GDPR hinders companies and doesn’t allow businesses to process data or that you always require ‘consent’ to do so is false.  For organisations like the police force or the emergency services, they are required to hold and use personal data to preserve life and public safety. Therefore, there are actually 6 lawful reasons that will allow you to collect, hold and process personal data without consent.

  • Official duty or public interest – You can process personal data if it is in the public interest, or if you are duty bound to do so and there is a basis in law.
  • You gain consent – Individuals must give you their ‘explicit consent’ and positively ‘opt-in’ to allow you to use and hold their personal data. This cannot be a pre-ticked box, parental consent is required for children and you must always offer very specific actions for varying consent.
  • Contractual – It is within the law to process personal data if there is a contract between yourself and the individual. This will also cover you if you need to produce a quote or similar and don’t yet have a contract.
  • Legal obligation – You are permitted to hold and process personal information if you need to comply with statutory obligation or common law. However, if you can proceed within the law without processing the data, this basis will not be valid. You will need to keep a record of your decision with a justification and information about the law in question. This basis does not apply to contractual agreements.
  • To protect – This only applies to organisations who process personal data to protect life, for example emergency medical care. However, if the individual receiving care can provide consent, it must be obtained.
  • Legitimate interests – The most flexible lawful basis, ‘legitimate interests’ allows you to gather, hold and process personal data, providing you have considered and given evidence that there is a good reason to do so. You will need to prove that you have weighed up this legitimate interest against the individual’s rights and freedoms. This explanation must be displayed in a publicly available privacy policy.

Need to know: Legitimate Interest

While legitimate interest is considered the most flexible of the six lawful basis outlined under GDPR, it is important to note the guidelines of use. Let’s take a closer look at these.

It is lawful to process data in the legitimate interests of the data controller or third party, including personal or business-oriented interests of the two. However, the exception is when such interests are outweighed by the interests or fundamental rights and freedoms of the data subject. For example, if the data subject is a child.

As outlined in GDPR, the act of processing personal data for direct marketing purposes could also potentially fall under ‘legitimate interest.’ Direct marketing is outlined as selling to a customer using personal details to inform the approach, for example details of purchase history or address. However, when using this approach, the company has an added responsibility to consider and protect an individual’s rights, pose minimal impact to the individual and avoid the requirement for consent under Privacy and Electronic Communications Regulations (PECR).

Below we have outlined additional areas for consideration to ensure you are complying with legitimate interest guidelines:

  • What is the legitimate interest? Have you identified this?
  • What are your objectives? Is this process entirely necessary, or is there a less intrusive method?
  • Data sensitivity
  • Have you considered the rights of the data subject?
  • Data subject vulnerability
  • Ensure the data is protected and minimise risk.

Legitimate Interest Assessment

If you wish to use legitimate interest as a lawful basis, you will need to complete a Legitimate Interest Assessment (LIA).  In simple terms, an LIA is a risk assessment demonstrating all considerations and justifying your case.

It is important to use effective configuration techniques to ensure your LIA is up to date and fully compliant. Any alterations to the case must be justified. Be sure to update your privacy policy to include a full account of the legitimate interest in a clear and transparent way.

Sales, marketing and GDPR

You may be wondering, will my sales and marketing functions still be a success under GDPR? The answer is, yes! In both marketing and sales, companies can use legitimate interest and individual consent as a lawful basis for using personal data. By using an effective CRM system and a segmented target database, these professions should not be hugely impacted by GDPR. However, to help out, we’ve highlighted some areas for consideration to ensure you and your team remain fully compliant.

  • Privacy policy – Create a clear and simple privacy policy. Be transparent with your customers and ensure that they know exactly what data you require and how it will be used. There should be no confusion for individuals and if they have questions, you should always offer a valid response.
  • Data gathering – Under the new GDPR rules you are only legally allowed to gather data for the purpose specified in the case. It is no longer possible to gather any available information, regardless of relevance. Instead, all data must be considered fully aligned with the data processing purpose to be compliant.
  • Data transfers – A data subject has the right to request a data transfer of their identifiable information. This service must be provided free of charge via a standardised electronic format within 30 days.
  • Legitimate interest over email – It is important to keep records of individuals’ interest fully up to date to avoid a breach. An email that you sent out may have legitimate interest one week, but the following it may be invalid. For instance, if a person’s job role has changed then their interests may shift considerably and your targeted email is no longer of legitimate interest.
  • Human intervention to protect individuals – It is possible to request human intervention when decisions are made, as opposed to these decisions being made by automation systems. This improves the control that data subjects have over their data, and removes risky assumptions being made by algorithms.
  • Access requests – It is possible for data subjects to request every detail you hold about them and it is mandatory to respond to each request within 30 days. If upon viewing their information, the individual finds incorrect or incomplete data then they can request rectification, again within 30 days of receipt.
  • The right to be forgotten – Upon request an individual has the right to have their personal information removed from your database, including any suppression lists that may continue to hold information, such as email addresses.

While it is clear that GDPR will change some business processes and how you handle your data, it also presents great opportunities for your company to reconsider your strategies, strengthen your approach and get ahead of your peers.

For further information with regard to GDPR head to: https://ico.org.uk