The ultimate guide to GDPR

Richard Glynn
Business Development Consultant
8th October 2019


What does GDPR stand for?

GDPR stands for General Data Protection Regulation, a European Union law governing data privacy and protection. GDPR was implemented to safeguard the personal data of citizens of the EU and of the European Economic Area (EEA). GDPR replaces the Data Protection Directive.

What is GDPR?

GDPR is the EU’s General Data Protection Regulation. It lays out one set of data protection rules for all organisations that operate within the EU.

GDPR applies to any entity that operates in the EU, regardless of where they are based. This means that businesses located outside of the EU must also comply with GDPR if they wish to bring services or products to EU citizens.

The purpose of GDPR is to enforce a stronger set of rules governing data protection, giving people greater control over their personal data. GDPR replaces the Data Protection Directive 95/46/EC.

Under GDPR governance, all businesses operate on a level playing field. Businesses must have a concrete consent management process and an effective data rights management system.

General Data Protection Regulation brings into effect new rights for people, such as:

  • The right to be forgotten – Organisations must delete a person’s data, under certain circumstances, on the request of an individual.
  • The right to access – Organisations have to supply users with a copy of all data that they have collected on them.
  • The right to data portability – Under certain circumstances, an organisation must transfer user data to another organisation of the user’s choosing.
  • The right to rectification – Organisations must update inaccurate or incomplete data.
  • A legal basis for data processing – Organisations must clearly justify the need to process data. There are several legal bases for this, outlined in Article 6, Lawfulness of Processing.

Under Article 6, the processing of data by organisations is only lawful if one of the following applies:

  • If a person has given explicit consent to process their data for a specific purpose.
  • If processing is necessary to comply with legal obligations.
  • If processing is needed to perform a contract, or prior to entering a contract, with the individual.
  • If processing is needed to protect the vital interests of the person or another natural person.
  • If processing is necessary for performing tasks carried out in the public interest or by an official authority vested in the organisation.
  • If processing is required for a legitimate interest of the organisation, or a third party, except where that interest is overridden by the interests, fundamental rights, or freedoms of the person.

When did GDPR come into force?

The debate and preparation for GDPR took place over four years. GDPR was approved by the EU Parliament on the 14th of April 2016. GDPR came into force on the 25th of May 2018.

What is GDPR compliance?

GDPR compliance is a regulatory standard that organisations must meet if they control or process the personal data of EU residents. There are two main areas to consider to ensure your organisation is compliant: cookies and an information audit.

Cookies: Cookies are a useful tool for companies and can give them insights into their users’ activity online. Cookies are small text files that are put on a user’s device when they browse a business’s website. They are stored and processed by the user’s web browser.

Cookies are easy to view and delete and they serve a vital function. They are harmless and businesses use them to track the online activity of users, with the purpose of targeting the user with specific adverts, relevant to what they search for.

Under GDPR, cookies can be considered as personal data. This is due to the amount of information that they may contain, which could potentially identify a user, without their consent.

Organisations can process this data if they acquire cookie consent. This is usually achieved by adding a pop-up, as laid out in the ePrivacy Directive (EPD), known as the cookie law.

For GDPR cookie compliance, organisations must:

  • In plain language, provide specific and accurate information on the data each cookie tracks prior to receiving consent.
  • Acquire a user’s consent prior to using any cookies, except those that are strictly necessary.
  • Make withdrawing a user’s consent as easy as giving consent.
  • Document and save consent from users.
  • Permit users to access their services, regardless of whether they give cookie consent.

The rules that govern cookies are changing and being adapted all of the time. Because of this, maintaining compliance under GDPR will be a continuous job.
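The five cookie rules above, turned into a small consent-gated cookie layer (an added illustration, not code from the original article). All names are hypothetical; the cookie store is injectable so the module runs outside a browser, where it would instead be backed by document.cookie.

```javascript
// Consent-gated cookie handling: strictly necessary cookies are always
// allowed, every other cookie is blocked until its category is consented to,
// withdrawal is one call (and deletes cookies already set), and every
// grant/withdrawal is logged with a timestamp as the consent record.

const STRICTLY_NECESSARY = "necessary";

// Plain-language declarations shown to the user before consent is requested.
// Constructed sample data; a real site lists its own cookies here.
const COOKIE_DECLARATIONS = [
  { name: "session_id", category: STRICTLY_NECESSARY,
    purpose: "Keeps you logged in while you use the site." },
  { name: "_analytics", category: "analytics",
    purpose: "Counts page views so we can see which pages are used." },
  { name: "_ad_id", category: "advertising",
    purpose: "Identifies your browser to show adverts matched to your searches." },
];

function createConsentManager({ jar = new Map(), now = () => new Date() } = {}) {
  const granted = new Set();   // categories the user currently allows
  const consentLog = [];       // durable record of every grant and withdrawal

  const categoryOf = (name) => {
    const d = COOKIE_DECLARATIONS.find((c) => c.name === name);
    return d ? d.category : null;
  };

  function logEvent(action, categories) {
    consentLog.push({ action, categories: [...categories].sort(), at: now().toISOString() });
  }

  return {
    // Text for the consent banner: each cookie, its category and its purpose.
    declarations() {
      return COOKIE_DECLARATIONS.map((c) => ({ ...c }));
    },
    // Granting consent is a single call per list of categories ...
    grant(categories) {
      categories.forEach((c) => granted.add(c));
      logEvent("grant", categories);
    },
    // ... and withdrawing it is the same single call. Cookies already set
    // in the withdrawn categories are removed immediately.
    withdraw(categories) {
      categories.forEach((c) => granted.delete(c));
      for (const [name, entry] of [...jar]) {
        if (categories.includes(entry.category)) jar.delete(name);
      }
      logEvent("withdraw", categories);
    },
    // The gate: undeclared cookies are refused; declared ones are stored only
    // if strictly necessary or in a consented category. Returns true if set.
    setCookie(name, value) {
      const category = categoryOf(name);
      if (category === null) return false;
      if (category !== STRICTLY_NECESSARY && !granted.has(category)) return false;
      jar.set(name, { value, category });
      return true;
    },
    cookies() { return [...jar.keys()].sort(); },
    consentRecord() { return consentLog.map((e) => ({ ...e })); },
  };
}

// Walk-through with a fixed clock so the consent record is reproducible.
function demo() {
  const fixedClock = () => new Date("2019-10-08T09:00:00Z");
  const cm = createConsentManager({ now: fixedClock });
  const results = [];
  results.push(cm.setCookie("session_id", "abc")); // true: strictly necessary
  results.push(cm.setCookie("_analytics", "1"));   // false: no consent yet
  cm.grant(["analytics"]);
  results.push(cm.setCookie("_analytics", "1"));   // true: category granted
  results.push(cm.setCookie("_ad_id", "x"));       // false: advertising not granted
  cm.withdraw(["analytics"]);                      // removes _analytics again
  return { results, cookies: cm.cookies(), record: cm.consentRecord() };
}
```

The service itself (the session cookie) keeps working whether or not the user consents, which is the last of the five rules.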

Information audit: If your organisation conducts higher-risk personal data processing or has more than 250 employees, then it should conduct an information audit. These companies should keep an up-to-date list of the processing activities they undertake. They should be ready to show their processing activity list to regulatory authorities at any time.

One of the easiest ways to achieve GDPR compliance is to carry out a data protection impact assessment (DPIA). If your business introduces new projects that involve high risks to personal data, then an additional DPIA should be conducted.

If your business is unsure as to whether it needs to conduct a DPIA, then the list below gives examples of when a DPIA is needed:

  • You track people’s behaviour or their location.
  • You are introducing new technologies.
  • You are monitoring, on a large scale, a publicly accessible place.
  • You are processing children’s data.
  • You are making automated decisions by processing people’s data that could have legal effects.
  • You process data that could result in physical harm to a person if the data is leaked.
  • You process data such as ethnic origin, racial origin, religious beliefs, political opinions, philosophical beliefs, genetic data, union membership, or biometric data, for the purpose of identifying a natural person. Health data and sexual orientation also fall under this condition.

A DPIA should include several elements that are outlined in Article 35 of GDPR. These elements include:

  • An assessment of the proportionality and necessity of the data processing to the purpose.
  • An assessment of the risks to the freedoms and rights of data subjects.
  • A description of the processing operations and the purpose of processing the data. This should include, where relevant, the legitimate interest pursued by the data controller.
  • What security measures are to be put into place to safeguard personal data. This should show compliance to GDPR and take into account the interests and rights of the data subject.

It is vital to ensure that your DPIA is prepared before you start any type of data processing. The DPIA should form part of your project planning and if you have a data protection officer (DPO), then they should be included.

The Information Commissioner’s Office, which is the UK’s regulatory authority overseeing GDPR, has produced a handy template. You can view the Data Protection Impact Assessment Template, and this will help your company decide if your processing activities require a DPIA. The template includes a series of questions that you should consider, to help you determine the security protections you should put in place.

Does GDPR apply to individuals?

GDPR does not apply to data processing carried out by individuals solely for household and personal activities. This means that you can keep personal contacts’ information on a computer or a smartphone. You can also store footage from CCTV cameras that you may have placed on or in your house to deter intruders.

GDPR compliance is only required for any company, business, or organisation that holds or processes personal data in some way. It does not matter if these organisations are located in the EU. If they hold or process the personal data of an EU citizen, then GDPR applies.

Who is responsible for enforcing GDPR?

Every EU Member State has designated an independent public authority, to be responsible for enforcing GDPR compliance. The authority is known as a DPA (Data Protection Authority) or supervisory authority.

The DPA in each country is tasked to do the following:

  • Monitor and enforce GDPR compliance.
  • Promote awareness of the obligations of processors and controllers.
  • Publicly promote the data subjects’ risks and rights.
  • Manage and investigate complaints.
  • Document GDPR infringements and what corrective actions are given.
  • Cooperate with other data protection authorities.
  • Exercise corrective and advisory power.
  • Investigate GDPR application in the form of data protection reviews and audits.

In the UK, the ICO (Information Commissioner’s Office) is an independent body that has been set up to uphold information rights. The ICO works with the European Commission and the European Data Protection Board to implement and enforce GDPR compliance.

Businesses and public authorities whose core activities centre on the regular processing of personal data are required to have a DPO (Data Protection Officer). The DPO is responsible for managing the business’s GDPR compliance.

Does GDPR apply to me?

If your organisation processes the personal data of EU residents, then GDPR applies to you. GDPR applies to any business that processes, stores, or shares personal data. It is vital to recognise that GDPR applies to companies located anywhere, including companies outside of the European Union. It essentially affects any entity that is engaged in economic activity within the EU or with EU citizens.

Companies of all sizes are expected to comply with the EU’s GDPR. However, there are a few exceptions for organisations that have fewer than 250 employees. Firstly, organisations with fewer than 250 employees are not required to keep a record of processing activities unless:

  • The processing of data is not occasional.
  • The processing of data could result in a risk to people’s rights and freedoms.
  • The data being processed includes special categories of data, such as offenses and criminal convictions.

The EU’s GDPR also does not apply to people who process personal data at home and exclusively for household activities. An excellent example of this is the data captured by CCTV cameras, as a deterrent to criminals.

If GDPR applies to your organisation, then you must find out what your obligations are, to achieve GDPR compliance.

Does GDPR replace DPA?

Replacing the Data Protection Act 1998, DPA 2018 modernises and lays out a framework for the UK’s data protection law. GDPR does not replace DPA 2018 but instead sits alongside it, with the DPA defining how GDPR applies in the UK. Both the DPA and GDPR were introduced on the 25th of May 2018.

The DPA affects many things, such as exemptions, and it sets out the powers and functions of the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body that is tasked with upholding information rights.

The Data Protection Act 2018 covers several functions that GDPR does not, making it a necessary bill. DPA includes legislation that is solely specific to the United Kingdom. This means that it applies rules to the parts of GDPR that are left up to the individual EU Member State.

DPA 2018:

  • Provides certain exemptions from GDPR.
  • Allows children aged 13 to consent to data processing, instead of 16, as set out in GDPR.
  • Gives different rules to law enforcement authorities.
  • Extends data protection to national security and defence.
  • Sets out the powers of the UK’s Information Commissioner’s Office (ICO).

What does GDPR cover?

GDPR affects charities, businesses, and startups that process, collect, or control personal data of EU citizens. A controller is an organisation that determines the means of and purpose of processing personal data. A processor is an organisation that is responsible for, on behalf of the controller, processing data.

Personal data is any piece of information that can be used to identify a living person. Examples of personal data include:

  • Name or surnames
  • Home addresses
  • Location data
  • Identification card numbers
  • IP (Internet Protocol) addresses
  • Cookie IDs
  • Data held by doctors or hospitals
  • Advertising identifiers on phones

GDPR also covers sensitive personal data, such as sexual orientation, political views, and religious views.

GDPR does not cover data such as company registration numbers, anonymised data, and generic business email addresses (info@yourcompany.com). GDPR also doesn’t cover data processed for personal reasons, in one’s home, where there isn’t a connection to commercial or professional activity.

GDPR changes the rights of EU citizens, giving them the right to:

  • Information on the processing of their personal data.
  • Object to the processing of their data for marketing purposes.
  • Restrict the processing of their personal data under certain circumstances.
  • Obtain access to the personal data that is being held.
  • Request that their personal data be corrected if it is incomplete or inaccurate.
  • Request for their personal data to be deleted, when it isn’t needed any longer for processing.
  • Request their personal data in a machine-readable format, and send it to another controller.
  • Request that decisions made using automated processing be made by natural persons and not just by computers.

What is a privacy notice GDPR?

Also known as a privacy policy, the privacy notice performs an essential role in your company’s GDPR compliance. A privacy notice is mandatory if your organisation processes, collects, or uses the personal data of EU citizens.

Your EU General Data Protection Regulation privacy policy must:

  • Inform EU citizens about how you will use, process, and collect their personal data.
  • Be presented at the first point of data collection.
  • Use clear, transparent, and plain language, be free of charge and be created in an accessible format.

If you collect personal data then you must create a privacy notice that includes the following elements:

  • The legal basis and purpose for processing the citizen’s personal data.
  • The identity and contact details of the data controller.
  • If you are required to have a data protection officer (DPO), the details of this person.
  • The length of time that you will hold the citizen’s personal data.
  • What the legitimate interest is for legally processing the citizen’s data.
  • The right of the citizen to withdraw consent at any time.
  • Who, including categories of recipients and named parties, you will share the citizen’s personal data with.
  • Any third countries that you may transfer data to, and what safeguards are in place.
  • The right of the citizen to make a complaint to the Information Commissioner’s Office (ICO).
  • The existence of the individual’s rights also referred to as data subject rights.
  • If you carry out automated decision making, such as profiling, how these decisions are made, their significance, and any possible consequences.
  • Contractual or statutory requirements, if they exist, for the citizen to provide their personal data and any consequences of not providing their data.

If you happen to collect data from a third-party (any source other than the data subject), then in your privacy notice, you must also include:

  • The data source and if that source is publicly available.
  • The categories of personal data.

Your organisation’s GDPR privacy notice should be located on your website. You must link to this whenever you ask an EU citizen to register with your service, sign up to a newsletter, or provide any personal information, in any other way. You should also be aware that your GDPR privacy notice must be available orally, to ensure comprehension and to assist the visually impaired.

When you create a privacy notice for your organisation, you should answer the following questions and cover the following topics:

  • What data do we collect?
  • How do we store your data?
  • How do we use your data?
  • How do we collect your data?
  • What are cookies?
  • How do we use cookies?
  • What types of cookies do we use?
  • How to manage your cookies.
  • What are your data protection rights?
  • How to contact the appropriate authorities.
  • Marketing.
  • Changes to our privacy policy.
  • The privacy policies of other websites.
  • How to contact us.

The EU’s GDPR guidelines also suggest a series of phrases that you either shouldn’t use or should add an explanation to, in order to clarify what is meant and why. These words include research, services, and personalisation.

Does GDPR apply to business contacts?

EU GDPR compliance is a must for any organisation that is a controller or processor of personal data. GDPR covers the personal data of EU citizens and there is no difference between business-to-customer and business-to-business personal data.

What we mean here is that business contacts are still covered by the GDPR guidelines if the details include those of a natural person. For example, there is no difference between email addresses such as firstname@gmail.com and firstname@omnicybersecurity.com. This is because both types of email address include the name (personal data) of the person who uses that email address.

However, if the email address does not identify a person, then it is not covered by GDPR. For example, info@omnicybersecurity.com does not include a person’s personal details. This email address could be for anyone within the company.

Does GDPR apply to sole traders?

Sole traders must also comply with GDPR. All businesses that handle personal data are advised to designate a person to oversee GDPR compliance. Compliance is required because all businesses, including sole traders, are vulnerable to data breaches. These breaches can be of a malicious nature or may simply occur because of minor negligence.

Cybercriminals often attack small businesses and sole traders, because their cybersecurity may be weak. Businesses must report any breach to the authorities within 72 hours.

The breach notification must include:

  • The type of breach and the number of personal data records that are affected.
  • A description of the consequences that might occur, due to the breach.
  • The name and contact information of the person responsible for overseeing GDPR compliance.
  • A description of the proposed measures or the measures already taken to respond to the breach.

How many GDPR principles are there?

Under GDPR, organisations must follow seven principles (sometimes referred to as six plus one) when collecting, managing, or processing the personal data of EU citizens. GDPR must be followed regardless of where the organisation is located. Many of the principles are similar to those outlined in the Data Protection Directive (DPD), so some organisations will simply need to make adjustments to fall in line with GDPR compliance.

The GDPR principles offer companies a fundamental guide to their data protection responsibilities.

The principles outlined in Article 5 of the regulation include:

  • Lawfulness, fairness, and transparency – Personal data must be processed lawfully, fairly, and with transparency, in relation to the data subject.
  • Purpose limitation – Personal data should be collected only for an explicit, legitimate, and specified purpose, while not being further processed in a manner that is incompatible with the initial purposes.
  • Data minimisation – The personal data that is being collected must be limited, relevant, and adequate only for the purposes of which the data is being processed.
  • Accuracy – Personal data must be accurate and kept current. Your organisation will need to take every reasonable step to ensure the data is accurate. Having regard to the purposes for which the data is processed, inaccurate data should be rectified or deleted without delay.
  • Storage limitation – Personal data should be kept in a form that makes the identification of data subjects possible, for no longer than is necessary, for the purposes of the processing. However, personal data may be stored for longer when it is needed for archiving purposes that are in the public interest, historical or scientific research or for statistical purposes. This should be in accordance with Article 89(1) and subject to proper safeguarding of the rights and freedoms of the data subject.
  • Integrity and confidentiality (security) – Personal data should be processed in a way that guarantees the security of personal data. This should include protection against accidental loss, unlawful and unauthorised processing, and damage and destruction, using appropriate organisational and technical measures.
  • Accountability – The controller (the organisation that decides what and how data is processed) is responsible for, and must be able to demonstrate, compliance with the principles set out in paragraph 1 of Article 5.

How to report a GDPR breach?

Personal data breaches under GDPR compliance must be reported within 72 hours of your company becoming aware of the breach. GDPR breaches must be reported to the appropriate authority, which is the ICO in the United Kingdom.

Individuals must be informed of the data breach without delay if the breach is likely to result in a high risk of negatively affecting their individual freedoms and rights. Your organisation should retain a record of any personal data breach, even if you are not required to report it.

For GDPR compliance, your organisation must have robust breach detection, reporting, and investigation procedures. This will aid the decision-maker as to whether or not the breach should be reported to the affected individuals or the supervisory authority (ICO).

In order to prepare for a GDPR personal data breach your organisation should:

  • Understand that a breach isn’t solely about the theft or loss of personal data.
  • Know how to identify a personal data breach.
  • Have allocated the responsibility for the management of data breaches to a dedicated team or person.
  • Have prepared a response plan for handling personal data breaches.
  • Have trained your staff to know how to escalate a security breach to the appropriate team or person in your company that determines if a data breach has occurred.

There are several things you will need to know or put in place, for responding to a personal data breach. You should:

  • Have a process in place to assess the possible risks to individuals affected by the breach.
  • Know who the supervisory authority is for your processing activities.
  • Know what information you will need to give to the supervisory authority, regarding the breach.
  • Have a process in place that will inform the ICO within 72 hours, even if your organisation doesn’t yet have all of the details.
  • Have a process in place that will inform affected data subjects about the breach and what is likely to be the result, when there is a high risk to their freedoms and rights.
  • Know what information to provide to individuals in the case of a breach. You should also be able to provide the individual with advice on how they can protect themselves, from the effects of the data breach.
  • Be prepared to establish which European data protection authority to report to when the affected individuals are from different EU countries.

What is a data controller GDPR?

GDPR specifically defines a data controller as “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” This means that the data controller is the entity that determines the means by which and the purpose for which personal data is processed.

If your business decides how and why personal data is processed, then it is the data controller. Employees are not data controllers; they simply process personal data within your company to complete the tasks your company, as the data controller, has set out.

Your organisation might also be classed as a joint controller. A joint controller is an organisation that, along with another organisation, jointly determines how and why personal data is processed. If the joint controller label fits your company, then you must enter into an arrangement that clearly sets out the respective responsibilities for GDPR compliance. It is the main aspects of this arrangement that should be communicated to the person whose personal data is being processed.

An organisation may fit into a third group known as the data processor. A data processor only processes the personal data of EU citizens, on behalf of a data controller. Data processors are typically third-party external companies.

The data processor’s duties toward the data controller should be set out in a legal act or a contract. The contract should clarify certain important points, such as what happens to the data if the contract between the controller and the processor is terminated. It is vital to recognise that if your company is a processor, then written authorisation is needed from the controller under certain circumstances. This could be if personal data is to be processed by a further sub-contractor or if the processor wishes to appoint a joint processor.

What is GDPR training?

Since GDPR came into effect, training to help companies fully understand it and become compliant has become necessary. Many companies offer training courses, or you can provide training to your staff members in-house. Ensuring staff are trained appropriately and have a more comprehensive understanding of GDPR will reduce the risk of non-compliance.

Staff training has become an essential part of GDPR, since staff are the people who collect and process data from individuals. Not all staff members will need to know the full legislation of GDPR. It is essential, however, to make sure that all staff members know about GDPR and data protection issues.

GDPR training will usually cover the rights of the individuals that the data is about, the data controller’s responsibilities, and compliance rules. Each company will have different requirements when it comes to GDPR training, and will need to assess which staff members need training and the depth of knowledge and understanding required.

The person who will ultimately be responsible for overseeing compliance should also be considered. Any training carried out for staff members should cover:

  • Basic concepts of GDPR
  • Key obligations of staff members under GDPR
  • Data subjects’ rights
  • Compliance measures
  • Liabilities

Providing GDPR training will help to reduce the risk of data breaches as each member of staff is made aware of their responsibilities within the regulations. Not only this, but training will also be a demonstration of compliance with GDPR. A record of training will show that the necessary steps have been taken to prevent a data breach. Should a problem occur, a training record will prove that GDPR was taken seriously within the organisation.

Empowering staff with the appropriate training will help them to identify and report any potential GDPR issues in the day-to-day handling of data. GDPR training can be completed using online tools initially; however, face-to-face training is recommended to make sure staff members fully understand. Following up with this kind of training will allow employees to ask any questions relating to their specific job role and the daily scenarios they encounter.

While it may take time to train all staff members, it’s essential to make sure that the organisation is working towards GDPR training for everyone. Members of staff more directly involved in collecting and processing of data should be the priority. As a whole, companies should make sure that staff members have a general understanding of GDPR. This should include their responsibilities related to these regulations, and what they need to do if they believe there is a problem.

How does GDPR affect small business?

The implementation of GDPR affects all businesses’ data practices, whether big or small. These new regulations will determine how big and small businesses collect, store, and use personal data. However, the GDPR does recognise the fact that not all activities are the same.

Smaller companies are not bound by GDPR if:

  • The business has 250 employees or fewer, and
  • No sensitive data is handled, and
  • Data processing doesn’t affect the freedoms and rights of individuals

A company would have to fit all of these criteria to be exempt. For example, if a business has fewer than 250 employees and collects individuals’ sensitive data, it would have to be GDPR compliant.

If a company has more than 250 employees, it is automatically included in GDPR and will have to appoint a Data Protection Officer (DPO). The DPO cannot work in certain professions, such as IT or Marketing, as this would be considered a conflict of interest. Within these roles, employees are involved in the processing of data, and a DPO can’t be involved in both handling and protecting data.

While conducting the daily operations of a business, employees and the departments within a company will likely be collecting and processing information.

The GDPR covers sensitive information; a company will have to be GDPR compliant if it collects:

  • Genetic data
  • Health information
  • Religious information
  • Sexual orientation or activity
  • Ethnic or racial origin
  • Trade union membership
  • Biometric identification information

There are some exceptions, such as non-profits, customer service, or public health.

The “Rights and freedoms” of individuals is a primary focus of GDPR. The regulations are designed around protecting the rights and freedoms of individuals with regards to their personal data and the protection of their information. Any business conduct in regards to personal information that will affect a person’s rights and freedoms would be a GDPR violation.

GDPR compliance is an ongoing process for each business and will require diligent monitoring. The regulations enforce serious consideration of individuals’ data protection, and this will affect small businesses too.

How long can personal data be stored under GDPR?

The main elements of the GDPR focus on minimising data held, both in terms of the volume of information and the length of time the data is stored. Article 5(e) of GDPR covers the amount of time that data about individuals is permitted to be held. This part of the GDPR states that personal data can only be stored for as long as is necessary for the purposes for which it is being processed. Some circumstances allow data to be stored for more extended periods, such as for scientific research purposes or for archiving in the public interest.

Personal information should be stored for a strictly limited amount of time. The data controller of a business will need to determine the time limit for data storage. When this time has lapsed, organisations have a duty to ensure that the data is securely erased. These imposed limits and strict timetables are aimed at reducing the risk of data becoming irrelevant or inaccurate.

Although this may seem a vague ruling when it comes to time periods that data may be kept for, there are reasons for this. “No longer than necessary” simply means that organisations can only process and save data for the amount of time it takes to complete the process for which it has been collated. This can present some challenges as data is not always collected for a single purpose that is completed within a defined time.

Online retailers, for example, may collect order and payment data for an individual’s purchase. Once the order has been dispatched and the customer receives the goods, the process is essentially completed. However, if the retailer were to delete the information, it could cause potential problems. The customer may have a complaint and request a refund, or the records may be needed for accounting purposes.

Other information such as HR records or sales records for marketing purposes will also need to be kept for various periods. Data retention has to be assessed on an individual basis with each organisation looking at what reasons they will have to keep any data. These will have to be acceptable justifications under the GDPR. Each business will have to create a data retention plan that will be applicable to any personal information collected.

Is my website GDPR compliant?

The EU’s GDPR is relevant to all websites that have users residing in the EU. If your website isn’t GDPR compliant, then it may be subject to hefty fines.

There are two main messages that GDPR gives to organisations:

  • Organisations should make marketing communications as clear as is possible.
  • Organisations need to secure customer data.

Not sure your website is GDPR compliant? Contact Omni Cyber Security.
