This page explains some of the main points of GDPR and how it could affect your business.
Whilst it serves as a general introduction to GDPR you must still check how it will affect your particular business and what your specific obligations are.
Further details of how to do this can be found at the end of this page.
The GDPR requires any organisation that processes the personal data of individuals in the EU to protect that data appropriately and to be able to demonstrate, with documented evidence, that it does so.
Examples of personal data you hold could relate to customers, leads, suppliers, or employees.
Financial penalties for failing to comply with the GDPR are severe, with fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher.
Why do we need GDPR?
Data breaches are a serious and growing problem, and the GDPR aims to protect personal data more effectively in the modern connected world.
What have Blackburn and Blackburn done about GDPR?
- We have created a GDPR compliance plan and are working through our obligations and requirements.
- We have introduced a structured training plan for our staff.
- We have assessed the systems we use to store or process personal data and the reason why that data is stored.
- We are issuing new and more appropriate engagement letters to all clients to reflect the changes brought about by GDPR.
Main points of GDPR
Under GDPR businesses have to show what information they hold about a person and explain what they use that personal information for.
The GDPR places great emphasis on documentation to demonstrate accountability.
Personal data must be:
- Processed lawfully, fairly and in a transparent way
- Collected for specified legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing
- Processed in a manner ensuring appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
You must identify the lawful basis under the GDPR for each of your processing activities, document it and update your privacy notice accordingly. Your privacy notice must also state your data retention periods and tell individuals that they have the right to complain to the ICO if they think you are handling their data incorrectly.
Any consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw it.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person. This definition provides for a wide range of personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies both to personal data processed by automated means and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Lawful basis for processing data
There are six available lawful bases for processing. No single basis is more important than any other.
Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
You must determine your lawful basis before you begin processing, and must document it.
Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
At least one of these lawful bases must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
How to decide which lawful basis applies
You might consider that more than one basis applies, in which case you should identify and document all of them.
When to decide on a lawful basis
Under GDPR you must determine your lawful basis before starting to process personal data.
How to document the lawful basis
You must be able to demonstrate you are complying with the GDPR, and have appropriate policies and processes.
You must be able to show you have properly considered which lawful basis applies to each processing purpose and be able to justify your decision.
You must keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies.
There is no prescribed format for this record, provided that what you record is sufficient to demonstrate that a lawful basis applies.
It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.
What to tell people
You need to include information about your lawful basis in your privacy notice.
Under the transparency provisions of the GDPR, the information you need to give people includes:
- your intended purposes for processing the personal data; and
- the lawful basis for the processing.
Accountability for smaller organisations
One of the biggest changes introduced by the GDPR is accountability.
Smaller organisations should, amongst other things:
- ensure a good level of understanding and awareness of data protection amongst staff;
- implement comprehensive but proportionate policies and procedures for handling personal data; and
- keep records of what is done and why.
Further advice and information for our clients
The information above is intended to help prepare our clients for the GDPR in the context of our services and should not be taken as legal advice. Additionally, there may be other parts of the legislation that affect other areas of your business as well.
Whilst this page offers a basic introduction to the GDPR, we advise clients with questions about the GDPR and how it applies to them to make the Information Commissioner's Office (ICO) website their first point of reference (see below).