It's understandable that businesses might panic when there are significant changes to the law. The EU General Data Protection Regulation (“GDPR”) has been no exception, and the alarming number of articles written about the equally alarming increase in the maximum fines has not helped.
With so much being written about GDPR it can be difficult to know where to start. So we asked one of our clients, Andy Harris, partner in the commercial law firm MBM Commercial, to help. This short article can't cover everything that a business may need to do to be GDPR compliant. However it should help explain some of the key issues that businesses need to be considering. And hopefully it may help reduce the panic too…
Personal data audit
The starting point for any business is a clear understanding of what personal data it holds, how it obtained it and how it uses it. A key change under GDPR is the new “accountability” principle, which requires data controllers to be able to demonstrate compliance with the other data protection principles. Without an audit of your personal data it's going to be very difficult to do this. After all, if you don’t know what you have, how you got it and what you do with it, how can you prove that you are complying?
The consent myth
There is often a mistaken belief that data protection compliance requires consent of the individual to the processing of his/her personal data. However, consent is only one of various ways that a data controller can show that their use of personal data is fair and lawful. For example, a data controller can process an individual’s data where this is necessary for the performance of a contract with that individual. When you buy something online your name and address will often be passed to a delivery company. That is part of your contract with the seller, as you want the goods delivered. The seller doesn't need your consent to do this. It has to use your data in this way to comply with the contract.
Another example is where personal data is processed for the purpose of a “legitimate interest” of the data controller. However, this is only possible where that interest is not overridden by the interests, rights or freedoms of the individual. So you can't just decide to use personal data for whatever purpose you want. You have to balance the benefit to you against the risks to the individual, and, given the accountability principle mentioned above, you should record that balancing exercise so you can show it was done. Passing details of a non-paying customer to a debt recovery firm is fine; selling your customers' personal data to a direct marketing company is not, regardless of the fee involved.
GDPR compliance is therefore not simply about ensuring you have consent. You may well be entitled to process personal data without it. But you will need to be clear why.
Justify your use
Although under existing legislation you must have a valid reason for using an individual’s personal data, a key change under GDPR is that you must tell the individual what that reason is.
Therefore, having checked what data you have and what you use it for, you then need to assess what the legal basis is for that use. This won’t necessarily be the same for all cases. For example, some uses might be justified by contract, while other uses might be based on your legitimate interests or on consent. Whatever justification you are relying on however, you need to explain this clearly to the individual whose personal data you're using.
If you are relying on consent it is important to note that GDPR requires consent to be unbundled and freely given. A lot of businesses will be basing their ‘consent’ on the fact that the individual ‘agreed’ to the use of personal data because it was set out in their terms and conditions. However this approach is not likely to find favour under GDPR as it does not involve freely given, unbundled consent. Individuals have no choice in the matter. If they want to use the goods or services on offer they have to sign up to the terms they are presented with. They are effectively being told how their data is being used rather than freely consenting to that use.
As mentioned above, consent is not mandatory and in fact consent can be problematic as it comes with additional rights for the individual, and of course can be withdrawn. It is therefore better to justify your processing on another basis if you can. If you can’t then you need to make sure the consent is indeed freely given in relation to the particular processing concerned – and not bundled up in a non-negotiable contract.
Don’t believe all you read about fines…
Being sceptical of the headlines doesn't mean fines won't increase. They will, just as they did when the previous maximum penalty went from £5k to £500k. However, a higher maximum doesn't necessarily mean that the vast fines possible under GDPR will be imposed, or that massive fines will become commonplace, despite the number of articles predicting precisely that kind of data breach Armageddon. We have to remember that, to date, the existing maximum fine has never been imposed (80% of the maximum is the current record). It should also be kept in mind that last year the Information Commissioner's Office (“ICO”) imposed fines in only 16 of the 17,300 cases it concluded. The ICO has also been at pains to address the concern over fine increases and has recently reaffirmed that it remains committed to guiding, advising and educating companies and other organisations on how to process and handle personal information, with fines being a last resort.
There may be a lot of work ahead and your customers and suppliers may start asking you about your plans for GDPR compliance if they haven’t already. If you haven’t started any meaningful review of how you are going to meet the enhanced data protection requirements under GDPR, now is the time to do so.
For more information on GDPR contact email@example.com.