General Data Protection Regulation (GDPR)

Introduction

The introduction of the GDPR presents a number of challenges and opportunities for businesses in the months before it becomes enforceable on 25 May 2018.

Cantata is already working with a number of clients to ensure a smooth and compliant transition for their business. With this experience, we thought it would be useful to publish a series of blogs over the next few weeks highlighting key challenges and experiences which may be useful to others.

The series of articles is planned to contain the items listed here but may be amended as experiences are shared and further clarification is issued. The articles are general guidelines to aspects of the legislation and business impacts based on the current understanding of the Cantata team. Nothing in the articles should be relied upon as a definitive statement of legal position.

For now, the key point to remember is that GDPR is primarily a business challenge rather than a technology one, although we have seen how it can have significant implications for our clients’ technology base. As ever, your systems are there to support and enable the business function, not to lead it, and you will need processes and training – potentially also the introduction of new roles in the organisation – quite separate from any technology changes.

The starting point for most organisations is simple – understanding what personal data you hold, where it is held and why you hold it. Surprisingly few organisations are currently clear on this, and it makes a massive difference to the approach to achieving overall compliance with GDPR, so make this top of your priorities for 2017 to enable whatever is needed in 2018.

Topics in this series of blogs will include:

  • The basics – what is covered and for whom?
  • Consent – what it means and who can give it
  • What do organisations have to do – and how should they demonstrate that?
  • Removing data – the right to be forgotten
  • Transferring data
  • Security of your data

The basics – what is covered and for whom?

GDPR applies to any organisation established in the EU, and to any organisation outside the EU which offers goods or services to individuals in the EU, that stores and/or processes personal data (including sensitive personal data), whether in electronic form or in structured paper filing systems. GDPR applies to data held by or processed for not-for-profit and charitable organisations as well as more commercially focused ones, and to data held for all purposes.

If you are storing, collecting, using or deleting personal data about your individual customers, staff, members, supporters, suppliers or any other contacts, including individuals who work for organisations you deal with, you are processing personal data. GDPR does not only apply to data used for marketing purposes – and the definition of personal data extends to information about sole traders and partnerships (who are identifiable individuals) as well as private individuals.

If you are sharing or transferring such data to other organisations, you need to consider the additional requirements which cover this aspect of the regulation.

Further, if the information you hold and process includes sensitive personal data (which GDPR calls “special categories of personal data”), you need to consider the additional responsibilities which apply. Sensitive personal data is described as information on:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data
  • data concerning health
  • data concerning a person’s sex life or sexual orientation

It’s worth looking at why you hold this data and whether the additional value you derive from it justifies the additional obligations that come with it.

Legitimate reason

There’s been much talk of the need to get explicit customer consent to hold data – and it’s important to do so in most cases – but there are exceptions for data which is essential for the specific purposes outlined below. Don’t assume that data collected for one of these purposes can then be used for any other purpose!

What we are calling a “legitimate reason” here (GDPR’s term is a “lawful basis” for processing) covers several circumstances in which it is essential to hold and process personal information:

  • During a purchase, basic information is necessary to fulfil the transaction, e.g. contact and address information must be recorded to arrange delivery of the item. The seller will also have to record the transaction and the individual to whom they supply the goods.
  • Sometimes there is a legal obligation to collect and process personal data. For employees, there is an obligation on the employer to record and process payroll information and report details to HMRC. As this is a legal requirement, there is no need for the explicit consent of the individual to do this.
  • Processing may be necessary to protect the “vital interests” of an individual – effectively, matters of life or death.
  • Holding and processing the data may be necessary to comply with a UK legal obligation, or to enable the performance of a task carried out in the public interest.

Apart from that

Otherwise, it’s wise to assume that you will need EXPLICIT consent to hold and use the data – consent that is freely given, specific, informed and unambiguous, and explicit in the case of sensitive personal data – and this is very different from the historic approach to data gathering in many organisations.

Future posts will review what consent really means and how to approach gaining the agreements you need.