The GDPR is the gold standard for data protection around the world. In fact, we’re seeing many countries adopt GDPR-style laws. The UK incorporated GDPR into in 2018 and has created a “UK GDPR” regime that will closely align with “EU GDPR”, so whether you have customers, contacts or operations in the EU or not, your UK business will still need to fulfil GDPR requirements.
GDPR takes cybersecurity, data lifecycle management and vendor management best practices and maps them onto fair information principles to make data protection business-as-usual. Failure to meet GDPR requirements can result in steep fines, enforcement action and even litigation. But what exactly does getting GDPR right entail? We’ve distilled its 99 articles, 173 recitals, regulatory guidance and legalese down into 10 Golden Rules to make it easier to understand what your business needs to do to comply.
Register with the ICO and appoint a DPO and a Representative (if required)
You may need to register with the ICO and pay a fee. You may also be legally required to appoint a Data Protection Officer (DPO) who has the expertise, knowledge, and independence to properly advise and report to the highest level of the business on your data processing activities. They can be internal or external, as long as there is no conflict of interest. Even if you don’t require a DPO, you should appoint a privacy lead who can keep you on track in this ever-evolving compliance area.
If you are outside the UK or EEA but target goods or services to or monitor the behaviour of UK or EEA residents, you may need to appoint a UK Representative or EU Representative or both. If you have a presence in the EEA, such as a branch office, confirm your Lead Supervisory Authority, as they will have oversight over your cross-border EEA activities, while you will be answerable to the ICO for UK-related processing activities.
Know your data
You need to know what personal data you hold, where you store it, what you do with it, who receives it and more in order to properly protect it. Under GDPR, you need to document this in an evergreen Record of Processing Activities. Pay close attention to special category data, criminal offence data, and children’s personal data, as they require more protection. Visually mapping your data flows make it easier to get a handle on your processing activities, flag high-risk data and issues, and gain deeper insights into your data.
Confirm you can, decide if you should
You can only process personal data if you can demonstrate you meet the conditions for the appropriate lawful basis. Consent is just one of six lawful bases. Make sure you choose the right one. Getting it wrong could be costly or frustrate your business objectives. You’re expected to strike the right balance between your objectives and the interests of the people whose data you process. If they wouldn’t reasonably expect you to use their personal data in the way you’re contemplating, you’ve probably breached the fairness principle. Using deceptive practices, pressure tactics or “dark patterns” to trick people into sharing their data will also be considered unfair.
PECR creates special rules for marketing, website / app tracking and telecommunications that determine which lawful basis applies. For example, you generally need GDPR-level consent to direct marketing and cookie or tracker use, unless an exception applies. And GDPR’s stringent transparency requirements apply to the entire digital marketing journey, from gathering website or video analytics to email marketing and cold calls.
Say what you’ll do, do what you say
There is a long laundry list of privacy information you must provide to people whose data you process, even if you get it from someone else. You’re expected to deliver the information in a clear, concise, and intelligible manner. Unless an exception applies, you can only use personal data for the purposes you’ve described in your privacy notice. For example, if you collect mobile numbers of account holders for two-factor authentication, you can’t then use them for SMS marketing or location-tracking unless you let them know in advance and they consent (or don’t object if you can rely on legitimate interests).
Be a minimalist and when in doubt, throw it out
Under GDPR, you’re not allowed to collect or keep personal data just because you think it may be useful later. You may only use the amount of personal data that is reasonably necessary, relevant and adequate for your purposes. And you can only keep it for as long as required for those purposes or by law. After that, it must be deleted.
Assess and address risks and build in controls
The GDPR is risk-based, principled and outcomes-focused. The greater the risk to the personal data in question, the greater the protection. You’re required to assess and mitigate the potential risks to individuals of your processing activities and implement “appropriate technical and organisational measures”. Formal assessments are required in certain cases:
- Legitimate Interests Assessment: if you rely on legitimate interests for a processing activity.
- Data Protection Impact Assessment: for higher risk activities.
- International Transfer Risk Assessment: to assess the laws and practices of a country outside the UK or EEA where you wish to transfer personal data to ensure your recipient can maintain essentially equivalent protection for the personal data, and whether you need to increase protection in others ways, e.g. through strong encryption.
You may face steep fines or other enforcement activities, like a stop order or an order to delete the data, if you fail to do so.
Keep it secure, take care when sharing
Both controllers and processors have explicit legal obligations to maintain appropriate technical and organisational measures to keep personal data they process secure in light of the risks of harm to individuals if the confidentiality, integrity or availability of their personal data were to be breached. Only those with a legitimate need-to-know should have access to or use the personal data, whether inside or outside your business, and you must not only transmit it securely but also ensure the person who receives it maintains that level of protection. You’re also responsible for ensuring personal data is complete, up-to-date, and accurate.
Detect, manage and report breaches
The GDPR introduced the strictest personal data breach reporting requirements. Reporting and remediation obligations will vary depending on whether you are a controller or processor of the data in question. If you are a controller, you must report certain breaches to the relevant supervisory authority (and to the individuals concerned in some cases) within 72 hours. Processors must report suspected breaches to their controller “without undue delay” to give them time to assess and remedy the situation within the reporting timelines. Processors must also assist the controller in breach response. Handling breaches appropriately involves a lot of advance preparation. Learn more here.
Individuals enjoy enhanced rights over their personal data under the GDPR. In addition to the right to be informed, there are seven rights, which include erasure rights, the right to object to certain processing (like direct marketing), and rights related to automated decision-making and profiling (e.g. with AI). Controllers are directly responsible for responding to rights requests (“DSRs”) within one month, while processors are required to provide reasonable assistance to their controller clients upon request. Again, knowing your data is critical to being able to meet these onerous requirements.
Protect it wherever it goes
GDPR’s protection follows the data, whether you send it to an outside vendor for processing or transfer it outside the UK or EEA. You need to ensure any vendors or third parties provide sufficient guarantees of GDPR compliance, including mandatory terms in your contracts, periodically review your due diligence, and, if your recipient is outside the UK or EEA, meet additional conditions for these “restricted transfers”. You may need to complete or assist with an International Transfer Risk Assessment, do more to protect the data, and sign Standard Contractual Clauses.
Wherever you are in your GDPR compliance journey, most UK businesses will need to make changes in light of Brexit. Speak to us to find out how we can help.
Written by Abigail Dubiniecki
Privacy Specialist at My Inhouse Lawyer
One of our values (Growth) is, in many ways, all about cultivating a growth mindset. We are passionate about learning, improving and evolving. We learn from each other, use the best know-how tools in the market and constantly look for ways to simplify. Lawskool is our way of sharing with you. It isn’t intended to be legal advice, rather to enlighten you to make smart business decisions day to day with the benefit of some of our insight. We hope you enjoy the experience. There are some really good ideas and tips coming from some of the best inhouse lawyers. Easy to read and practical. If there’s something you’d like us to write about or some feedback you wish to share, feel free to drop us a note. Equally, if it’s legal advice you’re after, then just give us a call on 0207 939 3959.
How it works
It starts with a conversation about you. What you want and the experience you’re looking for
We design something that works for you whether it’s monthly, flex, solo, multi-team or includes legal tech
We use Workplans to map out the work to be done and when. We are responsive and transparent
Freedom to choose & change
A responsive inhouse experience delivered via a rolling monthly engagement that can be scaled up or down by you. Monthly Workplans capture scope, timings and budget for transparency and control
A more reactive yet still responsive inhouse experience for legal and compliance needs as they arise. Our Workplans capture scope, timings and budget putting you in control
For those one-off projects such as M&A or compliance yet delivered the My Inhouse Lawyer way. We agree scope, timings and budget before each piece of work begins