What the ‘new era’ of Privacy Regulation means for your Business and your Website
In May 2018, businesses that collect or process data about clients, customers and consumers will have to adapt to new legislation that changes the way consent, data minimisation and security infrastructure are handled.
The rules are moving from a 20-year-old directive that was poorly enforced to the much more stringent and clearly defined General Data Protection Regulation.
The new rules leave far less room for uncertainty for courts, consumers or businesses and, although strict, they should help redefine public perceptions of “data-mining”, as its detractors call it.
This can help you shake the stigma surrounding data collection, re-engage with your client base and build trust in a way that was not possible before.
It is vital that you understand these changes to the law and adapt your communications to reflect them, which is why we have compiled this report, along with links to online resources you can use to simplify the transition.
What is The General Data Protection Regulation?
The General Data Protection Regulation (GDPR) replaces the existing legislation, the Data Protection Directive of 1995 (Directive 95/46/EC), and governs the processing and movement of personal data by private companies and public bodies alike. It was adopted by the EU member states (including the UK) in 2016 and applies from 25 May 2018.
Given that the preceding directive was adopted over 20 years ago, the GDPR attempts to reflect the changes in online business and in client/customer data handling that have taken place since.
Is it still going to be relevant and legally enforced in Post-Brexit Britain?
Yes; it is more than likely that the GDPR will continue to apply in the same form post-Brexit. Political commentators have speculated that the UK’s adherence to the new data regulations may be key to demonstrating that UK businesses can stand alone financially and trade ethically, and so to securing the UK’s place within the EU’s single market. If the GDPR is rewritten and re-enacted by Parliament, it will probably differ in name and little else.
Secretary of State Karen Bradley commented in Parliament:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Because the GDPR applies across every member state, it is enforced in each country by that country’s data protection supervisory authority. In the UK that body is the Information Commissioner’s Office (ICO), which oversees compliance and is the authority to which breaches are reported and complaints are made.
The ICO advises businesses that operate in several countries to identify where their most significant processing decisions are made and to treat that country’s authority as their lead point of contact for GDPR compliance issues.
What kind of data is being referred to here?
Officially, it is referred to as “personal data”. The core definition is essentially unchanged, although the GDPR spells out that identifiers such as location data, IP addresses and cookie IDs can make a person identifiable. For comparison, the UK’s Data Protection Act 1998, which implemented the 1995 directive, defined personal data as:
“data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.“
Data about companies and other legal persons is outside the regulation; sole traders, however, are living individuals rather than companies, so data about them is covered by the GDPR.
What did the previous legislation say about data protection/data processing?
The 1995 directive was implemented across the EU and built on seven principles:
– Notice: data subjects are given notice that their data is being collected;
– Purpose: data is used only for the purpose stated (see the section on Data Minimisation);
– Consent: data is not disclosed without consent from the subject;
– Security: data is kept secure from potential abusers;
– Disclosure: subjects are informed who is collecting or receiving their data;
– Access: data subjects can access their data and have inaccurate data corrected;
– Accountability: data subjects can hold collectors accountable for not following the above principles.
Over time, the principles were adapted as each country transposed the directive into its own law; the EU member states, however, all adopted the seven principles at least loosely.
The key requirements that had to be met for personal data to be processed lawfully were boiled down into three categories:
– Transparency:
Data may be processed only when: the data subject has given consent; processing is necessary to perform a contract with the subject; processing is a legal obligation; processing is necessary for a task carried out in the public interest or by an official authority; or processing is necessary for the legitimate interests of the data controller, provided none of the subject’s fundamental rights to privacy are overridden.
– Legitimate Purpose:
This ties in with the last point under Transparency. A legitimate purpose can be a number of things: commercial, societal, even an individual interest. However, if there is a less intrusive way to achieve the same result or obtain the same data, a company has no legal right to process or use the data. When relying on legitimate interests, data processing should be the least intrusive option available, not the first choice.
– Proportionality:
This governs how far processing may intrude into the data subject’s life. Data must be accurate, up to date, relevant and not excessive in relation to the stated purpose for collection. The data subject can object at any time to the processing of their data for direct marketing. Sensitive information (such as religious belief, political opinions and sexual orientation) is subject to heavier restrictions.
What is different about the GDPR when compared to previous legislation?
Consent has changed:
The GDPR recognises consent only when it is freely given, specific, informed and expressed by a clear affirmative act: pre-ticked boxes, silence and inactivity no longer count, and you must be able to demonstrate that consent was given. On a website the practical way to meet this is a double ‘opt-in’ process: clear and understandable language about the permissions next to an unticked check box when a person signs up for a company’s services, followed by a secondary step, for example an email with a confirmation link that records the subject’s final consent.
Children under 16 will require a parent or guardian to give consent
This sits with the double opt-in process. For online services offered directly to children, where consent is the basis for processing, the consent of a child under 16 (member states may lower this to 13) must be given or authorised by the holder of parental responsibility, and you must make reasonable efforts to verify that. The notice telling a person that data processing will take place, what data is processed, why, and how to withdraw consent must be adapted so that a younger audience can understand it, or the consent will not be considered legitimate.
Consent must now be managed
Consent for data processing must be properly recorded, reviewed and managed: who consented, when, to what wording, and how. This involves reviewing consent to ensure the circumstances under which it was given still apply, and having processes in place to “refresh” consent at appropriate intervals. All information about changes to relevant terms, as well as guidance on how to withdraw consent, must be clearly published and available to the subject.
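The following Python code is an added example, not code from the original page or from Easytech Solutions, showing how the double opt-in step and the managed consent record described in the two sections above fit together. The confirmation token is an HMAC bound to the email address, the version of the consent wording shown and the issue time, so a link cannot be guessed, replayed for another address, or reused after the privacy notice changes; the record stores who consented, to what, when, and whether it was withdrawn, and treats consent older than a refresh interval as no longer usable. The 24-hour token lifetime and two-year refresh interval are illustrative assumptions, not figures from the regulation, and the email addresses and timestamps are constructed sample data.

```python
"""Double opt-in consent with an auditable consent record.
Added example: not code from the page or from Easytech Solutions."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

TOKEN_TTL = 24 * 3600            # assumption: confirmation links expire after a day
REFRESH_INTERVAL = 730 * 86400   # assumption: consent is re-asked after two years


def issue_confirmation_token(secret: bytes, email: str, consent_version: str,
                             issued_at: int) -> str:
    """Unguessable token bound to the address, the exact wording shown
    (consent_version) and the issue time (epoch seconds)."""
    msg = f"{email.lower()}|{consent_version}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{issued_at}." + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def verify_confirmation_token(secret: bytes, token: str, email: str,
                              consent_version: str, now: int) -> bool:
    """True only if the token is authentic for this address and wording
    and has not expired; the comparison is constant-time."""
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False
    expected = issue_confirmation_token(secret, email, consent_version, issued_at)
    return hmac.compare_digest(expected, token)


@dataclass
class ConsentRecord:
    email: str
    purposes: tuple              # e.g. ("newsletter",)
    consent_version: str         # identifies the exact notice the person saw
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None

    def status(self, now: int) -> str:
        if self.withdrawn_at is not None:
            return "withdrawn"
        if self.confirmed_at is None:
            return "pending"          # box ticked but email never confirmed
        if now - self.confirmed_at > REFRESH_INTERVAL:
            return "stale"            # consent must be refreshed before use
        return "active"


class ConsentStore:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, purposes: Sequence[str], consent_version: str,
                affirmative_act: bool, now: int) -> str:
        """Step 1: the person ticks an unticked box. Returns the token to email."""
        if not affirmative_act:
            raise ValueError("consent needs a clear affirmative act; no pre-ticked boxes")
        key = email.lower()
        self._records[key] = ConsentRecord(key, tuple(purposes), consent_version, now)
        return issue_confirmation_token(self._secret, key, consent_version, now)

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Step 2: the person follows the emailed link. Single use."""
        rec = self._records.get(email.lower())
        if rec is None or rec.confirmed_at is not None:
            return False
        if not verify_confirmation_token(self._secret, token, rec.email,
                                         rec.consent_version, now):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, now: int) -> bool:
        """Withdrawal must be as easy as giving consent: one call, always honoured."""
        rec = self._records.get(email.lower())
        if rec is None:
            return False
        rec.withdrawn_at = now
        return True

    def may_process(self, email: str, purpose: str, now: int) -> bool:
        """Gate every use of the data on an active consent for that purpose."""
        rec = self._records.get(email.lower())
        return (rec is not None and purpose in rec.purposes
                and rec.status(now) == "active")


if __name__ == "__main__":
    store = ConsentStore(b"replace-with-a-random-secret")
    t0 = 1527206400  # constructed: 25 May 2018 00:00 UTC
    tok = store.request("Alice@Example.com", ["newsletter"], "privacy-v3", True, t0)
    print("pending:", store.may_process("alice@example.com", "newsletter", t0))
    print("confirmed:", store.confirm("alice@example.com", tok, t0 + 600))
    print("active:", store.may_process("alice@example.com", "newsletter", t0 + 86400))
```

Keying the token on `consent_version` is the part practitioners most often miss: if the privacy notice changes between the form and the click, the old link stops working and the person is asked again, which is exactly the evidence trail the “consent must be managed” requirement asks for.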
Rules on ‘opting-out’ have changed
Implied consent and ‘opt-out’ by default are no longer acceptable. Consent can be withdrawn at any time and withdrawing it must be as easy as giving it. Previously, a person could only object to their data being used for marketing; that objection remains absolute, and processing based on legitimate interests or a public task can now also be objected to, in which case the controller must stop unless it can demonstrate compelling legitimate grounds that override the subject’s interests.
The initial “guidelines” of the ‘95 act will now be key
The GDPR turns the advisory principles listed in the section ‘What did the previous legislation say about data protection/data processing?’ into enforceable rights. Any data subject now has the legal right:
– To be informed
– To access their own data
– To rectify their own data
– To erase their data
– To restrict processing
– To move their data from one company to another (data portability, see below)
– To object to processing
– Not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them
The data subject’s right to take their own data from one company to another is new. It applies where all of the following hold: the data was provided to the company by the person themselves; the processing is based on consent or on a contract with that person; and the processing is carried out by automated means.
The company must provide the data free of charge in a structured, commonly used and machine-readable format. When a request is made, you must act on it within a month (extendable by two further months for complex or numerous requests, provided you tell the person within the first month). You can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, but you must tell the person why you have refused and that they have the right to complain to the supervisory authority (the Information Commissioner’s Office in the UK). This must be done within one month of receiving the request.
Breach of data/security infrastructure is now heavily regulated
This will come as no surprise given the regular reports of hacking and corporate data leaks in the media. A breach is not only loss of data: unauthorised access, disclosure, alteration or destruction of personal data all count. As a data processing company you now legally have to have procedures in place to detect, report and investigate security breaches. Records of breaches can largely remain internal, but you must notify the ICO within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals’ rights and freedoms, for example where it could lead to:
– Discrimination against the people concerned
– Damage to reputation or financial loss
– Loss of confidentiality of their data
– Any other significant economic or social disadvantage
Where the breach is likely to result in a high risk to individuals (for example, loss of medical or criminal records), the affected data subjects must be told without undue delay as well as the ICO.
Data Minimisation is now mandatory
Data minimisation is what most people have in mind when they talk about data protection. It means collecting and keeping only the personal data that is adequate, relevant and limited to what is necessary for the stated purpose. Its companion principle, purpose limitation, means that data collected for one purpose must not be used in another, incompatible way or spread any further than the objective stated at the time of collection requires. Both were principles of the 1995 directive, but they were not well observed or enforced. After the implementation of the GDPR, they will be.
For companies whose processing is likely to result in a high risk to individuals, for example large-scale handling of sensitive data, Data Protection Impact Assessments will be mandatory (see below for more information).
Larger Companies need to assign Data Protection Officer(s) or departments
It is likely that this will not apply to you, but whether it does or not, we highly recommend that someone in your business is clued up on what the General Data Protection Regulation is, for reasons of legal compliance and communication with the supervisory authority. Companies legally required to appoint a Data Protection Officer are: any public authority (excluding courts acting in their judicial capacity); any company whose core activities involve regular and systematic large-scale monitoring of individuals; and any company whose core activities involve large-scale processing of special category data (e.g. health records) or data about criminal convictions.
How can my business keep up with change across the company and ensure we are operating legally?
The Information Commissioner’s Office is opening its doors completely to UK businesses seeking advice and is emphasising the importance of doing so. It also offers in-depth information on the nature of personal data and the rules for handling it on its website, complete with easy-to-follow checklists and condensed information suitable for internal communication.
Microsoft’s Trust Center is hosting interactive GDPR assessments on its website, as well as several articles on the new regulations for data processing: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/get-started
*All information provided on this page has been researched, but Easytech Solutions Ltd does not provide legal advice. Please consult your solicitor or lawyer.