06 June 2019

GDPR made simple

The General Data Protection Regulation (GDPR) came into effect in May 2018 - one year on, many business owners and managers have been reflecting on its impact. In the article below, Commercial Solicitor Sarah Briscall answers questions on how businesses can be truly transparent under GDPR.

Note: Extracts of this article first appeared in "GDPR: How to be transparent" published on the RBS ContentLive website, 13 March 2019.

What exactly does it mean to be transparent in terms of GDPR?

Being transparent is twofold. It is about allowing individuals to know exactly what data you hold on them, how you obtain it, what you intend to use it for, and how long it will be stored before it will be deleted. It is also about an organisational culture of only collecting and using personal data for a specified purpose rather than looking to exploit personal data for commercial gain without an individual knowing.

Transparency ties in with the seven key principles set out in the GDPR and according to the Information Commissioner’s Office (ICO) “these principles should lie at the heart of your approach to processing personal data”.

One of the principles under GDPR requires data minimisation. This means a company should ensure the personal data processed is adequate – sufficient to properly fulfil their stated purpose; relevant – has a rational link to that purpose; and limited to what is necessary – a company should not hold more than is needed for that purpose.

It is also about being accountable – another principle under GDPR, but one which is a new concept in UK data protection legislation. A company needs to be able to take responsibility for what it does with personal data and how it complies with the other principles. It must have appropriate measures and records in place to be able to demonstrate compliance. A company also needs to be open about its mistakes by reporting breaches to the ICO and, in some situations, to affected individuals.

Being transparent is an ongoing and evolving obligation and starts at the initial interaction with individuals, continuing until personal data is no longer relevant or required to be held by law and deleted.

Please explain what companies need to do to be sure they are fully transparent...

1. Understand what data your company holds

Firstly, identify what data your organisation holds and how much of this is personal data. The types of data will range from company to company but could include customer data and employee data. Any out-of-date data, or data whose purpose you cannot identify, should be deleted immediately. Remaining data should then be streamlined to ensure only relevant data for each individual is held. Simply because a company needs some personal data about an individual does not mean it needs to collect and hold an individual’s full data profile. If you do not understand what data you hold and what you use it for, you will find it very hard to explain this to data subjects.

2. Look at how you obtain data

The stage where a company is looking to capture new data is the easiest at which to demonstrate its focus on being fully transparent. If the company simply requests only the data that is essential and has a clearly signposted privacy policy, the data subject can easily see that their data is valued and can match the purpose of processing to the data requested. When looking to obtain consent at this stage for marketing or onward transmission of personal data, transparency is a must. The GDPR has been very clear that the use of pre-ticked generic opt-in boxes for use of data by the company and anonymous third parties is no longer acceptable.

Whilst there is not a blanket ban on the transferring of data to third parties, it must be very clear, prior to any consent being given, who these third parties are and for what purpose the data is being transferred. Consent in these circumstances should be specific, granular and freely given. What this means is that consent should not be all-encompassing. An individual may want to receive your monthly newsletter but may not be interested in hearing from third parties. Importantly, an individual’s acceptance of certain terms and conditions cannot be made conditional on their accepting that their data will be used in a way that they would not otherwise consent to.

3. Be clear about the company’s purpose for processing

A clear privacy policy should be put in place which allows an individual to make an informed decision about handing over their data. It is important that this privacy policy remains up to date and consistent with the activities the company carries out. It is also about ensuring the individual’s data is up to date and remains relevant to the purpose for which you hold it. Where an individual’s data is no longer needed or up to date, it is important to have procedures in place to ensure such data is deleted in a secure manner from all sources.

A comprehensive privacy policy that is fully understood by all in the business is key. As well as informing individuals outside of the company about how their data will be collected and used, it acts as a guide for employees when carrying out their roles and any interaction with data that they might have. It is helpful for this privacy policy to be worded in such a way as to be understandable by data subjects rather than as a dense block of legalese. This means that it may be helpful to use clear English or an FAQ style, for example.

4. Keep all data secure

Internal measures should be put in place to ensure that only those who need access to data have access. Data should be protected by password where appropriate and should be capable of segmentation, ensuring that only data relevant to a specific type of processing is available when requested. For example, an individual engaged in sales may need to access the name and telephone number of a customer but would not need access to their colleagues’ HR files to carry out their day-to-day role.

A culture which fully embraces GDPR and being transparent is also important. In a culture like this, where mistakes or gaps in compliance can be brought to light without fear of reprimand, the likelihood of serious issues decreases. We know that a high number of data breaches are linked to human error, but a recognition of this, and focussing on doing the right thing, may prevent what is potentially a small issue escalating into something more serious. It is these serious issues, and ones which look to the public as though a company has tried to cover them up, which may seriously jeopardise a company’s reputation and financial position.

5. Dealing with data breaches

It is important for companies to have procedures in place to deal with breach scenarios. Knowing who to call on within the company, identification of third-party advisors and the deadlines involved (72 hours to report a notifiable breach to the ICO) ensures the matter can be dealt with in the most effective way. Where there has been a breach that requires notification to the ICO and where a decision is made to notify the affected parties, do so promptly and with openness. Holding your hands up to your mistakes and being accountable to individuals is more beneficial to your company and its reputation than trying to hide behind or cover up mistakes.

6. Dealing with data subject rights

Data subjects have a number of rights, including the ability to make a subject access request to find out what information a company holds on them. It is important to recognise these requests and to deal with them within the timescales set down by law, as data subject rights are an important part of the transparency obligations.

Please give examples of tweaks you have helped companies make so that they are more transparent and can avoid fines or penalties.

One of the first tasks when assisting companies to be more transparent is altering their mindset towards data. Historically, volume of data has been a benchmark of value, but quantity does not guarantee quality. The approach of buying up large data lists is no longer viable; instead, a company should understand that relevant and up-to-date data is key. Embracing this approach can increase customer engagement with an organisation that customers trust.

We then recommend that companies fully consider all data that they hold. For some, this has meant that historic, out-of-date and insecure data has been highlighted. We have worked with companies to streamline this data, suggesting that they delete out-of-date data and move insecure data to a secure digital platform.

We have worked with a number of businesses to implement or update their privacy policy, and this has been a key driver in allowing companies to understand the data they hold and the purposes for which they wish to use it.

There is a requirement under the GDPR to carry out Privacy Impact Assessments, and working with companies to do this and to set up a review system for future assessments has been important.

Any straightforward advice and tips to simplify the transparency process, please?

Quality of data is more important than quantity. Only hold the data you require for your stated purposes. This will make it easier to explain why you need the data you are asking for.

If in doubt, seek advice. You can obtain a lot of guidance from the ICO website (www.ico.org.uk).

Understand that mistakes do happen. Be confident that where your company is taking ongoing steps to be GDPR compliant and has processes in place for when things go wrong, the steps in dealing with a breach should be much more manageable. Trying to cover things up can make the situation a lot worse.