Last reviewed 20 September 2018

For most businesses, the General Data Protection Regulation (GDPR) will have an impact on how they manage customer data. Dave Howell explains what GDPR is and how businesses can ensure full compliance, with some frequently asked questions.

GDPR — the key concepts

On 25 May 2018, GDPR came into force. There has been some confusion for companies on their responsibilities regarding the data they collect, store, manipulate and exchange.

In essence, GDPR gives individuals more control over the personal information they give to businesses in exchange for the goods or services they buy. GDPR is a statutory right, so your business must comply. If you already have a data controller under the Data Protection Act, your business is likely to need an overhaul of how it manages the data it collects. Under GDPR, you may need to appoint a Data Protection Officer (DPO).

Your customers now have the right to:

  • know what data you are collecting about them

  • know how their data is explicitly being used

  • see a copy of the data you hold about them on demand

  • have any data you hold about them deleted on demand — the “right to be forgotten”

  • have any inaccurate data corrected on demand

  • know whom you share their data with and what is being done with this information.

How fundamental is the shift in how we use and process data under GDPR?

Under the new regulations, the data controller needs to understand why data is being collected and how it will be used. Data must be collected for a clear reason. Your business cannot, for instance, use your marketing email list for other data processing. The owners of the data must give their explicit permission if your business wants to do something else with their information that they have not yet given their permission for. Consent — and showing with evidence that this consent has been given — is a foundation of GDPR.

I have asked my customers for permission to send them marketing materials via email. Do I need to ask their permission again under GDPR?

Generally no. However, businesses could be asked to show that every individual on their mailing list did give their permission in the past. A business must be able to prove this and show how it has collected and stored this information. This is why many businesses are asking for those permissions again, to ensure they have evidence if a data breach occurs or an individual’s data is used for something they did not give their permission for. The onus is on your business to ensure it has always asked for explicit permission and can show with evidence that this permission was granted.

Will my business still need to comply with GDPR after Brexit?

In last year’s Queen’s speech, the new Data Protection Bill was outlined. It is the Government’s stated desire to include the main components of GDPR in the new Act, as this would ensure data could freely flow between the UK and EU after Brexit. During the transition period, businesses will be able to see the practical impact the new Data Protection Act will have on their data compliance responsibilities, and how far GDPR will be integrated into the new Act when it becomes law.

In essence, is GDPR more about consent when it comes to what data we collect and how we use it?

Yes — this is the key point about GDPR. Simply ticking a box on your website or in an email you send to your customers might not be enough. You need to tell your customers or suppliers what exactly they are agreeing to when they give you their information. Each time your business processes this data in a different way, you must ask for consent before you carry out the work. More importantly, this applies to your suppliers and commercial partners and not just your customers.

What are the practical steps our business must take to ensure full GDPR compliance?

Any sign-up forms you already use that ask the customer to agree with your terms and conditions, and that ask for permission to send email communications from time to time, can be kept. If you pre-tick any options, this would need changing, as you need to ask for explicit consent. When you receive replies to these forms, these must be stored securely, as you may need to provide evidence that an individual gave their permission.

The next areas to look closely at are your terms and conditions and your privacy policy. The latter, in particular, will need updating to state that the users of your website have the right to see their data and have it erased, and that they will be asked each time their data is used in a process they have not yet agreed to. Creating a link from your privacy policy to a web form that can be used to ask for the right to be forgotten, or to request to see what personal data your business is holding, is enough to comply with this aspect of GDPR.

As the Information Commissioner’s Office (ICO) states, individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for

  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent

  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing

  • you are processing the personal data for direct marketing purposes and the individual objects to that processing

  • you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the first principle)

  • you have to do it to comply with a legal obligation

  • you have processed the personal data to offer information society services to a child.

Can you define what is meant by “personal” data, given that our business is collecting this information from our customers and suppliers?

Under GDPR, “personal data” is defined by the ICO as follows.

  • Personal data is information that relates to an identified or identifiable individual.

  • What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

  • If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

  • If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.

  • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it “relates to” the individual.

  • When considering whether information “relates to” an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.

  • It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.

  • Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.

  • Information which is truly anonymous is not covered by the GDPR.

  • If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

What about the security aspect of the data we are collecting and holding?

This is a critical component of GDPR, as failure to comply could attract heavy fines for any business or organisation that does not take all practical steps to protect the data they hold. The fines that a business could be liable for could be up to €20 million, or 4% of annual global turnover of your business, whichever is greater.

Ensuring your business’s website has all the recommended security protocols in place is vital. Ensuring your site uses HTTPS is a fast and easy way to increase security across your business’s website.

Furthermore, GDPR makes it mandatory for your business to inform everyone whose data has been compromised of the data breach within 72 hours of the event. Best practice would be to act as soon as this occurs; for example, a serious data breach of financial details should be communicated to all those affected immediately. If a delay occurs, this could attract a fine.

Finally, could you summarise the basic steps my business should carry out to ensure full compliance with GDPR?

Audit your data

To ensure full compliance with GDPR your business needs to know which data it has collected, where this is stored and how it is used. This is the “personal data” as defined under the regulations.

Receiving consent

Overhaul how your business asks for personal information and how full consent is requested. This will mean updating contact forms, terms and conditions and your privacy policy.

Full and timely access

One of the most important aspects of GDPR is being able to identify a piece of personal data that the owner has requested be deleted. This “right to be forgotten” is a fundamental part of GDPR and must be fully supported by your business.

Security first

With such high fines for data breaches, upgrading the data security across your business is critical to avoid the personal information you hold being compromised.

Do you need a Data Protection Officer?

If your business or organisation routinely collects and processes “personal data” you will need a DPO. This is a sensible appointment, as your business will then have a central point of contact for GDPR.