GDPR: The essentials
3rd January 2018
On May 25th the GDPR (General Data Protection Regulation) will come into force throughout the EU. Many businesses seem to still be in the dark about these important new rules, so we were delighted to be invited by the region's leading law firm, Wilkin Chapman to join them in a series of seminars to discuss GDPR.
GDPR will apply to all EU citizens, as well as anyone or any businesses that hold data on EU subjects or market to EU citizens. These forthcoming changes are therefore very likely to affect your business in one way or another, and you only have until May to get GDPR compliant.
In this article, we will introduce the main issues surrounding GDPR as well as provide details of a series of 4 seminars where Cursor's Daniel Westlake will be joined by experts on Employment & Go, Compliance and Cybercrime to discuss GDPR in association with the leading law firm, Wilkin Chapman.
What about Brexit?
The first thing people ask is, what about Brexit? Well, as it stands, Brexit will not affect GDPR, as the UK will assimilate EU regulations into UK law when it leaves the EU. In theory, the government could change the requirements at some point in the future, but as GDPR is considered to be ‘the gold standard’ of data protection, it’s unlikely that it will.
GDPR builds upon the UK’s Data Protection Act (DPA) and goes further than previous rules, so it’s worth knowing what the changes are then deciding what actions you need to safeguard personal data.
What is personal data?
‘Personal data’ is defined as information that either on its own or along with other information could be used to identify someone, such as phone numbers, email addresses, names, identification numbers, internet addresses, physical addresses, character traits, health information and financial records. This includes digital and physical files.
A ‘Data subject’ is the living person the data pertains to. Under GDPR all individuals will have the right to view the data held about them and ask for it not to be processed - the ‘Data controller’ (the person who owns and uses the data) and either process it themselves or uses the services of a ‘Data processor’ must comply. Individuals will also have the right (and, again, controllers and processors must comply) to be told the basis for data processing when the data collected. So, if an organisation intends to gather data to sell on, for example, they’d need to make that clear at the outset.
GDPR will increase individuals’ rights
The new rules are designed to give individuals greater transparency about how their data will be used by organisations, and more trust in how it is collected, processed and shared. It includes tighter controls on how data is used and processed (including collecting, storing, filing, analysing, transmitting and destroying information). GDPR increases the burden of responsibility for anyone who uses data to be able to prove that they comply with the rules, and introduces more substantial penalties for anyone who does not comply.
Under previous Data Protection Act (DPA), someone’s consent to have their data collected and processed could be inferred from an action or inaction where it showed consent, such as not opting out. Under GDPR, individuals will have to give their active and unambiguous consent via a “statement or clear affirmative action”. Organisations will no longer be allowed to infer consent from someone’s silence, inactivity or a pre-ticked box.
Data subjects will also have two new rights: ‘the right to be forgotten’ and have their data deleted, and ‘the right to data portability’, which means that individuals can demand a copy of the data held about them in an understandable format. This was required under the DPA, but GDPR will make it unlawful to charge people to access their data (unless the data controller can prove that the costs would be “excessive”), and they’ll have a month to comply rather than the previous time limit of 40 days.
Two further changes the GDPR includes are that companies processing “large” amounts of data will be required to appoint a data protection officer (DPO), and there will also be special protection for children’s data.
How will GDPR affect your business
Anyone who controls or processes data will have to make sure they’re compliant but, depending on their activity, it may not necessarily change the way they manage and handle data. GDPR may have a more significant impact on how many businesses store data. Data controllers and processors will have to be able to prove that they’re compliant, which means they’ll have to keep records of how data is used – right from its collection through to its destruction.
You won’t necessarily need to change your current DPA consents, but you will need to make sure that they meet the new requirements of being a specific, prominent opt-in that is appropriately recorded and can be quickly withdrawn by the data subject.
Changes coming to digital marketing
The changes to the way data is used will have a far-reaching impact on the growing digital marketing sector. Industries that use marketing lists, email newsletters, inbound marketing and marketing techniques such as conversion tracking and remarketing, will have to find ways of working that don’t contravene the new requirements. If your business relies on this and you are not prepared then you could be in for a shock.
Companies will have to have “clear, justified and legitimate” reasons for processing personal data and be able to argue their case, yet for most this will mean tightening up their current processes rather than a total overhaul.
Changes needed on company websites
Where businesses are gathering personal information online, they will need to display how they will use this information. This will likely mean adding a data statement to all online forms which states what the personal data will be used for and how long it is stored. Website visitors need to be able to make an informed choice when providing their personal data and this is going to mean some changes to most company websites.
In addition, consent to process personal data needs to be actively given and this should be recorded as proof. Each web form, therefore, requires an opt-in checkbox along with the data statement. This cannot be pre-ticked, or consent assumed when the form is submitted.
GDPR: The essential seminars
There’s been a lot of scaremongering and misinformation about GDPR circulating, so we were delighted to be invited by Lincolnshire's leading law firm, Wilkin Chapman to join them in a series of seminars to discuss GDPR. The seminars will cover some of the essentials elements that are going to change come May 2018.
- What is new about GDPR and the Data Protection Bill
- How the GDPR will directly affect HR processes
- Key points to bear in mind throughout the employment lifecycle from recruitment, contracts and policies to termination of employment
- Project planning: what do you need to do to be compliant by May 2018?
- Practical workflows for GDPR compliance
- Detecting and dealing with breaches
- GDPR and digital marketing
- Making your website GDPR compliant
You will leave this event armed with the information, the tools and a handy checklist to set you on the road to GDPR compliance. In addition to the law expert speakers from Wilkin Chapman and Cursor's Managing Director, Daniel Westlake we will be joined by Detective Sergeant Steve Dennison who leads the Humberside Police Cybercrime Investigation Team and will be providing crime prevention advice looking at computer hacking, network intrusion, and malicious software attacks.
The GDPR series of seminars are taking place across 4 locations. Training costs £150 plus VAT per delegate and £100 plus VAT for additional colleagues from the same organisation. Click the links below to register your place(s).
- 18th January, Cartergate House, Grimsby, 8am - 11am
- 24th January, The Maltings, Lincoln, 8am - 11am
- 31st January, Best Western Kenwick Park Hotel, Louth, 8am - 11am
- 8th February, Cottingham Parks Golf & Leisure Club, Beverley, 8am - 11am
We hope you can join us.
Please note that the contents of this blog are not intended to act as or replace legal advice. If you work with data and have any concerns about what GDPR means for you, please seek legal advice.