Processing Personal Data Under GDPR
The General Data Protection Regulation (GDPR) is coming into effect in May this year. Despite it only being a few months away, many businesses still don’t know exactly what to do! There is a lot of confusion and ambiguity in the air concerning processing personal data. In a previous post, we talk about GDPR and give a general overview of what businesses will be required to do under the new regulation.
Depending on what article you read, you may be led to believe you need to delete everything you have. The truth of the matter is that while GDPR refines and introduces a number of new regulations concerning personal data, businesses will still be able to hold and process data.
In this post, we address some of the salient points of processing personal data under GDPR in more detail. It is crucial that you both understand your responsibilities and are able to demonstrate your compliance to the relevant authorities. Keeping a record of the processes you use and the basis on which you process the data is therefore essential for compliance.
Data Controllers and Data Processors
GDPR places specific regulations and rules on both data controllers and data processors. However, some are confused as to whether they are a controller or processor. There are key differences between them. Below we distinguish the two:
- Data Controllers – The GDPR defines a controller as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
- Data Processors – The GDPR defines a processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
The data controller is responsible for all processing of data. A controller must choose a processor who can show they are complying with GDPR standards. However, both processors and controllers are liable for any breaches of GDPR regulations. Processors are responsible for the ongoing maintenance and processing of the data.
If you hold a data list and you bring on board a marketing company to email-market to that list, the marketing company is the processor. As it is your data list, you are the controller and will be legally responsible for it.
If an individual wishes to withdraw consent and be taken off a marketing list, they must contact the controller and not the processor. The controller will have to instruct the processor to remove the record in question. Failure to do so can result in large fines for the business.
Data Protection Officers (DPO)
A DPO is a requirement under the GDPR for any company managing and holding data. Essentially, they are a representative (either in-house or through a third party) who ensures the company is complying with the regulation. They have a duty to inform employees of their obligations, monitor processing activity to ensure it is compliant, and be the first point of contact for the relevant authorities.
Your DPO can be internal, provided that the individual’s other duties are compatible with the GDPR. There must also be no conflict of interest.
GDPR is very specific when it comes to processing and handling data. There is a large emphasis on accountability. Data controllers must be able to demonstrate their compliance to regulators. They must be able to show the following:
- Data has been processed lawfully, fairly and transparently
- Collected for a specific, explicit and legitimate purpose
- Adequate, relevant and limited to what is necessary
- Accurate and kept as up to date as possible
- Retained only as long as necessary
- Processed in an appropriate manner to maintain security
Lawful Basis for Processing Personal Data
Under GDPR, there are 6 lawful bases for processing personal data. Below we outline these 6 with a brief explanation for each.
- Contract from an individual – You need to process personal data to fulfil a contractual obligation to the individual.
- Compliance with a legal obligation – You can rely on this if you need to process personal data in order to comply with a law or statutory obligation.
- Life or death interest – If processing an individual’s data is crucial for the protection of that person’s life, the processing is lawful.
- Public tasks – You can process data if it is ‘in the exercise of official authority’. This is most relevant to public authorities but if you undertake activities in the public interest, this may be applicable for you.
- Consent from an individual – This is where an individual has explicitly given their consent for their data to be processed. An individual must enter their details and explicitly state that they are happy to opt in. A pre-ticked box or silence is not an acceptable means of consent. Consider re-wording your opt-in statements and reviewing your current processes to ensure you meet this requirement.
- Legitimate interest – This allows for data to be processed if it is going to be used in ways that are of a legitimate interest to an individual and used in ways they would reasonably expect. It must have minimal impact on their privacy.
You will need to demonstrate compliance to regulatory bodies. Therefore, you will need to show you have a lawful basis to process an individual’s personal data. Identify your lawful basis before you begin processing personal data. Keep all documentation, processes, communications, etc. so that you can justify your processing.
GDPR is going to change many aspects of the management of personal data. It is vital that you review all of your current processes and make any changes needed before May. Regularly undertake data cleansing to ensure your data is as accurate as possible, minimising any issues. Also ensure you keep records of everything in order to show the authorities should the occasion arise.
If you would like more information about GDPR and how it may affect your business, get in touch and one of our data experts can advise further.