In 1984 the UK introduced the Data Protection Act. It aimed to govern the processing of personal data by companies and organisations. By 1998 it had become clear that the Data Protection Act needed a review. This was to cover the growing use of computers within the workplace.
The new Data Protection Act included data stored on a computer. It also included accessible records in education and health. The penalty for breach of the 1998 act was a fine or criminal prosecution.
Fast forward 20 years to another DPA amendment. This was due to the introduction of the EU General Data Protection Regulations (GDPR). The new amendment covers areas that are not included in GDPR.
GDPR was introduced on the 25th of May 2018. It aims to protect the data of not just UK citizens, but of all EU citizens. European businesses must comply with the new EU regulations if they process data.
Under GDPR EU citizens are now able to:
- Obtain access to their personal data
- Receive information about how their personal data is processed
- Request amendments to incorrect or incomplete data
- Refuse to allow a company to use their data
- Request the elimination of data when it is no longer needed or if it is unlawful
- Receive information from a company before their data is collected. The person then has the right to opt out
- Have the right to be notified if there has been a data breach
- Request that data transferred from one server to another is in a ‘machine-readable format’
What does this mean for businesses?
All businesses who sell goods or services to EU citizens will now have to create secure methods of data collection.
What do I have to do to comply?
Requests for Data – You should have procedures in place to adhere to a customer’s request for data. This could be information, amendments, opt-outs or deletion.
Responsible Staff – There should be a member of staff with responsibility for the data. This person can act as the Data Protection Officer or Data Controller. Only authorised personnel should have access to personal data. This person should receive training so that they are aware of the GDPR rules and regulations.
Up to Date Privacy Notices – Amend your privacy notices. They need to comply with the Data Protection Act and GDPR. For example, people now have the right to complain if they think you are mishandling their data. You must make this clear in your privacy notice.
Obtain the relevant permissions for data collection. Check to see if you need consent to collect personal data. Sometimes you don’t need consent. The Information Commissioner’s Office (ICO) have a good example on their website. They point out that to send someone an invoice you need their personal information. This is part of the contract between your company and the customer. You supply the goods or the service and they pay for it. In this case you won’t need permission to store the data you need to do this.
However, anything outside the contract will need permission. Say you want to send a newsletter and an email to your customers. This will need their permission. It is not part of the contract you have with them to supply a product or service for payment.
It can’t be blanket consent. If you want to send a newsletter and an email you must ask for permission for each separate notification. You can’t put both offers under one consent.
The way you ask for consent must be clear and easy to understand. Implication is not consent. You can’t write something like, “If you are reading this it implies your consent for us to send you further emails.” You must ask the person if they want to opt in, for example by asking them to tick a box. By the box, you should have text that says something like, “Yes please, I want to receive your marketing emails.”
Records – You must keep records of the date of consent, what it was for and who gave it. You must also set up a simple procedure to enable a person to opt out if they wish. Plus, if you have data on children under the age of 13 you must have parental or guardian consent to process the data.
Other records should include:
- The names of the personnel who have permission to access the data
- Where the data is stored
- An outline of any possible risks which could cause data breaches
Records on computer should have a backup. Copy paper records and store them in a different place from the original.
Review Data Lists – Review your data lists regularly and only keep the data you need. If data is no longer used, then eliminate it.
Security Measures – Only allow authorised staff to access data. Put a recovery programme in place so that you can recover any lost or destroyed data. You should also take the following steps:
- Review your business passwords. Change them regularly and use 8 to 15 characters. Don’t spell words backwards or use numbered sequences like 1234. Make the most of your keyboard to create strong passwords.
- Use encryption. It doesn’t have to cost the earth; there are simple processes small businesses can adopt. Have a look at this article by Lifehacker.
- Have your website regularly checked for security by an independent company. Don’t use your own IT department or your software providers.
- Be wary about the paperwork you throw away. It is much safer to use a shredding service which will ensure documents can’t be put together or read.
What If There’s a Breach?
If someone hacks your company data or an unauthorised member of staff gets access to it, this is a breach. So too is data that is destroyed or lost, altered or disclosed to a third party.
R85 of the GDPR outlines what you need to consider in the event of a breach. It says:
“If a person is likely to suffer physical, material or non-material damage.”
This is a person who is at risk of financial loss, identity theft or fraud, as well as loss of confidentiality or damage to their reputation. In this case you need to notify your Data Protection Officer or Controller. You must do this within 72 hours of the breach occurring.
Breaches can include:
- Losing or deleting the only copy of a data list whether on a computer or written on paper
- Incorrect information added to an individual’s record
- Emailing data to a person who isn’t authorised or sending a list to the wrong person
- Being hacked
- A member of staff accessing the data maliciously
In these cases you will need to inform the individuals on your data list about the breach. If you can’t contact them then you should report the matter to the press so people can read it in the media. The information you need to provide is:
- The nature of the breach
- Consequences of the breach
- Measures taken to mitigate the effects of the breach
- Contact information
If there has been a breach in your organisation the ICO can take the following actions:
- Fine your company either 2% of its annual global turnover, or 10 million, whichever is the greater. Or, 4% of its annual global turnover, or 20 million euros, whichever is the greater
- Issue your company with a warning or a reprimand
- Prohibit your company from data processing either permanently or temporarily
- Suspend the transfer of data to third countries
Some breaches don’t need reporting. The ICO website gives this example. “Someone losing or altering the staff telephone list wouldn’t need to be reported.” This would be viewed as an inconvenience rather than an event that caused harm.
If you want to know more about GDPR have a look at the guides available on the ICO website. You can also get details of our shredding service from our website or you can contact us on 01564 332352 during office hours.