GDPR: A Tiger Quickfire Summary
What you need to know about collecting, processing, storing and securing the data your business runs on.
When GDPR comes into force in May 2018, individuals your business deals with have the following rights¹ regarding the information you have about them:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
As a business you have a duty under law to comply with and protect these rights. Alongside the GDPR’s transparency requirements, there are provisions that actively promote accountability and governance, which previous UK legislation only treated implicitly.
It's not just about IT & Marketing
These rights don’t just apply to customers or prospective customers whose personal details you might collect or otherwise acquire (e.g. through a marketing list) in the course of dealing with them. They also apply to everyone else, including job applicants, temporary workers, employees and contractors, or any member of the public.
The data doesn’t have to be digital either. The Act covers data held in physical form like business cards and correspondence.
Anyone in your organisation, or acting on behalf of it, who can be defined as a “Data Controller” or a “Data Processor” has legal liability if there is a breach.
Although GDPR extends liability to processors for the first time, if you are the Data Controller you are still liable even when the processor is the one responsible for the breach.
According to the Information Commissioner's Office (ICO),
"A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller."
What are your responsibilities?
As a business, you could find yourself operating both as a data controller and as a data processor. For instance, you might be the decision-maker who employs or contracts others to process personal data or you might, in some industries and professions, process data on behalf of your clients as a contractor. And then, when you instruct your staff to fulfil the requirements of your client’s brief, you are in the role of data controller again.
A data controller is responsible for, and must be able to demonstrate, compliance with the 6 GDPR principles². The data must be:
- Processed lawfully, fairly and transparently – you must deal with the data ethically.
- Collected for specified, explicit and legitimate purposes – you must explain why you are collecting the data you’re collecting.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed – you must only collect what you need for the purposes you’ve set out.
- Accurate and, where necessary, kept up to date – you must update and delete old and inaccurate data.
- Only stored for as long as is necessary for the purposes you collected it for (with some exceptions).
- Protected by adequate security, covering everything from team members to server locations.
What are the lawful bases for processing?
There are six available lawful bases for processing, most of which require that the processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
At least one of these must apply whenever you process personal data³:
- CONSENT – The individual has given clear consent for you to process their personal data for a specific purpose.
- CONTRACT – The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- LEGAL OBLIGATION – The processing is necessary for you to comply with the law (not including contractual obligations).
- VITAL INTERESTS – The processing is necessary to protect someone’s life.
- PUBLIC TASK – The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- LEGITIMATE INTERESTS – The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests⁴.
Whichever basis applies:
- You must identify and document your lawful basis before you begin processing.
- Your privacy notice should include your lawful basis and the purposes of the processing.
- If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
- If you are processing special category and/or criminal conviction data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
GDPR & Employers
Employees have all the same rights as any individual under the GDPR and this means that all employers will have to:
- Ensure and demonstrate compliance.
- Only collect personal data that is adequate, relevant and necessary.
- Remove names from data (anonymisation), or encrypt the identifying fields (pseudonymisation, which conceals identities but allows them to be recovered).
- Be open with employees about processing their data and allow them to monitor that processing.
- Improve data security features.
- Identify and limit any detrimental effects of data processing on individual privacy.
Don't be hazy about GDPR
Tiger Law can help you work it out and make the changes you need.
- Audit your data management, processes and storage, including your website.
- Advise on and action necessary compliance measures.
- Review and amend your Privacy and Terms & Conditions notices.
- Redraft or supplement your Employee Handbook (in partnership with our sister company Tiger HR).
- Review and, if necessary, redraft your contracts with contractors, suppliers and employees.
- Website checks and recommendations, working with our compliance-conscious web developer.
- Training and communications for senior officers, employees and external partners.
Call: 01233 227 355
Zealds House, 39 Church St, Wye, TN25 5BL
¹ Articles 12–22 of the GDPR
² Article 5 of the GDPR
³ The lawful bases for processing are set out in Article 6 of the GDPR
⁴ This cannot apply if you are a public authority processing data to perform your official tasks.