GDPR – More Important Actions
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

If you haven’t done it already, you need to review your privacy notice(s). There is a new requirement to identify your legal basis (bases) for processing data and state your data retention policy as part of your privacy notice.
Following on from my previous articles I would like to introduce a few more actions that business owners and managers need to do as part of preparing for GDPR.
As noted in my first article, Consent is not the only legal basis open to you. Consider your legal bases carefully, as the Information Commissioner’s Office has been very clear that it will take a dim view of organisations amending these without a change in underlying circumstances.
You should also consider an individual’s rights; there are eight of these in total.
- Right to be Informed – reviewing this section on the ICO website will help you include the right information in your privacy notice.
- Right of Access – this is the equivalent of the Subject Access Request under the current data protection rules. You need to have a process in place to respond to such requests. The key changes here are that you will only have 30 days to respond (currently 40 days) and you must do it free of charge (currently you can charge £10).
- Right to Rectification – if an individual informs you that data which you hold is incorrect or incomplete you must correct it within 30 days. This links with your obligation to keep data accurate. You can only refuse if the request is ‘manifestly unfounded or excessive’.
- Right to Erasure – sometimes referred to as the right to be forgotten. It is worth reviewing the ICO website for when this right applies and when you can refuse to comply. Make sure you have a process in place for dealing with these requests. If you have shared the data with third parties you will also need to inform these parties of the erasure.
- Right to Restrict Processing – as with the right to erasure, this is not an absolute right; it only applies in certain circumstances. Where this right does apply and an individual wishes to exercise it you must comply within one month. Compliance means that you can store the data but not process it in any way. Often a restriction will apply temporarily, for example while investigating a request for rectification.
- Right to Data Portability – this applies to data supplied to you by the individual where the processing is based on consent or the performance of a contract and the processing is automated. You must provide the data in electronic form (e.g. a spreadsheet or XML). There is no definition of a specific format within the regulations, but there is reference in the ICO guidance to midata as an example.
- Right to Object – this applies to processing based on legitimate interest, including direct marketing. You can refuse to action an objection where you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual. However, you cannot refuse to action an objection to direct marketing under any circumstances.
The Information Commissioner’s Office is about to launch an awareness campaign informing the public of their rights. Whilst the stated objectives of this campaign are about building trust and confidence it will inevitably result in requests under the rights listed above. It is therefore extremely important that you and your employees know what to do in each case.
The last point that I will raise in this article is staff policies and training. Although it was always important to have policies and training in place around data protection, under GDPR it now becomes a legal requirement. There are plenty of companies offering training packages. These range from multi-day offsite courses costing several hundred pounds to online training that lasts less than an hour and costs just a few pounds. It is important to gear the level of training to the employee’s job role. Every employee needs some training. This should then form part of the new starter induction process. This may also be an opportunity to look at training around various aspects of cyber security, such as training your staff how to spot phishing e-mails and similar threats to your business.
There are a few more important things to consider which I will review next time.
Ian Roberts is the director of Steadcross Solutions Limited, which offers various business development and consultancy services under the Steadcross brand. Contact us if you would like to discuss an area in which we could help your business.
The information in this article represents a summary of our view of GDPR and is not intended as detailed guidance or advice. If you have questions about how GDPR affects your business please speak to your own legal advisers.