Data protection rules for business
Businesses need to be able to demonstrate and evidence their compliance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA). But what does that actually mean?
For many business owners and managers new data protection laws are confusing, challenging and somewhat daunting. There’s also significant consequences to getting it wrong. But it’s not an option to ignore the GDPR, so where do you start and what are the rules?
The data protection rules
Article 5 of the GDPR sets out seven Data Protection Principles which are essentially the data protection rules for your business to follow.
The Principles don’t present an exhaustive task list but they do provide overarching guidance. They’re also the best place to start your GDPR compliance journey.
Here we share the Principles trying to keep it jargon-free and clear. Remember, they relate purely to the processing of personal data.
We’ve included a handy compliance checklist for each principle so you can start to work through your own compliance.
When reading this blog, think of your business as the ‘data controller’ and individuals as ‘data subjects.’ Data subjects are the people your business processes data about such as your customers, employees or suppliers.
Principle a) processed lawfully, fairly and in a transparent way – “Lawful, fair and transparent”
Make sure you satisfy all three elements of the lawful, fair and transparent data processing principle.
It's generally at the point of identifying a lawful basis for processing activity that most businesses go wrong with their compliance efforts. The basis you choose for processing must be the right one, and will determine certain aspects of the relationship you go on to have with your data subject.
For example, if you choose the lawful basis of consent, an individual must be able to revoke their consent. If this is not feasible then it’s unlikely consent is the right lawful basis to choose.
If the lawful basis is contractual, the data subject is bound by the terms of the contract in place. Consequently, they may not be able to opt out of, or object to, processing.
Whichever basis you choose, there’s further work to be done. With consent, you need to keep evidence of the consent given, and your method of gaining consent needs to meet the strict requirements of the GDPR.
If you’ve chosen legitimate interests you should have undertaken (and documented!) a Legitimate Interest Assessment.
Lawful basis – special category and criminal offence data
In instances where you’re processing more sensitive data in the form of special category information or criminal offence checks, you’ll need to identify a second condition for processing under Article 9 of the GDPR.
Whenever you transfer data to a country outside the European Economic Area (EEA), you must make sure those “international transfers” are lawful. This requirement is to ensure the protection of individual’s rights when processing takes place outside European member states.
- You have identified an appropriate, lawful basis for all data processing activities
- If processing special category or criminal offence data (which is particularly sensitive), you have identified two lawful bases for processing
- You keep the necessary records to meet the requirements of lawful basis chosen (i.e. evidence of consent, meeting the requirements of consent, legitimate interest assessments etc)
- You do not breach any laws when collecting personal data
- You ensure that any international transfers of data are identified and compliant
Generally, fairness means handling peoples’ data in ways they would expect, and giving consideration to the impact processing will have on them. ‘How does it affect those concerned?’ and ‘How would I feel if this were my information being processed?’ are good questions to ask yourself.
- You have considered the impact of how processing data may affect individuals and can justify your reasoning
- You only handle peoples’ data in a way that they would reasonably expect and ensure you can explain any unexpected processing
- You do not deceive or mislead when collecting personal data
To be transparent you must be crystal clear about your purposes for data processing, right from the start. You need to communicate this information to data subjects in the form of a Privacy Notice.
- You are clear, open and honest from the start about how you use peoples’ data
- You publish and provide compliant privacy notices wherever they're needed
Principle b) collected for specified, explicit, legitimate purpose – “Purpose limitation”
You must ensure that you only process the data you’ve collected for the purpose(s) you disclosed. You can only use the personal data for a new purpose if it is compatible with your original purpose, you get consent, or you have another lawful basis for processing.
Processing purpose checklist:
- You have clearly identified the purpose for processing
- You have documented the purpose using simple, understandable language
- You include the purposes for processing in your privacy information for individuals
- You regularly review your processing, and whenever necessary, update policies, documentation and individuals
- You only use peoples’ data for the purpose(s) you’ve communicated to them
- If you use peoples’ data for some other purpose you identify an appropriate lawful basis for that processing, and seek consent where it is needed
Principle c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed – “Data minimisation”
You should only be collecting the data you need to undertake the purpose you have stated. You shouldn’t be collecting or processing any personal data superfluous to that need.
Can you adequately justify why you’re collecting all the data you are collecting?
Data minimisation checklist:
- You only collect the data you need for your specified purpose
- You regularly review the data, deleting anything that is not needed for your specific purpose
Principle d) personal data shall be accurate and (where necessary) kept up to date – “Accurate and up to date”
The accuracy of the data you process is vital and you must take all reasonable steps to ensure it is correct and factual. You may be responsible for keeping the personal up to date, although this really depends on what you’re doing with the data.
You must take steps to correct or dispose of false, out of date or inaccurate information when you become aware of it. Aim to give your data subjects easy ways to check, amend or challenge the data you’re processing about them.
- You ensure the accuracy of the personal data you process
- You’ve implemented processes that verify accuracy and sources of data
- You keep a record of any mistakes or issues with data you’ve handled
- You comply with individuals right to rectify inaccurate data
Principle e) personal data shall be kept in a form which permits identification of data subject for no longer than is necessary -“Storage limitation”
You need to make sure you don’t keep personal data for any longer than is necessary.
The GDPR does not state timeframes but in some cases there are legal requirements for how long you should retain data. For example employment and transactional records need to kept for a set amount of time.
Beyond what’s already defined in law, you must decide how long you can justify the retention of data for your specified purpose(s).
Personal data held for too long can become irrelevant and inaccurate and therefore poses a risk to you and your data subjects. Anonymised data may be kept for as long as you wish.
Storage limitation checklist:
- You know what data you hold and why you hold it
- You consider how long data is held and document relevant justifications
- You regularly review information, erase and anonymise where needed
- You document your policies on storage retention and secure data disposal
- You have processes in place to comply with an individual’s request for erasure under the right to be forgotten
- You clearly identify any personal data that you may need to keep for public interest, archiving, scientific or historical research, or statistical purpose
Principle f) processed in a manner that ensures appropriate security of the personal data – “Appropriate technical and organisational controls”
You must process data securely by means of appropriate technical and organisational measures.
These measures must ensure the confidentiality, integrity and availability of the personal data you process.
Organisational controls can largely be broken down into three, interrelated areas: People > Systems > Process.
You must have the right record keeping, policy and procedural framework in place to ensure ongoing business compliance. All staff handling personal information should attend appropriate training. The systems they use should be secure, robust and manageable.
You should be able to demonstrate sufficient technical controls to secure your IT infrastructure, and any digital presence, from unauthorised access or breach of personal information.
Furthermore, you need to ensure that companies processing data on your behalf (data processors) are GDPR compliant, and you’ll need Data Processing Agreements in place with them.
The ICO have published a Practical Guide to IT Security which is helpful for small businesses seeking to better understand their IT obligations. The National Cyber Security Centre has also provided a useful guide to cyber security for businesses.
Compliance activities and security measures should be regularly monitored, tested and regularly reviewed.
Technical and organisational controls checklist:
- You analyse the risks presented by your processing and use this to assess the appropriate level of security needed
- You ensure you have sufficient policy and procedure in place to guide compliant processing
- You regularly review relevant policies, check their effectiveness and improve them wherever necessary
- You have implemented sufficient technical controls to detect and protect against data breaches
- You have effective procedures in place to manage a data breach, and to notify the ICO and data subjects in a timely way
- You use encryption and/or remove personally identifiable information where applicable
- You can restore access to personal data in the event of any incidents and have established back-up processes
- You have researched other technical and organisational measures you may need to adopt in relation to your specific processing activities
- You regularly test and review your security measures
- You have processes in place to ensure the compliance of the data processors you use
- You have Data Processing Agreements in place with all data processors
- You understand the requirements of confidentiality, integrity and availability for the personal data you process
The final principle is in article 5 (2). The controller shall be responsible for, and able to demonstrate compliance with, paragraph 1 – “Accountability”
This new principle requires that you be accountable for your compliance. That means you must be able to evidence your compliance with legislation. Think about what you would actually provide to the ICO in the event you had to prove your compliance with the GDPR. Would it be sufficient?
Compliance is ongoing activity, not a one off event. You’ll also need to show a robust approach to regularly monitoring, reviewing and testing the measures you’ve implemented to make sure they are effective.
- You recognise your legal responsibility for GDPR compliance at the highest management level and throughout your organisation
- You can demonstrate “appropriate technical and organisational measures” to secure and protect the data you process
- You assign resource to plan, achieve, monitor and maintain compliance
- You keep records evidencing the measures you take and controls you have in place
- You have appointed a data protection officer (where necessary) or assigned a data protection lead
- You adhere to relevant codes of conduct and sign up to certification schemes like Cyber Essentials
- You monitor, regularly review and update compliance records and activity
Need more help?
GDPR Gap Analysis
Your business will be legally responsible for any personal information it collects, stores and processes about individuals including customers, suppliers, and employees.
The GDPR requires that you have "sufficient technical and organisational measures" in place to secure and protect that information.
But, GDPR compliance is not easy to unpack and can be a rather daunting task.
Our GDPR Gap Analysis is the perfect solution for any business that's looking for a clear roadmap to compliance, with the support of an experienced IBITGQ accredited GDPR Practitioner.
In February 2020, we're launching our brand new GDPR management system - On Track GDPR. It includes a clever web app, template GDPR documents, tool-kits and access to our GDPR helpdesk all for an affordable monthly fee. For more information please contact us.
Smarter Data Protection are specialists in data protection and compliance. We are ISO and IBITGQ accredited and provide concise, accurate guidance that you can implement straight away to protect your business.
We are passionate about privacy and make your compliance process simple and transparent.
If you need help handling a subject access request, GDPR compliance or any aspect of data protection get in touch.
Protect your business. Protect your data. Choose Smarter Data Protection.