Tony Bingham explains the ins and outs of GDPR compliance, and how to make sure you don’t fall foul of the new data rules
GDPR … How are you coping? Or, rather, how is your inbox coping? Talking of inbox, I bought the new iPhone X. The Apple Shop man soon downloaded all my bumf from the “cloud”. Slick, except that it didn’t stop downloading. In came 26,640 emails from the last umpteen years. What fun.
So to GDPR: in my view, it’s gone too far. A pal of mine has just received a “Let’s stay in touch” email from his first wife – he hasn’t seen her for five years. Another pal is a member of a local allotment society: for them, GDPR stands for the Gardening, Digging, Planting and Raking club. And, yes, the Information Commissioner’s Office told the 40 members they must send emails telling each other about private and personal things.
Let me make a confession: this GDPR thing is driving me scatty. What is this malarkey all about?
Data protection regulations have existed in the EU for the last 20 years. This new GDPR is an add-on to give you and me more power over our personal data – what, how, why, where and when our personal data is used, processed (big word) and disposed of. From what I can fathom, there are quite a few outfits out there that have got something on you, and you, and you. And you don’t even know that your personal stuff is being passed from pillar to post.
What is personal data? It is any data that relates to an “identifiable natural person”: name and address; ID numbers; health and genetic data; racial or ethnic data; political opinions (wow); sexual orientation and much more. Also included is web data such as location, IP address and cookie data – those little fiends that can identify you via the device you are busy using. This all counts as personal data from now on – even if it identifies you only indirectly. An inter-company letter, email or memo, for instance, includes such indirect personal data.
I got in touch with the Information Commissioner’s Office. This is the team of honchos in charge of all this territory. They wanted to know whether I had “registered under the Data Protection Act”. It is £35 per year – or £500 if your turnover is £25.9m and you have more than 249 staff. What for? It is to give you a badge that says “I am processing” (big word again). I told the fellow what I did for a living and he went to speak to his boss. They didn’t know if I was processing or not, but said I should send the money anyway. He pointed me to the recommended “12 steps to take now” for GDPR. And here they are:
- Awareness: Tell all your colleagues in the office that from 25 May the law changed to apply the GDPR (as if they didn’t know).
- Information you hold: Glibly the guide says “You should document the personal data you hold […] where it came from and who you share it with”.
- Communicating privacy information: Having collected people’s personal information, you have to tell them how you intend to use their information – that’s done via a “privacy notice”.
- Individual rights: Introduce into your procedures a method of telling people how you delete their info, their right of access, right of rectification, erasure, processing restriction right, right to object, and, oh dear, more besides.
- Subject access requests: Compile your procedure for handling requests: fee or no fee, time limit, refusal system, complaints system.
- Lawful bases for processing personal data: Advise individuals of their right to require you to delete their data. I like that.
- Consent: Seek, record, and manage consent. Consent needs to have been freely given, and must be specific, informed and unambiguous. It cannot be silent. There must be a simple system of consenting to “processing” data and easy withdrawal of consent.
- Children: This is all about social networking safeguards. For those under 16, parental consent is needed to process an individual’s data. Great care is needed if you offer online services and collect child data. And you must write in language a child can understand.
- Data breaches: You must devise a procedure to detect, report and investigate any personal data breach. Failure to report a breach incurs a fine.
- Data protection by design: This means carrying out a privacy impact assessment – weighing up the consequences or effect or risk of data escaping – and it is an express legal requirement.
- Data protection officers: You must designate a person to take responsibility for data protection compliance, especially if you are a big boy – or engage one of the numerous folk offering the service for a fee, of course.
- International: It applies EU wide, but you can choose where your lead data protection authority is if you operate in more than one EU country.
Processing is what you do with someone’s private data: who it is shared with and how, and why. Don’t risk discrimination, damage to reputation, financial loss, and loss of confidentiality or any other significant economic or social disadvantage by getting it wrong. Perhaps the name should be changed from GDPR to GOTCHA – this territory is a minefield; it is so easy to put a foot wrong.
As for my overflowing inbox: this has been a great opportunity to press the unsubscribe button.
Tony Bingham is a barrister and arbitrator at 3 Paper Buildings, Temple