Summary by Xena Semikina, Solicitor and Higher Rights Advocate
The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and has already caused quite a stir among businesses.
The date is upon us, the penalties for non-compliance are severe and hardly anyone knows exactly what they have to do to comply. You suddenly find yourself on the wrong side of the law without knowing right from wrong.
The 119-page document was published in small print in an official periodical of the European Union, and only lawyers can read it without falling asleep.
However, the beast is not vicious, but only misunderstood. We naturally have a fear of things we don’t know, but thankfully we don’t need to take up a degree course every time we face this fear. This article will explain the new law in little more than a thousand words – not enough to make you an expert, but enough to alleviate the fear and prompt you to act.
It’s not difficult to grasp a piece of legislation if you know only one thing about it – its purpose. The purpose of a piece of legislation is its spirit. The spirit of this particular legislation can be summed up in a single word – accessibility. This is the one thing that makes this legislation very different from the pre-existing rules. All the other changes follow from this one and arise from it naturally, by virtue of common sense.
There are two main reasons why information has to be accessible, and they affect data subjects’ rights at two main stages – the stage of data collection and the stage of data retention.
At the stage of data collection the primary concern is the clarity of the information provided to the subjects. It is at this stage that your customers are expected to decide whether or not to enter a business relationship with you and share their data. The universal principle of human co-existence in a free world is that every contact between human beings has to be consensual. No one can be made party to something they reject, and business interactions are no different from private interactions in this respect.
Your customers have to give their consent to share their data with you and this consent has to be given knowingly.
‘Knowingly’ means that they have to know exactly what they are consenting to and exactly how their data will be used. They will not know if they are not informed. ‘Informing’ used to mean ‘providing information’. GDPR puts an end to this interpretation, and this is the most fundamental change it introduces.
According to GDPR, ‘informing’ means not only providing information but presenting it in a clear form, accessible to the majority of people. When you request consent, you have to present your request in clear, unambiguous language and in a form which is easy to read (Article 7). No more lengthy policies in small print, no more hyperlinks that crash devices before they link – the information has to be right before your customers’ eyes. You have to state your request in plain and concise language, identifying clearly why you need the data, and the subjects have to give their consent explicitly, which means consciously. Pre-ticked boxes no longer count as explicit consent.
Now you have collected the data and you keep it. This is where the new law kicks in for the second time, and again with the same kick – accessibility.
In the language of GDPR it is called ‘data portability’. According to Article 20 of the GDPR (Regulation 2016/679), the data has to be stored in a structured and commonly used way. It has to be machine readable and easily transferable. The rationale behind this rule is very simple.
The data has to be easily accessible and available at short notice on request of the data subject. It also has to be easily deleted if the subject requests it. This is because the subjects have the right of access to the data (Article 15) held by any business or organisation, they have the right to withdraw their consent to the processing of their data at any time (Article 7(3)) and they may request erasure of the data – the so-called ‘right to be forgotten’ (Article 17).
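What these two stages look like in code, as an added example that is not part of the original article: a minimal consent ledger and subject record store in which consent is recorded only on an explicit affirmative act (a pre-ticked or unticked box is rejected, per Article 7), consent can be withdrawn at any time (Article 7(3)), a subject's record is exported as structured, machine-readable JSON (Articles 15 and 20), and the record can be erased on request (Article 17). All class names, field names and sample data are constructed for the illustration; nothing here is the firm's or the regulation's own code.

```python
"""Added example (not from the original article): a minimal consent ledger and
data-subject store illustrating the GDPR obligations the article describes.
All names and sample values are constructed placeholders."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def _now() -> str:
    """ISO 8601 UTC timestamp, so the ledger is an auditable record of when consent was given or withdrawn."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class ConsentRecord:
    purpose: str                   # plain-language purpose shown to the subject (Article 7)
    given_at: str                  # when the affirmative act happened
    withdrawn_at: str | None = None  # set when the subject withdraws (Article 7(3))


@dataclass
class SubjectRecord:
    subject_id: str
    email: str
    consents: list[ConsentRecord] = field(default_factory=list)


class SubjectStore:
    """In-memory store; a real deployment would persist this, but the obligations are the same."""

    def __init__(self) -> None:
        self._records: dict[str, SubjectRecord] = {}

    def register(self, subject_id: str, email: str) -> None:
        self._records[subject_id] = SubjectRecord(subject_id, email)

    def record_consent(self, subject_id: str, purpose: str, affirmative_action: bool) -> None:
        """Consent counts only if the subject actively opted in for a clearly stated purpose.
        A box ticked by default, or left unticked, is not an affirmative action."""
        if not purpose.strip():
            raise ValueError("consent request must state its purpose in plain language")
        if not affirmative_action:
            raise ValueError("consent not explicitly given (pre-ticked or unticked box)")
        self._records[subject_id].consents.append(ConsentRecord(purpose, _now()))

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        """Withdrawal must be as easy as giving consent; here it is one call."""
        for consent in self._records[subject_id].consents:
            if consent.purpose == purpose and consent.withdrawn_at is None:
                consent.withdrawn_at = _now()

    def has_valid_consent(self, subject_id: str, purpose: str) -> bool:
        record = self._records.get(subject_id)
        if record is None:
            return False
        return any(c.purpose == purpose and c.withdrawn_at is None for c in record.consents)

    def export(self, subject_id: str) -> dict | None:
        """Subject access / portability (Articles 15 and 20): a structured copy of everything held."""
        record = self._records.get(subject_id)
        return None if record is None else asdict(record)

    def export_json(self, subject_id: str) -> str | None:
        """The same export serialised to JSON, a commonly used, machine-readable format."""
        data = self.export(subject_id)
        return None if data is None else json.dumps(data, indent=2)

    def erase(self, subject_id: str) -> bool:
        """Right to be forgotten (Article 17): remove the record; returns False if nothing was held."""
        return self._records.pop(subject_id, None) is not None


if __name__ == "__main__":
    store = SubjectStore()
    store.register("s-001", "alice@example.invalid")  # constructed sample subject
    store.record_consent("s-001", "send order confirmations by e-mail", affirmative_action=True)
    print(store.export_json("s-001"))
    store.withdraw_consent("s-001", "send order confirmations by e-mail")
    print("still consented:", store.has_valid_consent("s-001", "send order confirmations by e-mail"))
    print("erased:", store.erase("s-001"))
```

The design choice worth noting is that withdrawal does not delete the consent entry but timestamps it: the business keeps evidence of when consent existed, which it needs if a processing decision is later challenged, while `has_valid_consent` treats a withdrawn entry as no consent at all. Erasure, by contrast, removes the whole record, because at that point the subject has asked for the data itself to go.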
At this stage many of you may think: ‘I don’t like it’. It smells of a total restructuring of your website and maybe of the entire business, which for smaller enterprises may put a great strain on already tight resources.
Here is the good news.
A lot of businesses don’t need to modify their website or their business practices. Obtaining your customers’ consent is only one lawful basis for legitimate data processing (Article 6). In many clear cases consent may in fact be presumed. This covers situations where the data you have collected are strictly necessary for the pursuit of your business purposes, in other words purposes which are mutual to you and your customers – the provision of services by you to them. In the language of GDPR this is called legitimate interests.
GDPR & Legitimate Interests
When you think about it, it only makes sense. If someone comes to you and asks you to do something for him, of course he expects you to know where to find him. You do not need to explain to him that this is the purpose of your retaining his data and you don’t need to ask him for consent, because it is already presumed and clear to both of you. He has given it to you by his act of requesting your services. However, when using this basis for data processing, you have to be extra careful, because you take on extra responsibility for the subjects’ rights and interests, and you have to balance your legitimate interests against their interests and fundamental rights at every point of data collection.
At Sterling Lawyers, for a small fee, we can carry out thorough analysis of your website and your business practices, and advise you on whether or not you need to introduce changes to comply with the new legislation. We can also help you to amend your existing documents and create customer and staff notices compliant with GDPR.