Is your business compliant with the New Data Protection Regulation?

What is the General Data Protection Regulation (GDPR)?

In short, the General Data Protection Regulation (GDPR) is a set of European regulations on how EU citizens’ data is handled. In general, the rules are stricter than before, and there are significant fines and penalties if you do not take care to familiarise yourself with the new legislation.

Does it apply to my business?

The General Data Protection Regulation (GDPR) will apply from 25 May 2018.

If you are processing (handling) or controlling (making decisions about) any personal data (for example names, addresses, emails, phone numbers, IP addresses etc.) of an EU citizen, then you will be affected by these changes. This includes businesses that are not necessarily based in the EU and the data is not limited to your clients but also includes employees, suppliers and other partners. There is a separate group of ‘special categories’ of personal data for things like ethnic background or religious views.

Furthermore, the government has indicated that this legislation and the Data Protection Regulation will remain in full force after Brexit.

What do I have to do?

There are 11 chapters and 99 separate articles in the new General Data Protection Regulation (GDPR) legislation. There are various legal reasons you can have for processing data (contract/legal obligation/vital interests/public task/legitimate interests), but generally speaking, the most important one for most small businesses is that of consent.

Consent to handle data needs to be clear, specific, explicit and freely given, so it cannot be hidden in small print or involve a default ‘opt-in’ position.

Additionally, data must be deleted or anonymised after a certain period of time. People will also have the right to access all the personal data you hold on them at any time, or request that you delete the data you are storing on them, so it is important that it is stored in an organised and comprehensible fashion to be accessed quickly and easily.

What are the penalties for non-compliance?

Businesses that breach the new Data Protection Regulation are open to substantial fines of up to €20 million or 4% of your company’s annual global turnover (whichever is larger), so clearly these rules are not to be taken lightly. It is also worth bearing in mind that an individual who suffers as a result of poor data management can sue you for damages.

How can we help?

If you are unsure about what steps to take next, our lawyers are on hand to point you in the right direction.

Our comprehensive and competitively priced advice on General Data Protection Regulation (GDPR) compliance includes, but is not limited to:

  • Update your Terms of Service and Privacy Policy to comply with the GDPR
  • Update your website to comply with GDPR
  • Provide a list of action points to anonymise online payments
  • Advise on anonymising inactive customers and prospects
  • Consult on data mapping
  • Provide full-scale, comprehensible information about “Right to Access” and “Right to be Forgotten”
  • Additional services, such as training your staff

For expert advice and assistance, please contact our lawyers on tel. +44(0)20 7822 8599 and by e-mail: info@sterlinglawyers.co.uk

GDPR – complexities of small print and how to take it easy

Summary by Xena Semikina, Solicitor and Higher Rights Advocate

The EU General Data Protection Regulation (GDPR) is coming into force on 25 May 2018 and so far it has caused quite a stir among businesses.

The date is upon us, the penalties for non-compliance are severe and hardly anyone knows what exactly they have to do to comply. You suddenly find yourself on the wrong side of the law without knowing right from wrong.

The 119 page document was published in small print in an official periodical of the European Union and only lawyers can read it without falling asleep.

However, the beast is not vicious, only misunderstood. We naturally fear things we don’t know, but thankfully we don’t need to take up a degree course every time we face this fear. This article will explain the new law in little more than a thousand words – not enough to make you an expert, but enough to alleviate the fear and prompt you to act.

It’s not difficult to grasp a piece of legislation if you know only one thing about it – its purpose. The purpose of a piece of legislation is its spirit. The spirit of this particular legislation can be summed up in one word – accessibility. This is the only thing that makes this legislation very different from all the pre-existing ones. All the other changes follow from this one and arise from it naturally, by virtue of common sense.

There are two main reasons why information has to be accessible, and this affects data subjects’ rights at two main stages – the stage of data collection and the stage of data retention.

Data Collection

At the stage of data collection the primary concern is the clarity of the information provided to the subjects. It is at this stage that your customers are expected to make the decision whether or not to enter a business relationship with you and share their data. The universal principle of human co-existence in a free world is that every contact between human beings has to be consensual. No one can be made party to something they reject. And business interactions are not different from private interactions in this respect.

Your customers have to give their consent to share their data with you and this consent has to be given knowingly.

‘Knowingly’ means that they have to know what exactly they are consenting to and how exactly their data will be used. They will not know if they are not informed. ‘Informing’ used to mean ‘providing information’. GDPR puts an end to this interpretation, and this is the most fundamental change it introduces.

According to GDPR, ‘informing’ means not only providing information, but presenting it in a clear form, accessible to the majority of people. When you request consent, you have to present your request in clear, unambiguous language, and in a form which is easy to read (Article 7). No more lengthy policies in small print, no more hyperlinks that crash devices before they link – the information has to be right before your customers’ eyes. You have to state your request in plain and concise language, identifying clearly why you need the data, and the subjects have to give their consent explicitly, which means consciously. Pre-ticked boxes no longer count as explicit consent.

Data Accessibility

Now you have collected the data and you keep it. This is where the new law kicks in for the second time, and again with the same kick – accessibility.

In the language of GDPR it is called ‘data portability’. According to Article 20 of the GDPR 2016/679, the data has to be stored in a commonly used and structured format. It has to be machine readable and easily transferable. The rationale behind this rule is very simple.

The data has to be easily accessible and available at short notice on request of the data subject. It also has to be easily deleted if the subject requests it. This is because the subjects have the right of access to the data (Article 15) held by any business or organisation, they have the right to withdraw their consent for the processing of their data at any time (Article 7(3)), and they can request erasure of the data – the so-called ‘right to be forgotten’ (Article 17).

At this stage many of you may think: ‘I don’t like it’. It smells of a total restructuring of your website and maybe the entire business, which for smaller enterprises may mean a great strain on already tight resources.

Here is good news for you.

A lot of businesses don’t need to modify their website or their business practices. Obtaining your customers’ consent is only one lawful basis for legitimate data processing (Article 6). In many clear cases consent may in fact be presumed. This covers situations where the data you have collected is strictly necessary for the pursuit of your business purposes, in other words purposes which are mutual for you and your customers – the provision of services by you to them. In the language of GDPR it’s called legitimate interests.

GDPR & Legitimate Interests

When you think about it, it only makes sense. If someone comes to you and asks you to do something for him, of course he expects you to know where to find him. You do not need to explain to him that this is the purpose of your retaining his data, and you don’t need to ask him for consent, because it is already presumed and clear to both of you. He has given it to you by his act of requesting your services. However, when using this basis for data processing, you have to be extra careful, because you take on extra responsibility for the subjects’ rights and interests, and you have to balance your legitimate interests against their interests and fundamental rights at every point of data collection.

It may well be that your business does not have to undergo painful and expensive restructuring, and all you have to do is update two documents – your Privacy Policy and your Terms and Conditions – to make references to the new legislation. A careful analysis of your website at all points of data collection will show whether you will need your customers’ consent at any of those points or whether you can rely on the legitimate interests basis.

At Sterling Lawyers, for a small fee, we can carry out a thorough analysis of your website and your business practices, and advise you on whether or not you need to introduce changes to comply with the new legislation. We can also help you to amend your existing documents and create customer and staff notices compliant with GDPR.

For any assistance please feel free to contact Xena Semikina, Solicitor and Higher Rights Advocate by e-mail: xena@sterlinglawyers.co.uk or phone +44 (0) 207 822 8599