Tony Bingham explains the ins and outs of GDPR compliance, and how to make sure you don't fall foul of the new data rules
GDPR – how are you coping? Or, rather, how is your inbox coping? Talking of inboxes, I bought the new iPhone X. The Apple Shop man soon downloaded all my bumf from the "cloud". Slick, except that it didn't stop downloading. In came 26,640 emails from the last umpteen years. What fun.
So to GDPR: in my view, it's gone too far. A pal of mine has just received a "Let's stay in touch" email from his first wife – he hasn't seen her for five years. Another pal is a member of a local allotment society: for them, GDPR stands for the Gardening, Digging, Planting and Raking club. And, yes, the Information Commissioner's Office told the 40 members they must send emails telling each other about private and personal things.
Let me make a confession: this GDPR thing is driving me scats. What is this malarkey all about?
Data protection regulations have existed in the EU for the last 20 years. This new GDPR is an add-on to give you and me more power over our personal data – what, how, why, where and when our personal data is used, processed (big word) and disposed of. From what I can fathom, there are quite a few outfits out there that have got something on you, and you, and you. And you don't even know that your personal stuff is being passed from pillar to post.
What is personal data? It is any data that relates to an "identifiable natural person": name and address; ID numbers; health and genetic data; racial or ethnic data; political opinions (wow); sexual orientation and much more. Also included is web data such as location, IP address and cookie data – those little fiends that can identify you via the device you are busy using. This all counts as personal data from now on – even if it identifies you only indirectly. An inter-company letter, email or memo, for instance, includes such indirect personal data.
I got in touch with the Information Commissioner's Office. This is the team of honchos in charge of all this territory. They wanted to know whether I had "registered under the Data Protection Act". It is £35 per year – or £500 if your turnover is £25.9m and you have more than 249 staff. What for? It is to give you a badge that says "I am processing" (big word again). I told the fellow what I did for a living and he went to speak to his boss. They didn't know if I was processing or not, but said I should send the money anyway. He pointed me to the recommended "12 steps to take now" for GDPR. And here they are:
- Awareness: Tell all your colleagues in the office that from 25 May the law changed to apply the GDPR (as if they didn't know).
- Information you hold: Glibly the guide says "You should document the personal data you hold […] where it came from and who you share it with".
- Communicating privacy information: Having collected people's personal information, you have to tell them how you intend to use it – that's done via a "privacy notice".
- Individual rights: Introduce into your procedures a method of telling people how you delete their info, and of their right of access, right of rectification, erasure, processing restriction right, right to object, and, oh dear, more besides.
- Subject access requests: Compile your procedure for handling requests: fee or no fee, time limit, refusal system, complaints system.
- Lawful bases for processing personal data: Advise individuals of their right to require you to delete their data. I like that.
- Consent: Seek, record and manage consent. Consent needs to have been freely given, and must be specific, informed and unambiguous. It cannot be silent. There must be a simple system of consenting to "processing" data and easy withdrawal of consent.
- Children: This is all about social networking safeguards. For those under 16, parental consent is needed to process an individual's data. Great care is needed if you offer online services and collect child data. And you must write in language a child can understand.
- Data breaches: You must devise a procedure to detect, report and investigate any personal data breach. Failure to report a breach incurs a fine.
- Data protection by design: This means carrying out a privacy impact assessment – weighing up the consequences, effect or risk of data escaping – and it is an express legal requirement.
- Data protection officers: You must designate a person to take responsibility for data protection compliance, especially if you are a big boy – or engage one of the numerous folk offering the service for a fee, of course.
- International: It applies EU-wide, but you can choose where your lead data protection authority is if you operate in more than one EU country.
Processing is what you do with someone's private data: who it is shared with, and how, and why. Don't risk discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage by getting it wrong. Perhaps the name should be changed from GDPR to GOTCHA – this territory is a minefield; it is so easy to put a foot wrong.
As for my overflowing inbox: this has been a great opportunity to press the unsubscribe button.
Postscript
Tony Bingham is a barrister and arbitrator at 3 Paper Buildings, Temple