An alternative law firm

POCKET GUIDE TO THE GENERAL DATA PROTECTION REGULATION
CONTENTS

ABOUT US 3
INTRODUCTION 4
KEY ISSUES 5
PROCESSING PERSONAL DATA 7
LAWFUL BASIS FOR PROCESSING 9
INDIVIDUAL RIGHTS 11
ACCOUNTABILITY, GOVERNANCE AND TRANSPARENCY 16
DATA PROTECTION BY DESIGN AND BY DEFAULT 18
PERSONAL DATA BREACHES 19
INFRINGEMENT 20
CHECKLIST 21

stephensonlaw.co.uk
ABOUT US

Stephenson Law is a specialist, independent law firm focusing on commercial, corporate and technology law. We provide expert advice and guidance for businesses on issues concerning social media, information technology, data protection and intellectual property.

Stephenson Law can help you understand complex legislative provisions and provide clear and straightforward legal advice so that you can concentrate on running your business.
INTRODUCTION

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and replaces the Data Protection Act 1998. It expands the rights of individuals to control how their personal data is collected and processed and places more stringent obligations on businesses to be more accountable for data protection and privacy within their entire business practice.

The GDPR requires personal data to be:

• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date, having regard to the purposes for which they are processed, and erased or rectified without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• processed in a manner that ensures appropriate security of the personal data.

The GDPR is all about ensuring accountability and transparency. As long as you can demonstrate that your business takes data protection seriously, has implemented systems, policies and procedures to ensure the safe transfer of data and is processing data lawfully, the threat of enforcement action should not be a dark looming cloud.

The aim of this guide is to provide you with a basic and easy to digest overview of the GDPR and the steps you need to take to be compliant. Whilst this guide is no substitute for legal advice, it is intended to provide you with a good starting point for your business.
KEY ISSUES

The GDPR raises a number of key issues that businesses need to consider, including the following:

• Many things are changing, but not everything
  The GDPR makes many important changes to EU data protection law, but it is not a complete departure from existing principles. Many of the concepts that organisations are familiar with will continue to apply under the GDPR.

• Consent
  Consent becomes harder to obtain and rely on. Notably, the GDPR states that consent is not valid where there is a ‘clear imbalance’ between the controller and the data subject.

• Rights of data subjects
  Some rights of data subjects are strengthened by the GDPR (e.g. the right to object) and some new rights are created (e.g. the right to data portability). These rights may make it harder to lawfully process personal data.

• 72 hour data breach notification
  The GDPR requires businesses to report data breaches to the ICO within 72 hours of detection. For many businesses, radical changes to internal reporting structures will be needed to comply with this.

• Increased compliance obligations for controllers
  The GDPR imposes new and increased compliance obligations on controllers (e.g. implementing appropriate policies, keeping records of processing activities, privacy by design and by default, etc).

• Direct compliance obligations for processors
  Under the GDPR, processors will have direct legal compliance obligations and will be subject to enforcement action.
• Appointing a DPO
  If you regularly and systematically monitor data subjects, or process sensitive personal data on a large scale, you will need to appoint a Data Protection Officer (DPO).

• Cross-border data transfers
  If you are transferring personal data out of the EEA, you need to ensure you are using an approved transfer mechanism.

• Remedies and sanctions
  The consequences of breaching EU data protection law escalate dramatically under the GDPR, which sets the maximum fine for a single breach at the greater of €20 million or 4% of annual worldwide turnover.
PROCESSING PERSONAL DATA

The GDPR applies to controllers and processors. A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller.

It ensures that both processors and controllers process personal data for a lawful reason (see page 9), do not retain that data for too long and maintain records of personal data processing activities. It also places additional obligations on controllers to ensure that all contracts with processors comply with the GDPR.
WHAT IS PERSONAL DATA?

Personal data means any information relating to an individual which can identify them, either directly or indirectly. It can refer, amongst other things, to an identification number, or to one or more specific identifying pieces of data, such as an address or date of birth.

The definition of personal data reflects changes in technology and the way businesses collect information about people. The GDPR applies to both automated personal data and to manual filing systems.

WHAT IS SENSITIVE PERSONAL DATA?

The GDPR refers to sensitive personal data as ‘special categories of personal data’, which specifically includes genetic and biometric data, as well as data relating to race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, a natural person's sex life or sexual orientation, as well as data relating to children.

The GDPR imposes additional obligations on businesses processing sensitive personal data because this type of data could create more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.
LAWFUL BASES FOR PROCESSING

In order to process any type of personal data, you need to have a valid lawful basis. There are six available lawful options. No single basis is 'better' or more important than the others - which basis is most appropriate will depend on your purpose and relationship with the individual.

Most lawful bases require that processing is 'necessary.' If you can reasonably achieve the same purpose without the processing, you won't have a lawful basis. You must also determine your lawful basis before you begin processing, and you should document it, in a privacy notice for example.

WHAT ARE THE LAWFUL BASES FOR PROCESSING?

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law.

Vital interests: the processing is necessary to protect someone's life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.

For the purposes of this guide, we will focus on consent and legitimate interests.

CONSENT

The GDPR sets a high standard for consent. If consent is difficult, look for a different lawful basis.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement and enhance your reputation. The GDPR is both forward and backward facing and so you will need to check your existing consents and refresh your consents if they don't meet the GDPR standard.

Under the GDPR, consent requires a positive opt-in. You will be unable to rely on pre-ticked boxes or any other method of default consent. Consent requests must be kept separate from other terms and conditions and must be unbundled. You must be specific and granular so that you get separate consent for separate things. Vague or blanket consent is not enough.

You will also need to name any third party controllers who will be relying on the consent you have obtained, make it easy for people to withdraw their consent by telling them how, and keep evidence of that consent. The easiest way to do this is through the privacy notice on your website.

LEGITIMATE INTERESTS

Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be appropriate where you use someone's data in such a way that they would reasonably expect, and which has a minimal privacy impact, or where there is a compelling justification for the processing. The GDPR specifically mentions direct marketing when discussing legitimate interests. However, if you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects.

There are three elements to the legitimate interests basis. It helps to think of it as a three-part test. You need to:

1 identify a legitimate interest
2 show that the processing is necessary to achieve it
3 balance it against the individual's interests, rights and freedoms

The legitimate interests can be your own interests or the interests of third parties. This can include commercial interests, individual interests or broader societal benefits. The processing must be necessary; if you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply, and you must balance your interests against the individual's. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

When using legitimate interests as your lawful basis, you will need to keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
INDIVIDUAL RIGHTS

The GDPR provides the following rights for individuals:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

THE RIGHT TO BE INFORMED

The right to be informed encompasses the obligation to provide 'fair processing information' and is typically done through a privacy notice. It emphasises the need for transparency over how you use personal data, where you must provide:

• the identity and contact details of the data controller and the data protection officer (if applicable);
• the purpose of the processing and the lawful basis for the processing;
• the legitimate interests of the controller or third party (where applicable);
• categories of personal data, e.g. name, address, email address, telephone number etc;
• any recipient or categories of recipients of the personal data;
• details of transfers outside the EEA and safeguards;
• retention period or criteria used to determine the retention period;
• the existence of data subjects’ rights;
• the right to withdraw consent at any time, where relevant;
• the right to lodge a complaint with a supervisory authority; and
• the existence of automated decision making, including profiling.

Where the data is obtained directly from the data subject, the above information should be provided at the time the data is being obtained. Where the data is not obtained directly from the data subject, it should be provided within a reasonable period of having obtained the data (within one month).
RIGHT OF ACCESS

Individuals have the right to access any personal data and supplementary information you hold. Under the GDPR, individuals have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information - this largely corresponds to the information that should be provided in a privacy notice.

You must provide a copy of the information requested free of charge and without delay, within one month of receipt. This period can be extended by a further two months where requests are complex or numerous, and requests can be refused if they are manifestly unfounded or excessive. Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy, without undue delay and at the latest within one month.

RIGHT TO RECTIFICATION

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the rectification (unless this proves impossible or involves disproportionate effort).

You need to respond to a request for rectification within one month (which can be extended by two months where the request is complex). Where you are not taking action in response to a request for rectification, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
RIGHT TO ERASURE

The right to erasure is also known as the 'right to be forgotten'. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to erasure is commonly misunderstood and does not provide an absolute 'right to be forgotten' - individuals have a right to have personal data erased and to prevent processing only in specific circumstances, i.e.:

• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When the individual withdraws consent.
• When the individual objects to the processing and there is an overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed.
• The personal data has to be erased to comply with a legal obligation.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.

While this might be challenging, if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements.
RIGHT TO RESTRICT

Individuals have a right to 'block' or suppress processing of their personal data. When processing is restricted, you are permitted to store the personal data, but not process it further. You will be required to restrict the processing of personal data where an individual contests the accuracy of the personal data while you verify it, where an individual has objected to the processing and you are considering whether your organisation's legitimate grounds override those of the individual, and when the processing is unlawful but the individual opposes erasure.

RIGHT TO DATA PORTABILITY

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It enables them to take advantage of applications and services which can use their data to find them a better deal, or help them understand their spending habits, such as price comparison sites.

The right to data portability applies to personal data an individual has provided to a controller, where the processing is based on the individual's consent or for the performance of a contract, and when processing is carried out by automated means. You must provide the information in a structured, commonly used and machine-readable form within one month and free of charge (unless complex or numerous).
RIGHT TO OBJECT

Individuals must have an objection on grounds relating to his or her particular situation. You must stop processing the personal data unless:

• you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual; or
• the processing is for the establishment, exercise or defence of legal claims.

You must inform individuals of their right to object ‘at the point of first communication’ and in your privacy notice.

DIRECT MARKETING

You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse. You must also deal with an objection to processing for direct marketing at any time and free of charge.

RIGHTS RELATED TO AUTOMATED DECISION MAKING INCLUDING PROFILING

Automated decision making relates to making a decision solely by automated means without any human involvement, and profiling is the automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process.

Businesses obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data which you might collect.

Under the GDPR, you can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

• necessary for entering into or performance of a contract between an organisation and the individual;
• authorised by law; or
• based on the individual's explicit consent.
ACCOUNTABILITY, GOVERNANCE AND TRANSPARENCY

The Information Commissioner’s Office (ICO) is the UK’s regulatory body governing compliance with the GDPR. All businesses processing personal information are required to register with the ICO, and the ICO expects businesses to put in place comprehensive (but proportionate) governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for businesses.

In order to be accountable for the data you process, you must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities and reviews of internal HR policies.

You will also need to implement measures that meet the principles of data protection by design and data protection by default. Measures could include data minimisation, pseudonymisation, creating and improving security features on an ongoing basis, using data protection impact assessments and appointing a data protection officer.

Being transparent and providing easily accessible information to individuals about how you will use their personal data is a key element of the GDPR. The most common way to provide this information is in your privacy notice.
The first principle of data protection is that personal data must be processed fairly and lawfully. The GDPR says that in order for processing to be fair, the data controller has to make certain information available to the data subjects, so far as practicable:

• who the data controller is;
• the purpose or purposes for which the information will be processed; and
• any further information which is necessary in the specific circumstances to enable the processing to be fair.

The main elements of fairness include:

• Using information in a way that people would reasonably expect
• Thinking about the impact of your processing. Will it have unjustified adverse effects on them?
• Being transparent and ensuring that people know how their information will be used

It is also important to recognise that the ways in which data is collected are changing. Traditionally, data was collected directly from individuals, for example when they filled in a form. Increasingly, businesses use data that has not been consciously provided by individuals in this way. It may be observed by tracking people online or by smart devices, derived from combining other data sets, or inferred by using algorithms to analyse a variety of data such as social media, location data and records of purchase in order to profile people.

In these cases you are acquiring and processing personal data about individuals, and the requirement to be fair and transparent still arises. These new situations can make it more challenging to provide privacy information, and new approaches may be required. A good way to approach these issues is to carry out a privacy impact assessment (PIA). This is a methodology for assessing and mitigating the privacy risks in a project involving personal data.
DATA PROTECTION BY DESIGN AND DEFAULT

Under the GDPR, businesses have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into all processing activities.

Privacy by design has always been an implicit requirement of data protection which promotes privacy and data protection compliance from the start, by default, and then throughout its lifecycle. For example, when:

• building new IT systems for storing or accessing personal data;
• developing legislation, policy or strategies that have privacy implications;
• embarking on a data sharing initiative; or
• using data for new purposes.

Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset means that potential problems can be identified at an early stage, and addressing them at this stage will often be simpler and less costly. It will also increase awareness of privacy and data protection across the business, ensuring that you are more likely to meet your legal obligations under the GDPR.
PERSONAL DATA BREACHES

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Personal data breaches can include:

• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.

When a personal data breach has occurred, businesses will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk then businesses must notify the ICO; if it’s unlikely then no report needs to be made. However, if a breach is not reported, this decision must be justified and documented.

Businesses reporting a breach must do so within 72 hours of becoming aware of the breach, where feasible. Where the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, they must also inform those individuals without undue delay.
INFRINGEMENT

The ICO can impose fines of up to €20 million or 4% of annual global turnover (whichever is greater) against both data controllers and data processors. Examples of breaches which could attract a fine include:

• breach of the basic processing conditions, including in respect of obtaining consent;
• infringement of the rights of data subjects;
• international transfers of personal data;
• failure to implement or adhere to a subject access request process;
• failure to implement measures to ensure privacy by design;
• failure by a controller in relation to the engagement of processors;
• failure of a processor to process data only in accordance with the controller’s instructions;
• failure to report data breaches; and
• failure to appoint a data protection officer, if such an appointment is required pursuant to the GDPR.

The ICO will take into account the circumstances surrounding the breach when assessing the level of fine, including, for example, the type and volume of personal data affected by the breach, the level of loss or damage suffered by the affected data subjects, whether the breach was negligent or wilful, and any previous infringements of GDPR by the breaching party.

In addition to the imposition of fines, the ICO may choose to conduct audits, review certifications, issue warnings and reprimands to controllers and processors that have breached GDPR, and impose limitations and restrictions around the breaching party’s ability to process data. Reputational damage could also be significant.
CHECKLIST

[ ] Awareness – ensure that all decision makers in your business are familiar with the principles of GDPR

[ ] Information audit – identify (and document) what personal data you hold, where it came from and who you share it with

[ ] Data processing agreements – review and update all existing processing agreements and all agreements moving forwards

[ ] Privacy notice – review and update your current privacy notice

[ ] Individuals’ rights – check your procedures cover all the rights that individuals have, e.g. to ensure you can delete personal data or provide data electronically in a commonly used format

[ ] Subject access requests – update your procedures to ensure you can handle requests within the new timescale

[ ] Lawful basis for processing personal data – identify the lawful basis for your processing activity, document it and update your privacy notice to explain it

[ ] Consent – review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents if they don’t meet the GDPR standard.

[ ] Children – consider whether you need to introduce systems to verify individuals’ ages and to obtain parental consent for any data processing activity

[ ] Data breaches – ensure you have the procedures in place to detect, report and investigate any breaches

[ ] Data protection by design & impact assessments – familiarise yourself with the ICO’s code of practice on privacy impact assessments and consider how and when to implement them in your business

[ ] Data protection officers – designate someone to take responsibility for data protection compliance and decide whether you need to formally appoint a DPO