TwentyEA's guide to GDPR
What is GDPR?
The GDPR (General Data Protection Regulation) is the new EU Data Protection regulation that replaces the Data Protection Act 1998 and comes into force on 25th May 2018.
It enhances the protection of the personal data of EU citizens and increases the obligations for organisations who collect and process personal data of these citizens.
The ICO has published an excellent set of webpages to inform you about GDPR, which you can find here. In this guide we aim to give you an overview of some key points, as well as some practical tips to help you on your GDPR journey.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person, for example a name, address, email address, phone number and so on.
I’m only a small business, do I have to comply?
Yes. If you hold and process personal information about your clients, prospects, employees or suppliers, you are legally obliged to protect that information in line with the regulations.
Under GDPR, you will need a lawful basis to collect and process any personal data, and, importantly, you must document which basis you have decided to rely on. There are six lawful bases, which are: -
- Consent
- Contract
- Legal Obligation
- Vital Interest
- Public Task
- Legitimate Interest
It is unlikely that you will use Vital Interest or Public Task for any of your processing. You will most likely process your customers' information under Contract, so that you can fulfil their contract with you. For marketing activities you will most likely rely on either Consent or Legitimate Interest, but to rely on Legitimate Interest you must first have completed a balancing test. The Data Protection Network has published a really good template for this, which is available here, and further information on what each of the lawful bases is and how it can be used can be found on the ICO website here.
Most of the existing data subject rights under the Data Protection Act 1998 have been brought into the GDPR with a couple of changes and additions: -
- Right to be informed
- Right to object
- Right to access
- Right to rectification
- Right to restrict processing
- Right to erasure
- Right to data portability
Again, you will find full details of each of these rights on the ICO website here. It is unlikely that data portability will apply to anything that you do, but please check!
What should you be doing to prepare for GDPR?
If you haven’t already, we recommend taking the following steps: -
- Create a small working group
- Have a read of the GDPR guidance from the ICO. We'd also recommend reading the ICO's "12 Steps to take now" guide, which broadly outlines the process that we are going through; you can find it here. We like the simple infographic on page 2.
- Conduct a gap analysis to cover:
  - What information do you have?
  - What is it used for?
  - Where is it held?
  - Who has access?
  - Is it shared outside of your organisation? If so, where and for what purpose?
  - If data was collected under consent, what statements were used to collect it?
  - Do you have contracts in place with all of your data processors, and do they cover the Article 28 requirements? (We've found that most data processors are proactively pushing out updates to their terms of service.)
- You will almost certainly need to update your website privacy policies and fair processing notices.
- Once you've done your gap analysis, prioritise your work stream items; you can't do everything at once.
Our top tips
Only take information from reputable sources such as the ICO or the DMA, to avoid the hundreds of myths about GDPR, such as "consent is needed to process all data". It's not: consent is just one of the six lawful bases. You can read more about some of the common myths on the ICO blog here.
The ICO has also created checklists and several other resources, all available through the links above. They have also set up an SME helpline (holding time varies but can be 30-45 minutes); full details are available here.
Don't re-invent the wheel; feel free to re-use anything we have created, for instance.
Check whether you need any new policies, such as a Data Retention Policy. Have you documented how long you will keep the personal data? (You will have told the data subject this when you collected the data, under Article 13.) Make sure you also have a process for adhering to those retention periods.
What have we been doing to prepare for GDPR?
The GDPR is very clear that you should have greater control over your personal data and that it should be easy for you to exercise that control. TwentyEA is fully supportive of this and welcomes any change that enhances the legitimate use of data in ways that add value for data subjects.
To that end TwentyEA is committed to working with all partners, suppliers and clients to ensure that we: -
- Provide appropriate notifications to data subjects;
- Give full and easy effect to data subject rights;
- Achieve high standards of data protection generally; and
- Market responsibly and ethically.
TwentyEA formed a working group in 2016; it is made up of a number of individuals from various teams across our business.
We began with a business gap analysis, and from this we identified a number of tasks that we needed to complete. These included (but are not limited to): -
- Documentation - making sure that we have detailed documentation for all data that we process; this ranges from Employment, Recruitment, Suppliers, Clients and Prospects to the data contributors to our products.
- Lawful Basis – making sure we have identified a lawful basis for all the different types of data we process.
- Legitimate Interest Assessments - following the Data Protection Network template.
- Consent – making sure that any data that has been, or will be, collected under Consent meets the standards of consent in the GDPR.
- Awareness – making sure that all our employees and Clients are aware of the GDPR and its implications.
- Privacy Policies – making any necessary updates.
- Procedures – making sure our procedures such as Complaints, Objecting to Processing, Subject Access Requests, Data Breaches are fit for purpose under GDPR.
- Contracts – updating these under Article 28, which requires contracts between Controllers and Processors to include some specific terms. We will be issuing updates to our contracts soon, so watch out for this.
- Our Data Contributors - as you would imagine, we are heavily engaged with each of our data contributors and we are auditing all data collection points for GDPR readiness. Based on our current views, we are confident that the data available to our Clients will continue to be comprehensive.
If you have any specific questions on GDPR, please contact our GDPR team at gdprteam@twentyci.co.uk.
Disclaimer
The information provided here represents our views of the GDPR. It does not constitute legal advice, and our views may change as the Information Commissioner's Office publishes more guidance. You should consider taking your own legal advice as you see appropriate.