In part two of our GDPR guide, Hayley Pells explains how practical steps will help you be ready.
It hasn’t been a good month for the public’s perception of how companies use their data. You may have noticed that during the TV coverage of Facebook and Cambridge Analytica, Elizabeth Denham, the UK’s Information Commissioner, would pop up to reassure the public that steps were being taken to regulate how their data was used and stored by companies, which was of course a reference to GDPR. If there was any doubt about how seriously the country is going to take the new legislation, this will be a wake-up call.
Last month, we explored the background of GDPR and how it is going to affect your business. This month, we are going to explore a step-by-step guide to show you how you can become legally compliant yourself. If you are unsure of the process there is still time to get some professional help. There are independent consultants all over the country and there are larger organisations who are able to roll out a fast-to-access service. The average garage owner can do this in-house, but if you are busy, it could be a more cost-effective solution to outsource.
STEP 1 – Awareness
Following on from last month’s article, you need to make sure all of your team know about the legislation. In my case, trying to explain it to my father who I work with (and is in his late sixties) is a hoot, but we got there. The key area to get across is the impact this compliance will have on the business and acknowledging the time and cost it will require to implement. Do you have a risk register? It could be useful to have one. Compliance can be difficult if the preparations are left to the last minute, especially if you then plan to outsource.
STEP 2 – Current situation
What personal data do you hold about your clients and staff? Do you really need it? This is a good opportunity to “clean house.” Dispose of the unrequired information responsibly, ensuring that the data is inaccessible at the point of disposal.
What you should be left with is the information that you need. What do you do with it? This is how compliance with the accountability principle of GDPR is achieved. You need to know what information you hold, where it is held and how it is held. It must be held securely. When sharing data, this needs to be done responsibly. For example, does someone else process your payroll? Now is the time to check that the information you share is handled in a responsible manner and that your service provider is up to speed with their obligations.
Having assessed your current situation, it is a good idea to record it and then outline your strategy for improvement. This is a very similar process to how you would complete a risk assessment.
STEP 3 – Communicating
Do you have a privacy notice? Currently, when you collect personal data you need to give people the following information:
– Who you are
– How you intend to use their information
You have probably been giving that information without thinking; to continue with the payroll simile: “I’m Fred Bloggs, I need your NI number to process your pay.” With the GDPR, this is expanded upon, and there are now a couple of extra things you need to tell people:
– Your lawful basis for processing the data
– Data retention periods
– The individual’s right of complaint to the Information Commissioner’s Office
So for this I shall use the example of information that I gather for an MOT test. My lawful basis for collecting information about my client is that I have been tasked with performing an MOT test on their vehicle. I keep this data for one year, and the ICO’s website can be found at ico.org.uk – they are the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights in the public interest. The GDPR requires that plain language is used; every step should be as clear and concise as possible.
STEP 4 – Individual’s rights
You should check and record your procedures to ensure they cover the following rights of the individual, including how you would erase personal data or provide personal data electronically in a commonly used format:
– The right to be informed
– The right of access
– The right to rectification
– The right to be forgotten
– The right to restrict processing
– The right to data portability
– The right to object
– The right not to be subject to automated decision-making including profiling
Now bear with me, this all probably sounds like something completely new, but before spanners are thrown up into the air and “this modern euro nonsense is just taking over everything, I am but a simple mechanic” is hailed (or was that just my father?), let us examine what this means practically. A lot of these rights are just basic common sense, and you are probably employing them right now. The key area that is significantly different is the right to data portability, which only applies:
– To personal data an individual has provided to a controller
– Where processing is based on the individual’s consent or for the performance of a contract
– When processing is carried out by automated means
With the Data Protection Act, you could, if you so wished, charge a fee for the provision of data to the individual. Under the GDPR you cannot, and the information provided by the ICO insists that it be provided in a structured, commonly used and machine-readable form.
STEP 5 – Access Requests
Step four outlined the rights the individual has; step five now examines how those rights are handled. It is good practice to have this recorded and to share it with everyone in your organisation.
– No charge for information requests
– Information to be given within a month (under the Data Protection Act, this was 40 days)
– You can refuse or charge for requests that are manifestly unfounded or excessive
– If you do refuse a request, you are legally obliged to tell the individual why, and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest within one month.
If you have a large organisation or you handle large numbers of information requests this may be a good time to assess the implications of dealing with requests quickly. It may be worth considering the desirability of systems that allow individuals to access their own information online.
STEP 6 – Lawful basis for processing personal data
As individuals now have a stronger right than under previous legislation to access their personal data, in order to achieve compliance with the GDPR you should document and share your lawful basis for the collection and processing of this data. This is especially important now that individuals have the right to deletion of their personal data.
STEP 7 – Consent
Consent cannot be inferred from silence and must not be an “opt out” (no pre-ticked boxes or assumptions). This is quite a broad area and will be explored further next month with detailed guidance. Consent cannot be thrown in with your general terms and conditions, as it must be freely given, specific, informed and unambiguous. In my opinion, post 25th May 2018, this is going to be the next big goldmine for all those companies that are currently benefiting from the PPI refunds; it will be an easy area to identify non-compliance if the correct procedures are not in place.
STEP 8 – Children
Before shoulders are shrugged because you don’t deal with children, first understand what is meant by the term “child”. Although the consent given by children within this context tends to be more concerned with young children and internet-related services such as social networking, it would be a good idea to consider how you handle the information of apprentices (or any other employee or client who is under 18). Currently the GDPR sets the age at 16; this may be lowered to 13. Being mindful of how this age limit may change, and building it into your policy documents for the younger people that you may deal with, will be the best method to achieve compliance.
If your organisation does deal with children, you must remember that consent must come from someone with “parental responsibility” and has to be verifiable. Your privacy notice must be written in language that children can understand.
STEP 9 – Data Breaches
What to do if it all goes wrong? The legislation does recognise that, just as locking the door to your home doesn’t stop thieves getting in, you may be subject to a data breach that, under normal working circumstances, would not happen.
If you have a breach, determining the nature of the breach will direct your next course of action. You only need to notify the ICO if the breach is likely to risk the rights and freedoms of the individual, for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. If this breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify them directly.
In order to achieve compliance with the GDPR you must have procedures in place that detect, report and investigate personal data breaches. Having a good clear out at step two will reduce the risk in this area.
STEP 10 – Data Protection by Design and Data Protection Impact Assessments
Remember when you had to uncheck a prefilled box to opt out of things online? Now you have to check it yourself; this is what that is about. The chances are, if you collect data in this way, this is something that you are already aware of, and I am personally at a loss as to why you would have a need to process information in this way within the automotive aftermarket, but I am sure there is someone out there who could enlighten me!
STEP 11 – Data Protection Officers
If it is everyone’s job, nobody does it. Identifying a person responsible for data protection compliance is now a formal obligation in certain circumstances. You probably won’t be one of them, but it is still good practice to formally appoint someone to oversee your compliance. That person should take proper responsibility for your data protection compliance and have the knowledge, support and authority to carry out their role effectively.
STEP 12 – International
If you are lucky enough to deal internationally with your organisation, you should determine your lead data protection supervisory authority and document this. The lead authority will be where your central administration is located, but this is only relevant where you carry out cross-border processing. (This step doesn’t apply to my garage. Currently.)
Hopefully, this article will be helpful in becoming compliant yourself. The advantage of doing this yourself is that your organisation will become familiar with the new legal responsibilities organisations have with respect to personal data. The next article will thoroughly examine the subject of consent and how it is applied in this context.