Getting to grips with GDPR – the General Data Protection Regulation
It may have taken four years of preparation and debate but the General Data Protection Regulation, commonly known as the GDPR, has now been approved and will apply from 25 May 2018.
The GDPR requires all businesses within the EU – no matter the size – to collect, store and use personal data more securely. In the UK, the Office of the Information Commissioner will be responsible for enforcement.
The GDPR will update UK law from the Data Protection Act 1998.
Businesses which operate outside the UK may be subject to local laws, which are outside the scope of this article.
This is a European Law – what about Brexit?
The UK will be a member of the EU until at least April 2019. The GDPR will therefore apply to UK businesses from May 2018. Any changes after the UK leaves the EU are unlikely to be significant.
Does data protection law apply to parks?
In short, yes.
Data protection law applies to anyone who controls (stores) or processes (uses) personal data which identifies any individual. Parks collect personal data about these data subjects every day. This may range from the names and addresses of customers to sensitive personal data about the health status of their employees. The GDPR updates the definition of personal data to include genetic data and data captured online such as location data and online identifiers.
Processing includes (but is not limited to) collection, recording, organisation, structuring and storage of data. The data does not need to be held on a computer.
Will parks need a Data Protection Officer?
All parks should ensure that someone in their business is responsible for complying with data protection law. Both the requirements and the risks of getting it wrong are increasing.
The GDPR will require some data controllers and processors to formally appoint a Data Protection Officer. A Data Protection Officer must directly report to top management, be specifically consulted on issues of data protection and appropriately qualified. They do not need to be full time, or even an employee.
A park will be legally required to appoint a Data Protection Officer if its core activities involve regular and systematic monitoring of data subjects on a large scale. This might be the case if the park has an extensive CCTV system in place, for example.
Do customers and employees have to give their consent before the park can store and use their data?
Data must be processed fairly. This will usually involve obtaining consent although there may be exceptional circumstances. For example, it will usually be fair to disclose information to the police if they are investigating a crime.
The GDPR makes some important changes. The first is to require the data subject to clearly affirm their consent instead of just signifying it. If a data subject complains to the ICO, then the ICO will look at whether the data subject was given a genuine choice and was fully informed.
Second, the consent must be obtained by a transparent method. Subjects must opt in, not out. Pre-ticked boxes will no longer count and a consent concealed in standard terms and conditions is unlikely to do so either.
The business will be expected to prove that they have consent, where this is required. Existing consents need to be reviewed to ensure they meet GDPR standards.
Finally, the subject must be able to withdraw their consent. Parks must be able to remove a customer or employee from a database whenever this is requested and the park does not have a valid reason to refuse. For example, a customer who owes money could not require details of the debt to be deleted!
Will data have to be stored and processed differently?
The GDPR confirms the move to privacy by design and privacy by default. For example:
- data must not be processed more often than is necessary;
- it must be pseudonymised where possible. For example, if a park decides to share some customer feedback with the team then rather than reporting “Mrs Smith said x and Mr Jones said y” then it may be sufficient to call them Customers A and B;
- technical and security systems must be appropriate and include back-up facilities;
- there should be ongoing review and security testing.
Will a park be responsible for its business partners?
If a park contracts out any data processing, for example to a marketing company, then it must put in place a data processing agreement which requires the contractor to comply with GDPR. This new requirement is also likely to apply to parks which use Cloud storage services. Parks should check that their storage provider has updated their terms and conditions.
Have the record keeping requirements changed?
The GDPR will require businesses to produce records of processing activities to the ICO on request. Parks must therefore be able to show how they are using the data they hold.
What will happen if there is a data breach?
The GDPR will define a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
There will be a strict 72-hour deadline to report any breaches. This means calendar hours, not working hours! A breach on a Friday must be reported no later than the same time on the Monday. Separate reports are required to the ICO and to every data subject affected, unless their data was sufficiently protected – for example by being encrypted.
New subject access rights
The rights of data subjects to see copies of their records are being increased. Parks must be prepared to provide copies online and to act quickly – the time limit for most cases has been reduced to one month. Charges will only be possible in exceptional circumstances, such as where the same request is repeated.
Data subjects will also have the right to have all personal data erased and so “forgotten” once it is no longer required.
The cost of getting it wrong
Not only have obligations increased, but also the penalties for not meeting them.
An aggrieved data subject may already complain to the ICO or bring a claim and receive compensation.
The ICO may also impose fines. The GDPR increases the maximum fines to 20 million euros, or 4% of the organisation’s global revenue (whichever is higher). Whilst the largest fines may be reserved to the largest organisations, the ICO already has a record of imposing significant fines for the most serious breaches.
Fines may be reduced where the business has made its best efforts to comply with the GDPR. One way to do so is to obtain certification under the ICO accreditation scheme, although this accreditation cannot be relied upon to guarantee any reduction or exemption.
So what do parks have to do to comply?
The GDPR will affect most organisations in the UK. Most parks will need to make some changes.
As GDPR will apply to all data, whether old or new, now is the time to start. GDPR will apply in full from 25 May 2018. No further time will be allowed for implementation!
View or download our GDPR Checklist