– John Clarke, Nwes Business Trainer and Start&Grow Advisor
The General Data Protection Regulation (GDPR) comes into force in May this year, replacing earlier, outdated data protection law.
Centre Coordinator Katie Howard recently organised an excellent GDPR breakfast discussion at Rouen House in Norwich. It was a great insight into the new legislation. Nwes Business Trainer and Start&Grow Advisor John Clarke took his notepad and summarised it as follows:
What is it?
The EU’s General Data Protection Regulation replaces the outdated 1995 legislation (the Data Protection Directive) and sets down tighter rules on how personal data may be used. It also introduces harsher penalties for breaking the rules. The fines can be large: up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater. So we really do have to take notice.
It protects individuals in the EU against privacy breaches and the misuse of their personal data, reflecting an increasingly online, data-driven world.
Who does it apply to?
It applies to data “controllers” and “processors”. A controller decides why and how personal data is processed: it could be a company existing to make a profit, a charity or a government body. A processor handles the data on the controller’s behalf, for instance an IT company processing the data under contract.
Consent
- The standards GDPR sets out for consent are high. However, you won’t always need consent, as there may be other lawful grounds for using the data, including “legitimate interests” and “contract”.
- When you rely on consent, you must put people in control: there must be a genuine choice. It’s about building trust and engagement, so the new rules can be viewed positively: essentially, being completely upfront with customers and giving them a clear choice.
- It is important to check your existing consent statements and practices. Make sure they meet the new standards; if they don’t, you will need to change them (or refresh the consent).
- Consent must be a positive opt-in. You can’t use a pre-ticked box, silence or inactivity and hope they don’t notice!
- It must be a clear and specific statement of consent.
- Make sure your consent request is separate from other terms and conditions.
- You can’t rely on a vague or blanket consent; separate consents for different purposes are the safer option.
- The request must be concise and clear.
- You must name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent – tell them how they can do it.
- Keep evidence of consent: who consented, when, how, and what they were told at the time.
Legitimate interests
- This is the most flexible lawful basis for processing. You cannot, however, assume it will always be the most appropriate one.
- It is likely to be most appropriate where people’s data is used in ways they would reasonably expect and which have a minimal impact on their privacy, or where there is a compelling justification for the processing.
- As an example of where it may apply, GDPR (Recital 47) states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
- If you choose to rely on legitimate interests, you take on extra responsibility. You must consider, and be able to show, how you protect people’s interests and rights.
- There are three elements to the legitimate interests basis (the “three-part test”). You need to:
- identify a legitimate interest.
- show that the processing is necessary to achieve it.
- balance it against the individual’s interests, rights and freedoms.
- Legitimate interests can be your own interests or the interests of third parties. They can include commercial interests or individual interests.
- The processing has to be necessary. If you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply.
- Balance your interests against theirs. If they would not reasonably expect the processing, their interests are likely to override any legitimate interest claim.
- Keep a record of your legitimate interests assessment (LIA) to demonstrate compliance.
- You must include details of your legitimate interests in your privacy statement.
Contract
- If you need to process someone’s personal data for either of the following, you can rely on this lawful basis:
- to fulfil a contractual obligation to them; or
- because they have asked you to provide or do something before entering into a contract (e.g. provide a quote).
- The processing must be necessary. Again, if you could reasonably perform the contract (or the pre-contract step) without processing their personal data, this basis will not apply.
- You should document your decision to rely on this lawful basis.
Privacy statements
The GDPR says that the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible.
- written in clear and plain language, particularly if addressed to a child.
- free of charge.
The rules on privacy notices are more detailed and specific than under the Data Protection Act 1998 (DPA) and place an emphasis on making them understandable and accessible.
What to include in your privacy statement:
Full details of the GDPR can be found at www.eugdpr.org.
If you are interested in exploring Start&Grow, the UK’s only online business resource platform, register for free online at startandgrow.uk. You can also follow Start&Grow on Facebook, Twitter and Instagram for advice and news.