GDPR – What You Need to Know!

With the GDPR implementation date of 25 May fast approaching, our Compliance Partner Jon Wilby gives a quick re-cap (or heads-up if it's somehow passed you by until now) of the minimum that all businesses need to know about the new data protection laws.

-GDPR applies to any data from which a living person resident in the EU can be identified. For most businesses this means customers/clients, employees and individual suppliers/contacts.

-It regulates how the data can be processed lawfully (anything else is unlawful, which is a criminal offence punishable by hefty fines). Processing covers the collection, storage, use, sharing, alteration and destruction of personal data.

-Lawful processing of personal data must fall into at least one of these categories:

1. Explicit consent (failure to opt out is not consent).
2. Performance of a contract with the Data Subject.
3. To comply with a legal obligation.
4. In the public interest/for the purpose of some official authority.
5. Necessary for legitimate business interest reasons which are not outweighed by the privacy rights of the Data Subject.

-Personal data must be processed in a transparent manner, kept up-to-date, limited to the specified purpose, kept securely and in a form that permits identification of the data subject for no longer than is necessary.

-The data subject's rights include:

1. To be informed about the processing of their personal data
2. To have access to it
3. To rectify errors
4. To object to the processing
5. To be forgotten

-In order to comply with the regulations all businesses must:

1. Carry out a data audit as follows:

• What personal data do we hold
• About whom
• Why do we have it
• What do we do with it
• Is it shared with others and if so are they GDPR compliant?
• How do we access the data?
• Do we need to keep it?

2. Identify the lawful basis for processing the data. If that is the legitimate business interest grounds you must carry out a privacy impact assessment to justify your reasoning that your legitimate interests for processing the data (for example marketing mailshots) is not outweighed by the risk of harm to the data subject (e.g. loss of data/invasion of privacy).
3. Prepare a privacy notice. Examples will be popping up in normal commercial situations very soon, but you must make sure that the privacy notice is relevant to your business. There are specific requirements: check on the Information Commissioner's office website ico.org.uk or your trade or professional body might be able to give guidance. If you are unsure, take legal advice.
4. Check that anyone you share personal data with is GDPR compliant - ask them to confirm this. You are jointly liable with them for any unlawful processing of personal data that you share with them.
5. Put a system in place to monitor data protection including policies if necessary (we can help you draft those) and keep it under review as you would any other asset or risk facts or affecting your business.

Jon Wilby has prepared more detailed briefing notes that are available on our website (www.bandhattonbutton.com/gdpr-updated-guidance/) and has delivered a seminar on GDPR compliance (if you would like a copy of the notes from that seminar please contact Sarah Jordan via SCJ@bandhattonbutton.com). To discuss any particular issues or concerns around GDPR compliance for your business please do not hesitate to contact Jon Wilby via JJW@bandhattonbutton.com or on 024 7649 3116.