UNDERSTANDING GDPR AND HOW IT AFFECTS YOU & US

You will have heard something about the General Data Protection Regulation (GDPR) over the last few months, and you will probably know that the new legislation regarding data protection came into force from Friday 25 May 2018.

In this document, we will attempt to explain a little more about the general topic of data protection, what the changes will mean, and the impact on all of us. We will discuss some of the definitions within data protection, explain the principles underlying data protection legislation and some of the areas those principles have been strengthened under GDPR. We will finish with a reminder of what each of us should be doing to play our part under the new legislation.
There’s a lot to take in here, and it’s essential that everyone has a basic understanding of the law and the role they can play. This document does not need to be read all at once, but please do not ignore it.
So what’s it all about, and how will it affect what we do across the Tingdene companies?
Firstly, let’s deal with a few simple definitions.
Personal data is data which relates to a living individual who can be identified from that data or from other information held. It might include someone’s name and address, telephone or email contact details, date of birth and bank details. It might include CCTV images, website photos or voice recordings. A telephone number or email address in isolation will not be personal data if it is not attributable to an individual; however, an email recording someone’s opinion about a named individual will be personal data.
Sensitive personal data is personal data of a more sensitive nature, including information on racial or ethnic origin, political opinions, religious beliefs, health condition etc.
Personal data could be stored on a spreadsheet, an email, a database entry, someone’s notebook or diary, or a piece of paper on a desk. It could be a visual image or a sound recording.

A data controller decides why and how personal data is processed. A data processor processes the personal data. By processing, we mean collecting, using, analysing, sharing and disposing of data, all on behalf of the data subject, the individual whose data is being processed.
In our case, Tingdene are both data controller and data processor, dealing mainly with personal data, with very little sensitive personal data. Data we process can be both digital and paper-based. Personal data is collected and processed from customers, potential customers, suppliers and employees.
Up until May 2018, data protection law was governed by the Data Protection Act 1998.

The act set out certain principles in respect of the controlling and processing of personal data, as follows:
• processing should be fair and lawful – compliant with other laws and causing no unwarranted detrimental effects on people. Only do with people’s data what they would reasonably expect you to. In addition, be transparent – inform people what you are doing with their data
• processing should be for limited and specified purposes – be clear for what purpose you collect, hold and use people’s data, and don’t use it for other unrelated purposes
• data quality principles – adequate, relevant, not excessive: enough for what you need the data for, but no more. Accurate and up to date. Kept no longer than is necessary – have an appropriate retention policy in place, and stick to it
• data should be processed in line with data subjects’ rights
• data should be secure – there is a requirement to have appropriate technical and organisational measures in place to secure the data
GDPR has built on those principles and introduced others to strengthen data protection law. There is increased accountability on the part of data controllers and processors, new rights for individuals and a strengthening of existing rights, a new system for reporting personal data breaches, and higher penalties for non-compliance.
Privacy notice – this is an important and necessary way of being transparent and telling existing and potential customers what data we collect, what we do with that data and how long we keep it. Importantly, for all the different business processes which utilise personal data, our privacy notice details the lawful basis for processing. The privacy notice updated for GDPR is available to view on each of our company websites – it would be a good idea to familiarise yourselves with the content.

Individual rights - the main rights for individuals under the GDPR are:
• the ability to make a subject access request (SAR) – see below,
• to have inaccuracies corrected,
• to have information erased,
• to prevent direct marketing, and
• data portability
We may come across some, if not all, of these in our company business so we need to understand what our obligations are so we can properly deal with any requests received.
Let’s look at a few of these aspects in more detail and explain how they are impacting Tingdene.
SAR – this refers to the right of an individual data subject to request sight of all the personal data being held by a data controller/processor. The rules for dealing with SARs have changed under the GDPR. In most cases we will not be able to charge for complying with a request and normally we will have just one month to comply. Unfounded or excessive requests can be charged for or refused.

Consent – you will see from our privacy notice that the Tingdene policy is not to direct market to prospective customers without their consent. Where we process personal data on the basis of consent, we have had to review how we are seeking, obtaining and recording consent. As a result, we have been seeking consent from those people where we considered we did not already hold adequate consent, and we have been amending procedures and wording to ensure that going forward our processes for capturing new sales leads are GDPR compliant. Consent must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual’s agreement. It’s a high standard to maintain.
Data breaches – we are required to ensure we have the right procedures in place to detect, report and investigate a personal data breach, for example if we lose some personal data or disclose data to the wrong recipient. The GDPR has brought in a breach notification duty for all organisations to report to the Information Commissioner’s Office (ICO). Not all breaches will have to be notified to the ICO, only those where the individual is likely to suffer some form of damage, such as through identity theft or a breach of confidentiality. If we do need to report it, we have to do so within 72 hours of becoming aware of the breach, so it’s important that any breach is reported internally immediately.

Breaches can include the loss of a computer or mobile phone that contains personal data, access to data by an unauthorised third party, deliberate or accidental action (or inaction) by a controller or processor, sending personal data to an incorrect recipient, alteration of personal data without permission, or accidental deletion of personal data.
Overall, GDPR has required a review of the way we regard and treat personal data. We must get used to thinking about the lawful basis used to collect, store or use that data, even if we have already collected it.
The Group has a Data Protection Champion (“DPC”). Any comments, questions or concerns regarding data protection issues from within the Group that can’t be answered locally should be directed in writing to CFO@tingdene.net, or by calling our Head Office and asking to speak to the DPC.
As a general guide, and to get people thinking about data protection and data security within their own roles, here is a list of some of the do’s and don’ts to be followed:
• when you process (collect, use, analyse) personal data you must ensure that it is accurate, relevant and not excessive in relation to the purpose;
• if you are considering a new business process or project which may involve personal data, think about the data protection implications;
• consider the ways that you work and the processes you are part of – are there alternative and more secure ways in which we can collect, use or analyse personal data? For example, accessing standing data from the server is more secure than emailing information between colleagues;
• in most cases, Tingdene processes personal data in performance of a contract with that person or to meet a legal obligation (in the case of customers), or where we have obtained that person’s consent to process their data (in the case of prospective customers). In all other cases, if you are not sure why we are processing data or our lawful basis for doing so, then please ask;
• familiarise yourself with our privacy notices (on each company website) which explain more about why we use personal data and our lawful basis for processing;

• if you download personal data from the server to local storage (for example, your PC) to work on or share internally or externally, think about the data protection implications. It’s best practice to anonymise or encrypt (password-protect) the data, and when it is no longer required remember to permanently delete it from the personal drive;
• if you are working off-site or remotely, or transferring personal data to third parties, be vigilant – consider encrypting or password-protecting the document and send the password by a separate channel. Avoid working in public spaces where other people could view or overhear personal data, and avoid logging on to public Wi-Fi without initiating our VPN first;
• do not open email attachments from an unknown source. Bear in mind, too, that the majority of data breaches originate from an accidental insider rather than from malicious external attackers, so everyday care with personal data matters as much as guarding against outside attacks;
• do not disclose information (for example a reference) about an individual (for example an employee) to an external organisation without first checking that the individual consents to such disclosure, or that we can rely on another lawful basis for processing. Check our privacy notice or with the DPC;
• the use of the company network is strictly for company employees only – no access to the company network should be made available to anyone other than company employees;

• use a shredder to dispose of any unwanted documents containing personal data, whether or not you consider them to be confidential;
• notify the IT department to securely dispose of old computer equipment, hard drives, external storage devices etc.;
• where possible keep paper files locked away and your desk clear. Think about where you store personal data and who has access to it;
• always lock your computer when you are away from your desk. Do not give your user name or password to anyone;

• remember that anything you write about a person could be seen by them should they make a subject access request;
• report any data breaches to the DPC immediately, even where you think it’s not serious. The decision as to whether the breach is reportable sits with the DPC. Within Tingdene, only the DPC has the authority to communicate with the ICO. Hopefully breaches will be very rare, but they will happen. More often than not a breach will occur through human error, which is inevitable, so we want to encourage a culture of open communication in which employees feel comfortable about reporting breaches. The alternative is more serious: failing to notify a serious breach to the ICO before they learn of it from another source is a situation we would wish to avoid;
• given the various ways in which breaches might occur, think about how you yourself work, and how you might minimise the possibility of these events happening in the first place.
