Clock is ticking towards rollout of EU’s landscape-shifting data protection and privacy law.
Time and tide wait for no man. And nor does GDPR.
Business leaders take note: the countdown is almost over. On 25 May 2018 the much vaunted and much daunted General Data Protection Regulation (GDPR) will be rolled out across the European Union. It will shift the data protection and privacy landscape for any business that controls or processes personal data. In practice that means each and every business must get its data house in order.
We take a look at the main features of the EU’s brainchild and where an age-old business tool fits into it all: the business card.
So, what about business cards?
If at a networking event someone hands you their business card, it’s dangerous to assume they’ve given you their unqualified consent to process their personal data carte blanche. Equally, it’s probably not necessary to recite your privacy notice while they consume a mini pastry or sushi in a spoon. It is however reasonable for them to expect you to contact them – so you’ve probably got their consent, at least to make initial contact.
It may not be so simple to establish legitimate interest when it comes to making contact beyond that initial approach. The Information Commissioner’s Office has recommended a three-stage test for establishing legitimate interest before processing a data subject’s personal data:
- What is the purpose of the data processing?
- Is the data processing necessary to achieve that purpose?
- Do the data subject’s own interests override that legitimate interest?
We need to consider the likely intentions or expectations of the data subject when they hand over their business card. They probably expect to hear from you and may expect a follow-up email on the topics you discussed, but whether they want or expect to be added to your marketing database and receive promotional emails is another question entirely. It is prudent to seek specific consent for that purpose.
Ultimately, it is up to you as the data controller to consider whether the processing of personal data meets the criteria under GDPR.
Best practice when it comes to adhering to all aspects of GDPR is to give full and proper consideration to how you process personal data, and why. Your systems and policy for handling personal data cannot be too detailed or too thorough. It may be that an automated consent form is generated when any contact is added to your database. Alternatively your first email to that person could be tailored to ask them specifically to confirm their consent – but always give them the option to unsubscribe!
For more information on GDPR generally, keep reading.
What is GDPR?
GDPR replaces the outdated Data Protection Directive (introduced in the digitally simpler days of 1995). Unlike an EU directive, a regulation does not need to be written into national law by each government, so GDPR will be applicable in the United Kingdom (and across the EU) from day one.
GDPR is designed to tackle the challenges posed to data privacy that have evolved over the last two decades with the rise of increasingly complex and opaque data technology. It aims to give a greater degree of control to individuals over how their data is stored and processed. GDPR gives individuals (or “data subjects”) enhanced rights, such as the right to be informed about how their data is held, the right to restrict the processing of their data, or the right to be erased (or “forgotten”).
Above all however, GDPR introduces a new regime under which organisations are accountable for how they handle personal data. A key aspect of GDPR is the duty it places on businesses (and their data processors) to manage and monitor their own data management protocol in a fair and transparent manner.
It is no longer adequate to simply deal with data issues as they arise. In this new world order organisations must be able to demonstrate they have given proper consideration to how they will comply with the rules of GDPR. From 25 May 2018, every business should have a GDPR protocol in place – and if they don’t, the consequences could be very expensive.
Why does GDPR matter?
The GDPR regime has teeth.
The penalties for non-compliance with GDPR will be severe. A breach of the rules may result in a fine of up to €10 million or, if greater, 2% of a company’s global turnover. That penalty could be imposed for failing to promptly notify the supervisory authority (in the UK, the Information Commissioner’s Office) of a data breach, or for neglecting to keep adequate data processing records.
In the case of a serious breach, such as processing individuals’ data without their consent, offenders could face a fine of €20 million or, if greater, 4% of their global turnover.
Does GDPR affect my business?
GDPR is almost certain to affect your business, because personal data (whether it is that of a customer, an employee or a supplier) is so intrinsic to the way organisations conduct their business in the digital era, whether it is stored electronically or not.
GDPR applies to both “controllers” and “processors” of personal data. If your business is responsible for handling personal data on behalf of another organisation, it is likely to be a processor under GDPR. If your business is not a processor, the chances are it is a controller – meaning it determines the purpose, conditions and means of processing personal data. In some cases a business could be a controller and a processor.
However, whether your business is a controller, a processor or both, it must comply with GDPR and have a lawful basis for processing personal data. If you are a controller, you must have a GDPR-compliant contract in place with all of your processors. If you are a processor, you also ought to consider protecting yourself by having a contract in place, as processors may now be accountable directly to data subjects.
What is “personal data”?
Personal data is any information from which a natural person can be directly or indirectly identified.
In the case of a business card, the personal data is pretty apparent – the data subject’s name, email, phone number and address, and any other information on the card which can be used to identify the person. The data subject can be directly identified by his or her name, but details such as a job title also allow indirect identification.
In other cases the information which constitutes personal data may be less obvious, and could be anything from medical records to an IP address. As a rule, if a person can be identified from a piece of information, it is personal data as far as GDPR is concerned. Regulators will clearly interpret the definition of personal data broadly, so it would be prudent to have policies and procedures established to handle all forms of information.
How can we lawfully process personal data under GDPR?
GDPR sets out six bases upon which personal data can be lawfully processed:
- Consent from the data subject to use their personal data for a specific purpose
- A contract between the controller or processor and the data subject which makes the processing of their personal data necessary
- A legal obligation on the controller or processor which requires the personal data to be processed
- It is in the vital interest of a data subject for their personal data to be processed
- The processing of the personal data is necessary to perform a public task
- It is in your legitimate interest (or that of a third party) to process the personal data (but this will not override the interests of the data subject)
In everyday business, most people would expect to rely on consent or legitimate interests, but even then it’s best to tread carefully. Speak to a data protection and privacy expert to create a bespoke plan to ensure your business is GDPR compliant.
The content of this bulletin should not be construed as legal advice. If you do require legal advice, please contact a solicitor at Rosenblatt.