Background to the GDPR
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, and it is fair to say that some SMEs are a little confused about what it means for them. What is certain is that it must be complied with: as an EU regulation it is directly applicable in every member state, without needing national implementing legislation, and it applies to any organisation that processes the personal data of individuals in the EU.
Whilst it is arguable that a well-run company with proper data protection procedures will have little to worry about, all organisations will need to review their data protection procedures to make sure that they can demonstrate compliance.
The GDPR sets out specific obligations and requirements for data controllers and data processors, and you will need to have processes in place to cover these obligations.
You can also no longer assume that sensitive (special category) personal data of any type can be held without the knowledge and specific agreement of the individual concerned, so explicit consent may need to be obtained. Everyone also now has the "Right to Be Forgotten" (the right to erasure), although this right is not absolute: there may be a legal requirement to retain certain records to meet your own compliance obligations, and where such an obligation exists the retained data does not have to be erased.
What do you need to do?
As a minimum, we would advise a thorough audit to identify what data you hold, where it is, who controls and processes it, and what controls you have over it.
You also need to identify which of the six lawful bases set out in the Regulation (Article 6) allows you to process such data. These bases are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
You will need to work out which of these is the appropriate lawful basis for each type of personal data you hold, and record that decision. Beware of relying on consent by default: it carries an administrative burden (consent must be freely given, specific, informed, recorded and as easy to withdraw as it was to give), and individuals can withdraw it at any time. That would leave you in a difficult position if it concerns data you want to keep but would then have to stop processing and delete.
You cannot ignore the GDPR. It may not require you to change much, but it is undoubtedly good practice to audit your current arrangements. There is no excuse for non-compliance.
We are trained in this area and are able to advise on the best and most cost-effective way to get to compliance.