General Data Protection Regulation (GDPR)

Q&As for SMEs

Q1       What is data protection?

Data protection laws apply to information about living, identifiable people. These can be employees, workers, contractors, job applicants, customers and third-party providers. The law protects individuals from the misuse and abuse of information held on them.

Q2       What is the General Data Protection Regulation (GDPR)?

The new regulation is European Union (EU) legislation and aims to provide a modern and harmonised approach to data protection for the whole of the EU (including the UK).

Q3       Does GDPR apply to the UK even if we are planning to leave the EU?

Yes, despite Brexit, the UK government has committed to implementing GDPR. A new Data Protection Bill for the UK has now been published to implement GDPR.

Q4       When does GDPR come into force in the UK?

GDPR was implemented on 25 May 2018.

Q5       Does the Data Protection Act 1998 still apply?

No, the Data Protection Act (DPA) 1998 no longer applies, although the principles of data protection under GDPR are broadly similar.

Q6       Who enforces the GDPR in the UK?

The legal requirements of GDPR and the UK Data Protection Bill will be enforced by the ICO (Information Commissioner's Office).

Q7       Why GDPR?

The new rules are needed to meet the needs of the digital age, change attitudes towards data privacy and provide individuals with greater transparency about the Personal Data that is processed about them.

Q8       What's Changed?

  • increased sanctions for employers if they breach the GDPR - you may be fined up to €20m or 4% of global annual turnover (whichever is higher)
  • increased scope - GDPR applies to all businesses processing personal data regardless of size and location
  • revised data protection principles for personal data processing and accountability (6 instead of 8)
  • increased transparency - you must have a lawful basis for processing each category of Personal Data and this must be included in your privacy notice
  • more emphasis on the documentation that you must keep to ensure you stay compliant. You must maintain records on how you collect, use, retain and share Personal Data
  • individuals will have more control over their personal data with increased rights to access, amend, restrict, object to and delete their Personal Data. There is a new right 'to be forgotten'
  • requests to access, amend, restrict, object to or delete data must normally be dealt with within one month of the request being received
  • obtaining valid consent to processing Personal Data will be much stricter and requires a positive 'opt in'
  • definitions of personal and sensitive data have been expanded and sensitive Personal Data is now called 'Special Category Data'
  • Personal Data relating to criminal convictions or offences is a separate category of Personal Data, although it is treated in a similar way to special category data
  • data privacy needs to be built into day-to-day operations and processes
  • blanket data protection wording in a contract of employment is no longer permissible
  • increased requirements for breach reporting - breaches must be investigated and reported to the ICO within 72 hours if you think there is a risk to the rights and freedoms of individuals

Q9       Are the GDPR data protection principles the same as they were under the DPA 1998?

No, they are not exactly the same. The GDPR's data protection principles are similar to those under the DPA, except that there are 6 instead of 8 principles (see Q10 below).

Q10     What are the GDPR data protection principles?

You must be able to demonstrate that any Personal Data you handle is:

  1. processed lawfully, fairly and transparently
  2. collected for specified, explicit and legitimate purposes
  3. adequate, relevant and limited to what is necessary
  4. accurate and kept up to date where necessary
  5. kept for no longer than is necessary where data subjects are identifiable
  6. processed securely and protected against accidental loss, destruction or damage

Q11     Who does GDPR affect?

GDPR applies to:

  • Data Controllers - i.e. you as an employer
  • Data Processors - responsible for processing Personal Data on behalf of the controller (e.g. HR)
  • Data Subjects - individuals whose Personal Data is processed

Q12     Who are data subjects?

Data subjects are anyone you process Personal Data about - customers, clients, employees, workers, job applicants. This includes individuals who access your website, social media and any other online communication and information channels.

Q13     What is Personal Data?

Personal Data is any information relating to a living individual who is, or can be, identified by that information, either directly or in combination with other information. Such information is called an 'identifier'. Examples of an identifier are a name, an identification number, location or online data, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Q14     What is a Lawful Basis for Processing Personal Data?

By law you can only use and share individuals' Personal Data if you have a proper reason to do so. This is called the 'lawful basis'.

GDPR provides 6 available reasons for processing Personal Data:

  1. consent
  2. to comply with a legal obligation
  3. to fulfil a contractual obligation
  4. for legitimate interests
  5. for vital interests - to protect the individual's or another person's interests, e.g. a medical emergency
  6. to carry out a task in the public interest

Q15     How do I identify my lawful basis for processing Personal Data?

You need to carry out an information audit to identify what Personal Data you hold and on whom, and to determine what your lawful reason is for collecting, processing and sharing this Personal Data. An information audit template can be provided.

Q16     How do I show I have a lawful basis for processing Personal Data?

You need to identify what your lawful basis (reason) is for processing each type of Personal Data, document it and include this information in your Privacy Notices. Template Privacy Notices can be provided.

The audit template that you complete can be used to feed into the formal documentation of your Personal Data processing activities.

Q17     How do I get consent from individuals if that is the lawful basis for processing?

Under GDPR, if you need to get an individual's consent to process their Personal Data, you need to show that the individual gave their consent independently and freely and that it is for a specific purpose. A blanket consent paragraph in a contract of employment or a standard form is no longer acceptable.

Consent requests must be kept separate from other terms and conditions, and you must keep a record of the consent.

Q18     What is Special Category Data?

The GDPR refers to sensitive Personal Data as 'Special Category Personal Data'. It includes information about:

  • racial or ethnic origin
  • political opinions
  • religious or similar beliefs
  • trade union membership
  • physical or mental health
  • sex life and sexual orientation
  • genetic and biometric data (this is new!)

Q19     Do I treat Special Category Data differently to Personal Data?

Yes. To legally process Special Category Data you must have both a lawful basis for processing the data (see Q14) AND a separate condition for processing the special category data.

You need to document both the lawful basis for processing the data and the separate condition (see also Q15 & Q26).

Q20     Is Personal Data about criminal convictions or offences special category data?

No, but it is treated in a similar way to special category Personal Data - you must have a lawful basis for processing and a condition for processing.

Q21     What is a Subject Access Request (SAR)?

This is the way that individuals (data subjects) request access to their Personal Data.

This is not new, as it has been in place under the DPA. However, the rules and penalties have changed under GDPR:

  • The current £10 fee will disappear, although there is some discretion to charge a reasonable fee in limited circumstances, e.g. excessive or repeat requests.
  • You must respond to a SAR within one month (under the DPA this is 40 days).
  • Responses can be extended to three months for particularly complex requests.
  • The data must be provided in a structured, commonly used and machine-readable format.

Q22     How long do I have to respond to a SAR?

You must respond to a SAR within one month (under the DPA this is 40 days). Responses can be extended to three months for particularly complex requests.

Q23     What rights do individuals have to their Personal Data?

GDPR expands the rights of individuals and gives them more control over their Personal Data. Under GDPR individuals have the following rights:

  • the right to be informed about the processing of their Personal Data
  • the right of access
  • the right to rectification
  • the right to be forgotten (i.e. to have their Personal Data deleted)
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision-making and profiling

Individuals also have the right to make a complaint.

Q24     What is a privacy notice/privacy policy?

A privacy notice or policy tells people how you collect, use, store and share the Personal Data that they provide to you in person, online or on social media, by email, text, phone, in writing or via any other communication channels you use.

Q25     What information should be included in a privacy notice/privacy policy?

Under GDPR your privacy notice/policy must confirm the name of the company, that you are registered with the Information Commissioner's Office (ICO) and that any personal information collected will be used and held in accordance with the requirements of the EU General Data Protection Regulation (GDPR).

You will also need to confirm your lawful basis for processing each category of data:

  • to fulfil a contract
  • a legal duty
  • a legitimate interest
  • consent
  • a vital interest
  • a task of public interest

The notice must also set out:

  • your legitimate interests for processing personal data, if this is the lawful basis
  • how you collect, use, store and share Personal Data
  • whether you use automated decision-making, including profiling
  • individuals' rights
  • that individuals have a right to complain to the ICO
  • how you deal with complaints and breaches

The GDPR requires this information to be easy to understand and in clear language.

Q26     What documentation do I need to keep?

Under GDPR it is a legal requirement to document your Personal Data processing activities. You must have up-to-date written records showing:

  • the name and contact details of your company and, if applicable, your Data Protection Officer
  • the purpose for processing
  • a description of whose data you are processing (the category of individual, e.g. an employee)
  • a description of what Personal Data you are processing (the category of Personal Data, e.g. bank details)
  • any conditions for special category data and criminal offence data
  • the lawful basis for processing each type of Personal Data (i.e. the reason)
  • how the Personal Data is collected, used, stored and accessed
  • who you share the Personal Data with (the recipient)
  • records of consent
  • any transfer of data to other countries
  • how long you keep the Personal Data (retention)
  • any kind of monitoring you do on individuals
  • any Data Protection Impact Assessment reports
  • details of any breaches

These records can be held electronically as well as manually.

Q27     How long do I need to keep HR records?

Data should only be kept for as long as is necessary to fulfil the purpose identified, or as required by law. Statutory and recommended HR record retention periods can be provided.

Q28     How can I safely share and transfer Personal Data to third parties?

If you use third parties, e.g. payroll or recruitment providers to process employee data, tax reporting to HMRC, or credit and debit card companies to process customer payments, you will need to make sure that the third party is GDPR compliant. Under GDPR written contracts are now a requirement. They need to include the type of Personal Data being processed, the category of data subject (e.g. employee), for what reason and for how long.

Q29     What information needs to be included in a third-party contract?

The terms of the contract will need to include that the processor must only act on the instruction of you as the controller, that people processing the data treat it confidentially, and that the third party has data security measures in place to protect the data.

Q30     Can I transfer Personal Data overseas?

International transfers of Personal Data are more complex. The GDPR rules on transferring Personal Data across borders are similar to those under the DPA, although Brexit may have an impact further down the line. If you are transferring Personal Data outside of the EEA, you need to tell people why you are doing this and ensure that there are adequate safeguards in place to protect individuals' Personal Data.

Q31     Do I need to have a Data Protection Officer (DPO)?

Any company can appoint a DPO, but under the GDPR you only need to appoint a DPO if you are a public authority or you carry out large-scale systematic monitoring of individuals.

Q32     What do I need to do to ensure data security is compliant with GDPR?

Under the GDPR, the level of your data security needs to be appropriate to the risk involved in processing that data within your business. The size of the company, how it operates, the volume and nature of Personal Data processed and the potential harm that could result from a security breach need to be considered.

You will need to have a clear policy for dealing with security incidents, e.g. an information security policy; maintain up-to-date security systems, e.g. firewalls and encryption; and carry out risk assessments on data systems.

Q33     What happens if a Personal Data breach occurs?

Under the GDPR, breach reporting is changing. You must report data breaches to the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals, e.g. if it could result in discrimination, damage to reputation, financial loss, or loss of confidentiality. Examples are the loss of a USB stick, data being destroyed or sent to the wrong person, theft, or a laptop being hacked.

You will need to put procedures in place to detect, report and investigate a Personal Data breach. A template can be provided. To report a breach you can call the ICO helpline on 0303 123 1113.

Q34     What happens if I don't comply with the GDPR?

If you fail to comply with the new law, the cost to your business could be high. Not just in terms of direct financial costs through fines (now up to 20 million Euros!) but also the potential costs associated with court cases and reputational damage. Enforcement of the new rules rests with the ICO (Information Commissioner's Office).

Q35     What action do I need to take to ensure GDPR compliance?

  • make people aware of what's changed so that everyone understands their responsibilities - create a communications plan to include an initial briefing followed by regular updates
  • create a project plan with timescales - who is doing what by when
  • carry out an information audit to identify what personal and special category data you hold on employees, workers, applicants, contractors and customers
  • document how Personal Data is collected, where it is stored, accessed and used, the lawful basis for processing it and who you share it with. Document where consent is required and how you will obtain this
  • using the audit as a basis, create a written record of your Personal Data processing activities
  • review and update your current privacy notice/privacy policy, data protection and IT security policies to comply with the new GDPR requirements. If you don't have any of these, create new policies to be compliant and communicate the new data protection requirements
  • amend any other policies and processes to ensure they cover any applicable changes (e.g. recruitment, disciplinary, grievance, absence management) and amend or create other documentation that needs to be updated, e.g. forms
  • update your contracts of employment to ensure compliance with the new GDPR requirements
  • communicate the changes and implement the new and amended policies
  • reinforce the changes through specific training (and keep attendance records)