The commercial team at BPE is supporting clients preparing for the General Data Protection Regulation (GDPR), but is worried by the number of self-proclaimed experts positioning themselves as consultants in this complex subject. In this post, Solicitor Doris Woo details the actual facts of the matter, mythbusting the uncertainty around the new legislation that will replace the Data Protection Act.
I decided to write this article to tackle head-on some of the howlers my colleagues and I have heard from GDPR factsheets, webinars and the occasional sales call from so-called GDPR experts trying to sell us consultancy services (the irony of this is not lost on us). I will also provide relevant links to parts of our “Brilliantly Simple Guide to the GDPR” series, where you can read in more detail about the topic in question.
Myth 1: GDPR only applies to businesses that have a turnover of £x, or employ more than x people.
We hear this a lot, whereas in fact the GDPR has no turnover or headcount threshold: it applies to any organisation that processes personal data about individuals in the EU, and the test is where those individuals are, not their citizenship. When the UK leaves the EU, UK businesses will still be subject to the GDPR, as its provisions will be carried into UK law, and the new Data Protection Bill will repeal and replace the current Data Protection Act (DPA).
Read more about the new Data Protection Bill HERE.
Myth 2: If personal data is available in the public domain, the GDPR doesn’t apply to it.
Any information a business holds that identifies an individual is covered; there are no loopholes or exceptions for B2B purposes under either the DPA or the GDPR. If an individual provides information to a company and that results in the information being publicly listed, it does not follow that a second, unrelated company can use it. The permission given to the first company to use a person’s data is not transferred to a third party simply because they found the information.
Regardless of how the information is being used, businesses must process any personal data in accordance with the data protection principles and on one of the six prescribed lawful grounds. Those lawful grounds, including consent, are described HERE.
Additionally, the Privacy and Electronic Communications Regulations (PECR) are very clear that if you want to send direct email or text marketing to individuals, you must hold their consent in advance, regardless of how accessible their contact information is. The only exception is the narrow “soft opt-in” for your own existing customers who were given the chance to opt out when their details were collected, and note that the consent rule protects individual subscribers (which includes sole traders) rather than corporate ones.
Myth 3: There are no changes to the definition of “sensitive personal data” under the GDPR
This is another untruth. The GDPR adds three distinct categories to the list of what is classed as sensitive: genetic data and biometric data (where the biometric data is processed to uniquely identify someone), sexual orientation (in addition to sex life), and philosophical beliefs (in addition to religious beliefs).
Personal data that relates to criminal convictions and offences now has its own classification, reflecting the more stringent processing requirements that such data is subject to.
In addition to the changes in classification, additional lawful grounds for processing sensitive personal data have been introduced, and any consent relied on to process sensitive personal data must be explicit. Read more about the definitions of sensitive data HERE.
Myth 4: It is only mandatory to appoint a data protection officer (DPO) if your company has more than 250 people
Headcount is not the test. Under Article 37 a DPO is mandatory, whatever the size of the organisation, if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of sensitive personal data or data about criminal convictions and offences. Outside those cases it is arguably still best practice to consider appointing someone to carry out DPO functions. Whoever takes the role must hold sufficient knowledge of the GDPR and be able to carry out the DPO’s responsibilities independently of any other duties they perform for their employer; a DPO is also responsible for the specific tasks set out in Article 39 (read more HERE).
The reference to the size of the organisation (250 employees) is often confused with the statutory obligation for organisations with 250 or more employees to keep records of their processing activities. But these record-keeping requirements also apply to organisations of any size whose processing is more than occasional, includes sensitive personal data or data about an individual’s criminal convictions and offences, or is likely to result in a risk to those individuals’ rights and freedoms.
So depending on your organisation’s activities, and the volume and regularity of sensitive personal data it handles, formally appointing a DPO could still be mandatory for a company with fewer than 250 employees.
Myth 5: Data protection impact assessments (DPIA) are optional
DPIAs are required whenever a type of processing is likely to result in a high risk to individuals’ rights and freedoms, and the GDPR names several situations in which that is deemed to be the case.
The following list is not exhaustive, and there could be other conditions that would require the completion of a DPIA, but one will be required if:
- You carry out a systematic and extensive evaluation of individuals based on automated processing, including profiling, and take decisions that have legal or similarly significant effects on them (the GDPR also singles out processing that uses new technologies as likely to need an assessment)
- You process large volumes of sensitive personal data or data which relates to criminal convictions or offences, or you carry out large-scale systematic monitoring of publicly accessible areas
The GDPR also requires each supervisory authority (the ICO in the UK) to publish a list of processing operations that require a DPIA, but this has been removed from the draft version of the Data Protection Bill.
With the clock ticking down to 25 May 2018, there is still time to get your house in order and make all necessary preparations for the change from the DPA to the GDPR. The BPE team has worked with a lot of clients already, carrying out data audits, checking systems and processes and advising on the necessary steps to be taken to comply when the regulation applies.
A full list of the services BPE’s GDPR team can provide for your business is available HERE.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.