Our latest Women in Packaging (WIP) event, held at the Doubletree by Hilton Leeds City Centre hotel gave those who attended the chance to enjoy a GDPR overview with the stunning Leeds city skyline as a backdrop. And if that doesn’t sound cosmopolitan enough, attendees took part in one-to-one cocktail making sessions to ensure that the information on offer was all the more palatable.
We needn’t have worried, however: guest speaker and intellectual property law specialist Sara Ludlam treated WIP delegates to a concise and industry-relevant overview. We can assure you there were no glazed eyes scanning the cityscape as Sara delivered her presentation on the 8 data protection principles and on ‘what’s new and what’s not’. Far from it. Many questions were asked by our WIP members on the night.
In case you missed it, Sara has very kindly sent over her overview, which we’ve posted below. Quick tip: scroll to the bottom for a handy 12-point GDPR to-do list! We think Sara’s done a great job of simplifying this complex subject matter. If after reading this you have more questions about how GDPR will affect your business, you can contact Sara, a partner at 3volution, direct.
Or contact us to find out more about the Women in Packaging initiative.
GDPR OVERVIEW FOR WOMEN IN PACKAGING EFFECTIVE 25 MAY 2018
THE 8 PRINCIPLES – THESE DO NOT CHANGE
The 8 data protection principles:
1. Personal Data (“PD”) must be processed fairly and lawfully.
2. Personal Data must be obtained only for specified and lawful purposes, and not further processed in any manner incompatible with those purposes.
3. Personal Data which you choose to process must be adequate, relevant and not excessive.
4. Personal Data must be accurate and up to date.
5. Personal Data must not be kept longer than necessary.
6. Personal Data must be processed in accordance with the rights of data subjects.
7. Measures must be taken against unauthorised or unlawful processing of Personal Data.
8. There must be adequate protection for Personal Data transferred outside the EEA.
WHAT ELSE IS NOT NEW?
• The need to have in place appropriate legal safeguards if you want to send PD outside the EEA: use the EU Commission 2010 Model Clauses; or rely on the EU-US Privacy Shield if the recipient is certified under it; or use Binding Corporate Rules if the transfer is going to a group company.
• The need to have a lawful basis on which to process PD: why do you have the PD and what is the lawful basis?
o you have a contract with the individual (or are taking steps at their request before entering into one); or
o you are required by UK or EU law to process the PD for a particular purpose (eg HMRC requirements); or
o it is necessary to protect someone’s life (vital interests); or
o you need to process PD to carry out your official function or a task in the public interest and you have a legal basis for processing the PD under UK law; or
o legitimate interests: you can process PD without consent if you have a genuine and legitimate reason (including commercial benefit) UNLESS this is outweighed by the harm to the individual’s rights and interests. Document this balancing test.
If none of the above apply then you need EXPRESS CONSENT, which must be recorded and be specific to each form of processing you carry out. The requirement that consent is effectively express is new. (The GDPR does not use the word “express”, but it defines consent as a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which s/he, by a statement or clear affirmative action, signifies agreement to each type of processing of PD relating to him or her. Pre-ticked boxes, silence or inactivity do not count, so in practice consent must be express.)
WHAT IS NEW?
• Data processors have liability as well as data controllers
• The ICO’s right to audit
• Response times for breaches
• Implied consent for marketing uses of PD is no longer acceptable
• The information you have to give data subjects when you receive their PD
• Accountability / transparency: you need to keep records to demonstrate that you know what PD you hold, why, who has access to it, for what purpose, how secure it is, and when it will be returned or destroyed
“Personal Data” has always been information relating to an identified or identifiable natural person (“Data Subject”), but the definition now expressly includes online identifiers such as device identifiers, cookie IDs and IP addresses.
“Sensitive Personal Data” (the Data Protection Act 1998 term) / “Special categories” of data (the GDPR term) means information relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, and sex life.
Under the GDPR the special categories have been extended to include sexual orientation, genetic data and biometric data (where it is used to identify someone). Criminal record data, information relating to criminal offences and information relating to any proceedings or sentences of any court is no longer a special category as such, but is subject to its own, similarly strict, restrictions (Article 10 GDPR).
• Where PD is processed for direct marketing purposes, the right to object must be explicitly brought to the Data Subject’s attention, at the latest at the time of the first communication.
• Data Processors are now liable in addition to Data Controllers.
• Accountability / transparency: you need to be seen to be complying with the GDPR and must be able to demonstrate that compliance. The compliance programme you put in place must be appropriate and proportionate, be evidenced in writing and be regularly reviewed.
• You need to have written agreements in place with any third party from whom you receive PD or to whom you give it. Where the third party is a data processor acting on your behalf, Article 28 GDPR sets out the minimum terms the contract must contain (including that the processor acts only on your documented instructions, keeps the PD secure, assists you with breaches and data subject requests, and deletes or returns the PD at the end of the contract). Include the right to audit.
• Obligations following a Data Breach have changed. A “data breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, PD transmitted, stored or otherwise processed.
If a data controller identifies a Data Breach it must report it to the ICO without undue delay, and in any event within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (eg discrimination, damage to reputation, financial loss etc). If the report is made later than 72 hours it must be accompanied by the reasons for the delay. A data controller must also tell affected Data Subjects without undue delay if the breach is likely to result in a high risk to them, unless:
o appropriate technical and organisational protection measures had been applied to the PD concerned (eg encryption that renders it unintelligible to anyone not authorised to access it); or
o the controller has since taken measures which mean the high risk is no longer likely to materialise; or
o individual notification would involve disproportionate effort, in which case a public communication or similar measure must be used instead.
Whether or not a breach is reportable, every breach must be recorded internally (the facts, its effects and the remedial action taken).
In addition, a Data Processor has an obligation to notify the Data Controller of all breaches without undue delay.
• Individual rights and the subject access request procedure have changed. The deadline for supplying information in response to a subject access request has gone from 40 days to 1 month (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month), and you can no longer charge a fee for access, except where a request is manifestly unfounded or excessive. Failure to comply with a subject access request, or to have a subject access request process in place, could incur a top level ICO fine (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
• The information to be supplied to individuals by a data controller when it collects their PD has changed. You need to supply:
o the identity and contact details of the data controller (and of the DPO, if applicable);
o the purpose of the processing and its lawful basis (and, where you rely on legitimate interests, what those interests are);
o the third party recipients of the PD, if any;
o any transfers outside the EEA and, if so, the safeguards in place;
o the retention period, or the criteria used to determine it;
o the right to withdraw consent at any time (where consent is the lawful basis);
o the right to lodge a complaint with the Supervisory Authority (the ICO in the UK);
o the existence of any automated decision making, including profiling, with information on how decisions are made and their significance and consequences; and
o the existence of the individual rights listed below.
• The GDPR provides the following rights for individuals (the right to data portability is entirely new; several of the others, notably erasure and restriction of processing, are substantially expanded):
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure (to be forgotten)
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing
8. Rights in relation to automated decision making and profiling
The information you supply about the processing of PD must be: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.
• Withdrawing consent (eg “unsubscribing”) must be as easy as giving it. A data subject needs to know that these rights exist (the right to be informed), and it is the Data Controller who is responsible for ensuring that s/he does know and for managing the PD accordingly.
• Transferring data outside of the EEA: you need to ensure adequacy in the destination country. Most countries are not covered by an EU Commission adequacy decision (the exceptions include the Isle of Man, Jersey, Guernsey, Switzerland, New Zealand, Canada (commercial organisations) and a handful of others, plus US organisations certified under Privacy Shield). Otherwise consider using the EU Commission “Model Clauses”, and incorporate this obligation into your agreements with data processors and sub-processors.
TO DO LIST
1. Identify what PD is being processed within your business and assess the risk to data subjects in the event of a breach of security or of the regulations. Document this assessment.
2. Identify whether you are the data controller or the data processor in relation to each type of PD. (For employee information you will be the DC.)
3. Identify who has access to PD and why.
4. Control and where possible limit access: physical and technical controls should be in place.
5. Delete and/or anonymise and/or pseudonymise PD where possible.
6. Check how consents were obtained when PD is acquired (and you have to rely on consent for processing) and keep records.
7. Check “unsubscribe” options are available and that individuals (and you) can easily effect changes to their data.
8. Identify all third parties to whom you are transferring PD (eg payroll, credit check companies, hosted data centres, couriers, other associated businesses, etc.) and make sure you have a written agreement in place making it clear what obligations they have and what rights you have.
9. Check employee confidentiality and data protection obligations and update and train as necessary.
10. Consider whether you need to appoint a DPO. (A DPO is mandatory only if you are a public authority, or your core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data; otherwise it is optional, but record how you reached your decision.)
11. Check your staff and data processors know the procedure for dealing with a PD breach.
12. Diarise regular reviews of your PD processing.
GDPR Overview ©3volution 2018