The start-up's guide to the GDPR
You may have read about the General Data Protection Regulation (GDPR) and wondered whether it applies to you. This new piece of legislation comes into effect on 25 May 2018, replacing the EU Data Protection Directive to become the European Union's new data protection law. It is widely considered one of the most significant changes to data privacy law in recent years.
So how do you know whether the GDPR applies to you?
The GDPR will apply to you if your business does anything with data that relates to living people who can be identified from it. The GDPR applies to:
- Those who process personal data – the GDPR regulates processing by an individual, a company or an organisation of personal data relating to individuals in the EU. Micro, small and medium-sized enterprises (including start-ups) must comply with the GDPR.
- Those based outside the EU offering goods or services to EU data subjects or monitoring EU data subjects' behaviour – the GDPR applies even if your start-up is based outside the EU but provides goods or services (paid or free) to individuals in the EU, or monitors the behaviour of individuals in the EU (for example, by using web-tracking or analytics tools).
Under the GDPR, your business will be categorised as a 'data controller' and/or a 'data processor', depending on how it processes personal data.
There is no grace period after 25 May 2018 either, and fines can be severe. Failure to comply could mean a fine of up to 4% of total annual worldwide turnover or €20 million, whichever is higher.
If you think the GDPR applies to you, we have outlined some of the basic concepts to help you gain a broad understanding of this forthcoming regulation. It isn’t intended to be a comprehensive legal guide and we recommend you speak to an expert to ensure your start-up is compliant.
What is 'personal data'?
This is any information that relates to an identified or identifiable living individual. Different pieces of information, obtained from different sources, which when put together can lead to the identification of a particular person also constitute personal data. Examples of personal data are set out below:
- A name, surname and home address
- An identification card number
- Location data obtained through an app on a mobile phone
- An Internet Protocol (IP) address
Not all personal data is equal. Enhanced protection is provided to certain categories of personal data.
- Sensitive data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data processed for the purpose of uniquely identifying a person, health-related data and data concerning a person's sex life or sexual orientation are deemed to be sensitive (the GDPR calls them 'special categories') and can only be processed under specified circumstances.
- Children: children also merit specific protection because they may be less aware of the risks and consequences relating to the processing of their personal data. Where you rely on consent to offer online services directly to a child, your start-up can only process the child's personal data with the consent of the holder of parental responsibility until the child reaches a certain age. The age threshold for obtaining parental consent varies between 13 and 16 years, depending on the age set by each EU Member State.
Reasonable efforts must be made, taking available technology into consideration, to verify that consent has genuinely been given or authorised by the parent or guardian.
If you provide services to children, you must ensure that any information and communication addressed to a child is easily accessible and in clear and plain language that a child can easily understand.
What about marketing and your suppliers' data?
Before you acquire a contact list or a database of individuals' contact details from a supplier, the supplier must be able to demonstrate that the data was obtained in compliance with the GDPR and that it may be used for the specific activity you are acquiring it for. For example, if the supplier collected the data on the basis of consent, that consent should have covered passing the data on to other recipients for their own direct marketing or for the specific activity you are acquiring it for.
You must also ensure that the list or database is up to date and that you don't send communications to individuals who have objected to the processing of their personal data for the activity you are using it for.
Individuals have a right to object to such processing. You must also inform individuals, at the latest at the time of your first communication with them, that you have collected their personal data and that you will be processing it for the specific activity you are using it for.
Most start-ups' marketing is also regulated by the ePrivacy Directive, which you must comply with in addition to the GDPR.
What does processing mean?
The definition of processing is broad. Potentially, any action that can be performed on personal data constitutes processing: collecting, recording, storing, using and even deleting personal data are all processing. Examples of processing are set out below:
- Staff management and payroll administration
- Creating a contacts database containing personal data
- Sending marketing emails
- Posting a photo of a person on a website
- Video recording (including CCTV)
What's the controller, the processor and the data protection officer?
The GDPR introduces the concept of accountability. Not only is a controller responsible for complying with the principles relating to the processing of personal data, the controller must also be able to demonstrate that compliance.
Your start-up will be categorised as a 'data controller', a 'data processor', or both, depending on how you process personal data.
A data controller is the organisation that determines the purposes for which and the means by which personal data is processed. If it's your decision on why and how the personal data should be processed, then you are a 'data controller'.
In the UK, data controllers must register with the Information Commissioner's Office.
A data processor is the organisation that processes personal data on behalf of the controller. The data processor is usually a third party external to the company. A typical activity of processors is offering IT solutions such as cloud storage. Data processors must also comply with the GDPR. This is a significant change from the Data Protection Act 1998 (the current law in the UK) which applies to data controllers only.
The GDPR specifies that the duties of the processor towards the controller must be set out in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. The data processor may only sub-contract part of its task to another processor (a sub-processor) when it has received prior written authorisation from the data controller, which may be specific to that sub-processor or a general authorisation.
Depending on your circumstances (nature of business, type of data, quantity of data and risk), you may need to appoint a data protection officer. This is mandatory where, for example, your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data.
The GDPR – what are the principles for processing personal data?
- Personal data must be processed lawfully, fairly and in a transparent manner. It's an important principle because it sets the tone for your start-up's compliance with the GDPR
- There must be a specific purpose for processing the data and your organisation must specify that purpose to individuals when collecting their personal data. You should not collect personal data for undefined purposes or in a manner which is incompatible with the stated purpose
- Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is collected. You should not collect personal data that is not relevant for the purpose for which personal data is collected
- Personal data processed must be accurate and where necessary, kept up to date
- Personal data may not be stored for longer than is necessary for the purposes for which the personal data is processed/collected
- Personal data must be kept secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
How can you lawfully process personal data?
The GDPR sets out the circumstances under which you may process personal data. Grounds which are commonly relied upon are set out below. You may process personal data:
- With the consent of the individuals concerned (consent must be explicit where sensitive data is involved)
- Where processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one
- To meet a legal obligation
- Where your organisation’s legitimate interests may provide a legal basis for processing personal data. This is recognised as the most flexible basis for processing. It is likely to be most appropriate where you use someone's data in ways they would reasonably expect and which have a minimal privacy impact. You would need to assess the circumstances of the case and check that the rights of the individual aren't seriously impacted (e.g., the right to privacy)
What information should you provide for transparency?
Transparency requires individuals to be informed about the processing operations being carried out on their personal data. At the time of collecting personal data, people must be provided with the information below:
- Who your organisation is (your contact details, and if applicable, the contact details of your representative or data protection officer)
- Why your organisation will be using their personal data (purposes) and the legal justification for processing their data
- Who else might receive personal data and whether personal data will be transferred to a recipient outside the EU
- For how long the data will be kept
- The right of access to and rectification or erasure of personal data; a right to restrict processing or object to processing as well as the right to data portability
- The right to withdraw consent at any time (where processing is based on consent)
- The right to lodge a complaint with a supervisory authority (for example the Information Commissioner's Office)
- Where applicable, the existence of automated decision-making and profiling and the logic involved, including the consequences
The information may be provided in writing, verbally or by electronic means where appropriate. You must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
When data is obtained from another organisation (for example, when you buy third party lists for marketing purposes), you are still under a general requirement to provide information to the individual concerned.
What approach is best to take when planning?
Plan with risk in mind – the GDPR takes a risk-based approach. In other words, organisations processing personal data are expected to implement protective measures proportionate to the level of risk of their data processing activities. The obligations on a company processing a lot of data are therefore more onerous than on a company processing a small amount of data.
The nature of the personal data and the impact of the processing also play a role. Processing of a small amount of data, but which is of a sensitive nature, for example health data, would require implementing more stringent measures to comply with the GDPR.
What does 'data protection by design' mean?
The GDPR requires organisations to implement technical and organisational measures at the earliest stages of designing their processing operations so that privacy is safeguarded and the data protection principles are complied with right from the start. It also requires data protection 'by default': only the personal data necessary for each specific purpose should be processed.
Do you need a data protection impact assessment (DPIA)?
This is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:
- A systematic and extensive evaluation of the personal aspects of an individual based on automated processing, including profiling, on which decisions are based that significantly affect the individual
- Processing of sensitive data on a large scale
- Systematic monitoring of public areas on a large scale
The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise.
What should you do in the event of a data breach?
A data breach occurs when personal data for which your business is responsible suffers a security incident resulting in, for example, the loss, destruction, alteration or unauthorised disclosure of that data. If that happens, unless the breach is unlikely to result in a risk to individuals' rights and freedoms, you must notify the supervisory authority without undue delay, and at the latest within 72 hours of becoming aware of the breach. If your business is a data processor, it must notify the data controller of every data breach without undue delay.
If the data breach poses a high risk to the individuals affected, they must also be informed, unless effective technical and organisational protection measures were in place (for example, the data was encrypted so that it is unintelligible to anyone not authorised to access it), or other measures have since been taken which ensure that the risk is no longer likely to materialise.
If you want to know more about the GDPR or have any other questions around data privacy, please get in touch with Trowers' start-up team. We have also produced a series of fact sheets to help start-ups, available through our online resources.