Make sure you’ve had the right GDPR advice

The GDPR regulations have been in force for one month now and it’s great to see so many organisations large and small taking on board the message that individuals personal information is a privilege to process and not a right. But for every exceptional measure we’re also seen some poorly put together privacy policies that fail to pass GDPR standards, either using inappropriate lawful bases, not declaring the use of their party processors, not notifying individuals of personal information obtained not directly from them, or just outright misuse of personal information.

Consent

Consent is one of the lawful bases an organisation can use to process your information, but it’s not the only lawful bases and it’s not appropriate for all purposes.

However, we’ve seen quite a few uses of Legitimate Interest, another lawful basis for processing information, where it’s quite obvious that the interests of the organisation are not in line with the interest of the individual, and the individual would not expect their information to be used in the way that it is being used.

Lawful Bases Of Processing

We don’t handle any personal information

Some organisations have suggested that they don’t process personal information. While that’s a possibility it’s very unlikely. If you have an employee then you are handling their personal information, if you have a client who’s a sole trader their ‘business’ information is by default personally identifiable information.

It’s very likely that you do actually process personally identifiable information, even if it’s not visible in the day-to-day running of your organisation, and as such you should make sure you comply with the GDPR.

We don’t do email marketing

A common misconception is that the GDPR was only concerned with marketing, it isn’t. The GDPR replaced the Data Protection Act (and will be replaced by the Data Protection Act 2018) and relates to the processing of personal information.

Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
GDPR Article 4 Definitions For the purposes of this Regulation

GDPR doesn’t apply to us

If you process any personally identifiable information on an EU citizen then then you do need to comply with the GDPR.

We’ve heard arguments that because an organisation doesn’t directly collect the information, or is only processing information on behalf of another organisation or entity, that they don’t need to worry about the GDPR. This simply is not the case. The GDPR states that both Data Controllers and Data Processors need to be GDPR complaint.

Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
GDPR

We don’t know who our data processors are

This sounds like a simple argument to tackle, and in essence it is, but there may be more data processors working on your behalf than you think.

You should audit all your personally identifiable information, where and how it comes in, what happens to it and where it goes, this should help you identify all the processors you are using.

Auditing your information, and documenting it as you go, is a great way to adhere to several key GDPR principles, such as the ability to be transparent with your processing, the ability to quickly respond to a Data Subject Request and the ability to apply data minimisation (only keeping the minimum amount of information to achieve the processing required)

Some common ones that we have seen people miss include:

  • Accountants
  • Payroll
  • Insurance
  • Cloud-based databases (CRM for instance)
  • Mobile phone
  • Pensions

Our data processors have not replied

As a data controller it is your responsibility under the GDPR to make sure the processors you choose to use are compliant. If you are having trouble getting information from one of your processors, you need to consider moving to a different processor. A processor who is not taking their responsibility to securely manage the information on your behalf is exposing themselves and you to possible fines for breach of GDPR.

Special category information

Information that the GDPR calls ‘special category’ information is information that has additional levels of protection around, it’s considered particularly sensitive and if you have a need to process it you must adhere to the extra levels of protection built into the GDPR.

Before you start looking at the additional levels of protection, check that you absolutely need to process the special category information. If it’s surplus information then as part of the data minimisation process you should remove and delete this sensitive data.

What is Special Category Information

Responding to Subject Access Requests

Sooner or later your organisation is going to receive a Subject Access Request (SAR) depending on the size of your organisation, the amount of exposure to the public and the types of information being processed.

There’s a good chance that some enterprising individuals will start offering a data finding service sending off hundreds of SARs on behalf of individuals, these types of blanket SARs could pose a significant admin impact of smaller organisations.

Your organisation needs to have procedures in place to be able to process these SARs, the GDPR states that unless certain circumstances are met, you need to process the SASs within one month and you’re not allowed to charge for this service.

ICO Advice on SARs (Your Data Matters)

Reporting an organisation

If an organisation is processing information in a non-compliant way, they can be reported to the ICO as being in breach if the GDPR. However, in most instances we would recommend that individuals first contact the organisation and try to resolve the situation directly, such as asking the organisation to erase the information or cease processing it, however if the organisation is in breach of the GDPR there’s a good chance they won’t respond to an SAR.

The ICO Reporting website

Share
Leave a Comment