With just over two months to go until the General Data Protection Regulation (GDPR) takes legal effect, there are still a wide variety of opinions and questions circulating. Look it up on Google and there are over 7,000,000 results. The maximum fine for infringing GDPR is 20,000,000 euros or 4% of total worldwide annual turnover: whichever is higher. But the most important number is this: over 500,000,000 Europeans will enjoy new rights and protections under GDPR. And that’s what GDPR is really all about: taking care of people.
The Information Commissioner, Elizabeth Denham, makes this point very well when she says:
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines but thinking that GDPR is about crippling financial punishment misses the point… it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
We have been living through a technological revolution over the last few decades: the internet has transformed our world and devices have taken on increasing significance. Our personal data is the fuel that is powering this change. GDPR is simply ensuring that we retain ultimate control over our personal data and that anyone who is using it is doing so legally and transparently, while always keeping our personal data safe and protected.
Is it really a question of consent?
Any conversation about GDPR will quickly turn to consent. Some people are worried that without consent, they cannot process personal data. In some cases, that is true, but in many cases, it is not. Once again, Elizabeth Denham explains:
“Consent is one way to comply with the GDPR, but it’s not the only way. Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR. Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.”
Without consent, there are still lawful grounds for processing personal data and we believe that the vast majority of our clients can use one of these:
- If processing is necessary to fulfil a legal obligation, consent is not required
- If processing is in the public interest or being done as part of the duties of a public body, then consent is not needed
- If there is a demonstrable legitimate interest that requires processing of personal data, there is no need for consent
However, there are special categories of personal data that require further thought and careful attention before processing, because they reveal sensitive personal information about an individual’s race or ethnicity; sexual orientation; political, philosophical or religious beliefs; health, etc. Explicit consent provides a lawful basis to process special category data but there are numerous other grounds too.
Under GDPR, people will continue to have the right to access any personal data you may be processing about them. They will also have other rights:
- The right to be fully informed about why it is being processed and who else it is being shared with, and the right to rectify incorrect personal data.
- The right (in certain circumstances) to be forgotten or the right to restrict (or object to) processing of their personal data.
And finally, if they have given consent, they will have the right to withdraw it as easily as it was given.
Be ready for 25th May
Research published recently by the Federation of Small Businesses showed that a third (33%) of small businesses have not started preparing for the introduction of GDPR. We are urging our clients in all sectors to be ready for people who may invoke their new rights. That means identifying and documenting your lawful basis for processing personal data and, if applicable, the additional lawful basis for processing special category data. You should also review your policies, especially your privacy notice, and procedures. The ICO provides good guidance in its ‘12 Steps to Take Now’ document.
Of course, at ERS we have been working to ready ourselves. Data protection has been at the heart of Electoral Reform Services (ERS) since we administered our first ballot over 100 years ago. So, there is a long and well-established commitment to protecting data at ERS. We have a Data Protection Officer supported by a team and we have had ISO 27001 accreditation (the international standard in data protection) since 2013. This is important because GDPR requires all of our clients to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of (GDPR) and ensure the protection of the rights of the data subject.” (Article 28).
Getting ready for GDPR requires time and effort, but it helps to remember that GDPR is about taking care of people. As well as giving people rights, it is about protecting them. If you ensure that the personal data you process is well protected, then breaches will not happen. We can provide that level of security at ERS: personal data is safe with us.
Data Protection Officer