GDPR Data Processing: What you need to know

A lot of what has been written has been about the attention-grabbing fines, the debate about consent and the right to be forgotten. There has been very little about the foundation of the data protection principles, the legal basis for processing, the processor-controller relationship and the fact that in many ways the GDPR isn’t very dissimilar to the current Data Protection Act. Whilst I could write war and peace of these subjects there are three points that I haven’t read much about, but very important. One or two of them might even be an eye opener for you.

Choosing a data processor

As a data controller you have full accountability for ensuring that if you use a company to do your processing (for instance an outsourced marketing company), that you have conducted the right level of due diligence to ensure that they have the right “technical and organisational controls in place to keep safe and secure”. These measures should be at least equal to yours, and if they sub this out further (let’s say to a contractor), you should be given the opportunity to decline the sub-processor and they should have the same security measures in place.

It is vital to have the processor-controller relationship, liabilities, and actions (what they can and can’t do, what they should do with your data once the project is finished) set out in terms and conditions. It is both companies responsibility to have this documented, without it, all parties open themselves up for some hefty fines if there is a breach. What’s more, if you’re the data processor without sufficient organisational and technical measures in place and there is a breach, the terms of the contract will ultimately lay the fines of the controller at your door, and that could be 4% of their turnover!

Whilst the fines are robust, it is someway short of the reputational damage that would be done to your business.

Food for thought!

Marketing

This is one that many just can’t seem to get right. So back to the basics of data protection which will help in the understanding of this. One must have a legal basis to process personal information of individuals, one of those legal basis’s is consent (but there are more). This consent can be used for the processing of personal data, however, and this is where it gets interesting, when it comes to marketing, consent is necessary. Just because one has consent for the general processing of data, does not mean this is consent for marketing. However, businesses will need explicit consent for data transfers to non-EEA countries or where there is a high risk in a transfer and for the processing of sensitive data. And, what’s more, whilst one must comply with the Data Protection Act and soon to be GDPR, when it comes to marketing, it’s PECR (Privacy of Electronic Communications Regulations) that must be adhered to along with the GDPR for its other requirements.

Whilst this regulation has been around since 2002 not many have heard of it!

The tick box off the shelf approach

As you would imagine, GDPR has become a little like cyber was a year or two ago, plenty of people jumping on the band wagon, and most of them not really knowing the first thing about it other than the very basics.

There are plenty offering the silver bullet of an off the shelf solution that can be applied across the board. The issue here is that every business is different, different people, ways of working, nuances and challenges. And whilst there will be some commonalities between companies, there certainly isn’t a one size fits all approach if you want to do it properly.

For example, if we look at a privacy policy that is written correctly and to the guidelines issued by the ICO, it should be produced once one knows what the data flows in the business are. What information will be gathered and for what purpose, who they will be shared with and more. If you take two businesses that you know, do these match completely or will there be some anomalies?

Author bio

Jezz Gobran, MD of i-Secured, a Birmingham based data protection and information security consultancy. Helping business understand and meet legal data obligations whilst Protection their reputations and businesses. This guest post was originally published by Jelf on their website. Read it here

Jelf are award winning experts in Insurance, Risk Management and Employee Benefits for businesses and individuals. Find out more about us on our website