GDPR Data Processing: What you need to know
Find your business
There has been much written over the last few months of GDPR, some of it is good accurate information and the rest, well, fish and chip paper is probably it’s best use.
A lot of what has been written has been about the attention-grabbing fines, the debate about consent and the right to be forgotten. There has been very little about the foundation of the data protection principles, the legal basis for processing, the processor-controller relationship and the fact that in many ways the GDPR isn’t very dissimilar to the current Data Protection Act. Whilst I could write war and peace of these subjects there are three points that I haven’t read much about, but very important. One or two of them might even be an eye opener for you.
Choosing a data processor
As a data controller you have full accountability for ensuring that if you use a company to do your processing (for instance an outsourced marketing company), that you have conducted the right level of due diligence to ensure that they have the right “technical and organisational controls in place to keep safe and secure”. These measures should be at least equal to yours, and if they sub this out further (let’s say to a contractor), you should be given the opportunity to decline the sub-processor and they should have the same security measures in place.
It is vital to have the processor-controller relationship, liabilities, and actions (what they can and can’t do, what they should do with your data once the project is finished) set out in terms and conditions. It is both companies responsibility to have this documented, without it, all parties open themselves up for some hefty fines if there is a breach. What’s more, if you’re the data processor without sufficient organisational and technical measures in place and there is a breach, the terms of the contract will ultimately lay the fines of the controller at your door, and that could be 4% of their turnover!
Whilst the fines are robust, it is someway short of the reputational damage that would be done to your business.
Food for thought!
This is one that many just can’t seem to get right. So back to the basics of data protection which will help in the understanding of this. One must have a legal basis to process personal information of individuals, one of those legal basis’s is consent (but there are more). This consent can be used for the processing of personal data, however, and this is where it gets interesting, when it comes to marketing, consent is necessary. Just because one has consent for the general processing of data, does not mean this is consent for marketing. However, businesses will need explicit consent for data transfers to non-EEA countries or where there is a high risk in a transfer and for the processing of sensitive data. And, what’s more, whilst one must comply with the Data Protection Act and soon to be GDPR, when it comes to marketing, it’s PECR (Privacy of Electronic Communications Regulations) that must be adhered to along with the GDPR for its other requirements.
Whilst this regulation has been around since 2002 not many have heard of it!
The tick box off the shelf approach
As you would imagine, GDPR has become a little like cyber was a year or two ago, plenty of people jumping on the band wagon, and most of them not really knowing the first thing about it other than the very basics.
There are plenty offering the silver bullet of an off the shelf solution that can be applied across the board. The issue here is that every business is different, different people, ways of working, nuances and challenges. And whilst there will be some commonalities between companies, there certainly isn’t a one size fits all approach if you want to do it properly.
Jezz Gobran, MD of i-Secured, a Birmingham based data protection and information security consultancy. Helping business understand and meet legal data obligations whilst Protection their reputations and businesses. This guest post was originally published by Jelf on their website. Read it here
Jelf are award winning experts in Insurance, Risk Management and Employee Benefits for businesses and individuals. Find out more about us on our website
Find your business
A milestone passed | Bank Referral Scheme Post Implementation Review
Alternative Business Funding Chairman, Adam Tavener's thoughts on HM Treasury's Bank refer...LEARN MORE
Considering taking the plunge and starting a business?
Has Coronavirus made you think about becoming a business owner? ABF Chairman, Adam Tavener...LEARN MORE
Countering currency volatility during the coronavirus
The acceleration of the coronavirus crisis in March led to some dramatic currency movement...LEARN MORE