At this stage, organisations should have a GDPR project team in place, and a data audit of the personal data held by the organisation should be underway. A data audit will help all organisations comply with various GDPR obligations and is a prerequisite for any privacy compliance strategy.
Given the volume of GDPR enquiries we have received, I thought it might be useful at this stage to compile some FAQs we have received from our client base, and "bust" a few GDPR myths.
Must I have consent for all of my organisation's personal data processing activities?
It is true that the GDPR raises the bar to a higher standard of consent than the Data Protection Act 1998 (DPA). However, the rules around consent only apply if you are relying on consent as your lawful basis to process personal data. Consent is only one of the six lawful bases for processing personal data under the GDPR. For example, if you need to process personal data to fulfil a contract with a customer, then consent is not required.
My organisation would like to continue to send marketing materials to individuals on our marketing database. Do we need to "refresh" all our consents?
You are not automatically required to refresh all existing consents obtained under the DPA if such consents meet the standard required under the GDPR. So it is important to check how consent was obtained (was consent implied or explicit, for example). If existing consents do not meet the GDPR standard you will need to seek fresh GDPR-compliant consent, or identify a different lawful basis for the processing (or stop the processing altogether).
Must all data protection breaches be reported to the ICO?
If the breach is likely to result in a risk to people's rights and freedoms, then it will be mandatory to report the breach. However, if no such risks exist then you don't need to report the breach. Organisations should note that if there is a high risk to people's rights and freedoms then the breach must be reported to the affected individuals too.
Will fines under the GDPR be huge?
The ICO will have the power to impose fines much bigger than the £500,000 limit currently imposed by the DPA, but the ICO has said that issuing fines will continue to be the last resort, and that it will use its powers proportionately and judiciously.
Must my organisation perform a privacy impact assessment?
Organisations will be required to perform privacy impact assessments (PIAs) where new projects may result in the processing of personal data that could pose a high risk to data subjects. So a PIA should be considered where, for example, a new IT system for storing personal data or a new surveillance system is being put in place. Not all projects will be deemed to pose a risk to the privacy of data subjects, so organisations should first ascertain whether a PIA is needed when undertaking a new project.
If an individual asks for their information to be deleted, must my organisation comply?
Individuals will have the right to request that organisations delete their personal data in certain circumstances (for example, where the data is no longer necessary for the purpose for which it was collected). However, if personal data must be retained under a legal requirement, or is required by the organisation to fulfil a contractual obligation, then the organisation will have a legitimate reason to retain the personal data, at least for as long as it takes to fulfil the legal or contractual requirement.
Must my security systems be of a certain cyber-security standard?
The GDPR states: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". So while the GDPR offers guidance on what security actions might be "appropriate" to the risk (including "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing"), the regulation does not set an approved code of conduct or approved certification mechanism that must be complied with (although organisations can use such standards to demonstrate compliance with the GDPR's security requirements).
Is the GDPR going to impose an unnecessary burden on my organisation?
If your organisation is complying with the terms of the DPA, then it is well on the way to being compliant with the obligations imposed by the GDPR. Many of the fundamental principles under the DPA remain the same under the GDPR: transparency, accuracy, security and minimisation. The GDPR is an evolution in data protection, and is essentially enforcing what has always been good practice, such as knowing what personal data is held by an organisation, where it is held, how it was obtained and for how long it has been stored. Advances in technology since 1998 mean that the DPA is no longer fit for purpose in terms of protecting individuals' rights in today's information society, and the GDPR will build upon the DPA to address these inadequacies.