GDPR Consent, lawful basis and data breach procedures – all of your questions answered

These are the most frequently asked questions from our clients:

I own a small company with 3 members of staff – I’ve heard that I will be exempt from GDPR. Is this true?

In a word – No! The GDPR applies to all businesses that use or have access to personal data, no matter how big or small. The ICO does recognise that SMEs do not have access to the same resources as larger companies and over the coming weeks will produce an SME guide to the GDPR. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/10/ico-announces-more-help-for-small-and-micro-businesses/

However, our GDPR OFFICE solution takes this headache away from you – click here for more GDPR OFFICE information.

I know I need to have a lawful basis for having and using the personal data I acquire, but what are the options?

Your choices are the six lawful bases set out in Article 6(1):
• 6(1)(a) – The data subject has given consent
• 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
• 6(1)(c) – Processing is necessary for compliance with a legal obligation
• 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
• 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• 6(1)(f) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Note that the legitimate interests condition in 6(1)(f) is not available to processing carried out by public authorities in the performance of their tasks.

Do I need to know what types of personal or sensitive personal data I have?

This is key for your organisation to know – many organisations simply lump their data together and class it all either as not personal or as personal. It is imperative that the data is studied to understand exactly what types of personal data are there, because this has an impact on every business protocol that follows regarding that data.

Am I a data controller or a data processor?

Sounds simple, doesn’t it? The fact is that many companies identify themselves as data controllers when in fact they don’t own the information but process it on behalf of the actual data controller. As responsibility is increased for both parties under GDPR, this relationship must be documented: every contract between the parties needs to specify who is the controller and who is the processor.

Do I need to explain what I use the data for?

Yes, you do! You need to be crystal clear about what you plan to use the data for, and it needs to marry up with your lawful basis for doing so.

What about other regulations that I have to comply with?

Whatever they are (PECR, PCI DSS, etc.), you need to make sure that you comply with these as well. GDPR is all-encompassing, but these other regulations contain specific requirements that are unique to them. Make sure that your compliance with any other regulations is documented and linked to your GDPR documentation.

Do I need consent procedures?

Yes! Without these, all the data you have is of no use. Be explicit. Be precise. Be clear.

Do I need a privacy policy?

Yes! If you don’t have one, your organisation is not showing respect for the personal data that it holds. Make it clear and easy for people to find.

What is a breach management policy?

Unsurprisingly, a lot of companies don’t have a breach policy – you are going to need one. GDPR makes accountability key, and the new rules mean that you will have to notify the ICO (in the UK) of a breach or suspected breach of your data. Without a breach policy it will be difficult to prove to the ICO that you have done everything possible to protect the data you hold.

Do I have to have a defined breach management procedure?

Yes! See above!

Policies are all well and good, but nail down the actual process that your company has identified, document it, and make it accessible to all of your company’s personnel.

Do I have to be equipped to handle subject access requests and a person’s right to be forgotten?

All staff need to be aware of how to deal with such requests. Make it easy for the owner of the personal data to ask for their information and to say what they want done with it. In some cases (CCTV, for example) your data deletion policy may already take care of such queries, but everybody in your organisation should know this.

What if I have or use children’s data?

This is the most sensitive category of personal data – if you hold it then make sure you have the most legitimate reason for having it.

Simply saying ‘for business purposes’ is no longer acceptable – if you really don’t need it, then don’t hold it.

And be prepared to invest in systems to keep the data as safe as possible – there is no grey area when it comes to data involving children.

What if I transfer data internationally?

If you do, then be prepared to have very serious conversations with everyone you share data with outside of your organisation. As a minimum they will need to ensure the safety of your data; if they cannot, there could be serious consequences.

Do I need to tell everybody in my business what GDPR is and its implications?

GDPR will affect everybody in your organisation – make sure they are trained, educated and aware of what to do in any situation that involves personal data or a possible breach.

How long can I store personal GDPR data?

The safe storage of your company’s personal data is key to your GDPR readiness. How long you can store it depends on what you are going to use it for. For example, passenger name records for airlines may need to be stored for many years to allow for future enquiries such as EU261 claims, whereas CCTV data may be stored for up to 30 days unless needed by law enforcement agencies.

How can I make sure the Data Processors that I work with have encrypted my customers’ personal details and have the correct policies and procedures in place?

This is a key question for many data controllers, particularly within the airline industry. As a data controller, it is incumbent on you to make sure that your data processors’ systems meet the same standards as your own. Both parties should have a written agreement in place to this effect.

Want to know more? Give us a call or email us on Tel:01865 600 410 | info@GDPRsystems.co.uk