Looking for a GDPR Consultant?
The GDPR applies to any organisation that processes personal data, so we provide GDPR consultancy to help with your compliance and reduce the risk of data breaches.
If your company has experienced a data breach, or you think you have, contact us immediately. We have partnerships with senior contacts in data security who will be able to support with even the most serious of cases – but acting fast is always critical.
We’ll help you to minimise the data breach, investigate and plug the security holes they used, improve your processes so that errors don’t happen again, and assist you with reporting to the Information Commissioner’s Office.
All of the services we provide you will involve us advising about GDPR in some way, so it’s woven into everything we do. We’re happy to store data on your behalf, whether it’s scans of your employees’ passports, your purchase invoices or providing your email and website hosting.
In doing this, we act as your data processor and take responsibility for the security of the data: it is stored and transferred only over encrypted connections, access is restricted to the people who need it, and the arrangement is covered by a written processing contract as the GDPR requires.
Data Processor vs. Data Controller
These terms are key to the GDPR, although for most small businesses, they’re fairly simple to understand. A data controller decides what data needs to be collected and stored. A data processor typically follows instructions from a controller, and acts on their behalf. The ICO has a great guide for further reading, and if you’re confused, a GDPR consultant will be able to tell you more.
One of the most common examples is Google Analytics, on this site. Andach is the data controller – we decide what data to collect, from whom, and why. Google is a processor – they store and manage the data on our behalf.
Simply using a data processor doesn’t mean you don’t have responsibility under GDPR. You need to ensure that you have contracts in place where the processor acknowledges what they have to do, what they have to collect, and how and when to delete it.
Questions? Get in touch with us Today!
Whatever the nature of your business, we're happy to help you with advice or audit. From the simplest query to complex questions, Andach has experience with complicated GDPR situations, and we'll work with you to understand your situation and make sure you're fully compliant.
We can also offer IT security advice for firms with specialist requirements, or for those who have recently suffered a data breach.
What are my responsibilities?
For processing data to be lawful, you have to identify why you’re processing the data in the first place.
You also can’t (fairly obviously) do anything otherwise unlawful with people’s data, for example infringe copyright, breach a duty of confidence or breach their human rights.
You must only handle personal data in a way that people would reasonably expect. This can depend on how you have obtained the personal data. For example, if you mislead people or deceive them when personal data is obtained, it’s not going to be fair to use it.
Note that simply negatively affecting an individual doesn’t mean the processing is automatically unfair – it matters if the detriment is justified. For example, it’s OK for the police to use someone’s personal data to prosecute them for breaking the speed limit – even if they don’t like it!
You must ensure that you tell people how you’re going to use their personal data in a way that is clear and honest. Don’t use jargon or “legal-ese”. A GDPR consultant can help you draft this text.
This applies whether you collected the data directly from the individual concerned or obtained it from another source.
How should we specify this?
Organisations with fewer than 250 employees need only document processing activities that:
- Are not occasional, or;
- Are likely to be intrusive or adversely affect individuals, or;
- Involve “special category” data or offence data.
When could we use data for new purposes?
You can use data you’ve already collected for a new purpose if you’ve got permission, have a legal requirement to do so, or the new purpose is “compatible” with the old one. This can be complicated, so definitely consider asking a GDPR consultant if you’re unsure.
In justifying this, you should consider:
- Whether the individual would reasonably expect you to process their data in this way
- Whether the data is sensitive
- Whether there are possible consequences for the individuals
- Whether there are appropriate safeguards.
Commonly businesses will want to process data for analysis reasons, to create dashboards and management information. This will usually be compatible, but do seek advice if you’re unsure.
How do we decide this if the GDPR doesn't define the terms?
GDPR compliance is about considering why you’re holding data, what your organisation uses it for and what the circumstances are surrounding the data. It’s not about prescribing specific courses of action for everyone to follow.
For example, you may be a construction business, and need to ask your staff if they have certain medical conditions – which might make working with certain machines more dangerous. You shouldn’t obtain or keep this data for someone who’s only working in the office – it’s clearly irrelevant.
Especially if the data you’re processing is special category data (see below), then it’s important you engage with a GDPR consultant to establish that you’re doing this right.
This is an often misunderstood element of the GDPR, and something you hear commonly as a GDPR consultant. “But I thought it was about not collecting data!”
No, rather the GDPR is about collecting the right data, and being clear about how you use it. An example could be for a sports club. When you’re just starting up, if you all know each other, then you can probably do everything you need with just names and email addresses.
If the club were to grow to a few hundred people, then clearly relying on memory isn’t workable any more. You’re not going to be able to do everything you need to do with an email list, and you’re going to need to keep track of membership subscriptions, etc.
So in this case, you need to collect more data in order to process everyone fairly and properly.
How does this affect historical records?
It needs to be clear what you intend someone’s personal record to show. If someone moves house then clearly, you need to update their address in your database as soon as you become aware.
But if you have reason to record previous addresses (for a credit check, for example), then recording that someone used to live in their old address is perfectly accurate.
How proactive are we supposed to be?
This depends on the importance of the data. For example, it’s important to be accurate about whether someone holds a driving licence – if you’re a taxi agency you’ll want to check this against DVLA records to confirm the licence is valid and see whether they have any points.
It’s usually reasonable to assume that people have given you accurate information, however.
What do we do if someone tells us the information we hold is wrong?
Check it. Then correct it.
People have the absolute right to have incorrect personal data rectified – but this doesn’t mean you have to accept their word that your data is wrong. If the data is important (like the driving licence example given above), then you should confirm the correction before making any changes. If they’re telling you you’ve misspelled their name, it’s probably best to fix it immediately.
How long are we allowed to keep data?
As with a lot of things in the GDPR, this is not explicitly set out in the rules. You need to consider the needs of your business, and weigh this up against the rights of the individual.
This principle isn’t just about legal compliance. Holding data for longer than you need increases the chance of holding inaccurate data – which will make your management information wrong. Also, holding data is expensive, you’re paying good money to store information that you might not need.
What should we consider when we set retention periods?
- Why you’re holding this category of data.
- Practically, how long will it take for the data to become irrelevant?
- Is it necessary to hold data after a certain event has occurred?
- Are there any specific legal or regulatory requirements? Taxes or financial audit, or health and safety records?
If you’re unsure, ask us as a GDPR consultant for advice. For example, you will need to keep some information on employees once they leave – to comply with pension arrangements or provide references, for example. But you’re never going to need their emergency contact details once they’ve resigned, so these should be deleted.
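The retention questions above translate directly into a per-category schedule that a system can enforce. The following is an added example, not code from Andach or from the page: it attaches a documented purpose and a retention period to each category of employee data, anchors the clock either to collection or to the leaving date, keeps data whose anchor event hasn’t happened yet, flags categories you hold without any documented reason, and purges what has expired. The category names and retention periods are hypothetical assumptions for illustration, not legal advice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """Retention rule for one category of personal data.

    anchor:   which event starts the clock, "collected" or "leaving"
    keep_for: how long after the anchor event the data is still needed;
              timedelta(0) means delete as soon as the event has happened
    reason:   why the category is held at all (the purpose you must be
              able to state under the GDPR)
    """
    category: str
    anchor: str
    keep_for: timedelta
    reason: str


@dataclass
class EmployeeRecord:
    name: str
    collected: date
    left: Optional[date]                      # None while still employed
    data: dict = field(default_factory=dict)  # category -> stored value


# Hypothetical schedule for a small employer (assumed values, not from the page).
SCHEDULE = (
    RetentionRule("emergency_contact", "leaving", timedelta(0),
                  "only needed while the person is employed"),
    RetentionRule("payroll", "leaving", timedelta(days=6 * 365),
                  "tax, audit and pension arrangements after leaving"),
    RetentionRule("reference_notes", "leaving", timedelta(days=3 * 365),
                  "answering reference requests from new employers"),
    RetentionRule("health_and_safety", "collected", timedelta(days=40 * 365),
                  "statutory health and safety records"),
)


def unscheduled_categories(rec, schedule=SCHEDULE):
    """Categories held with no rule, i.e. no documented purpose or period."""
    known = {rule.category for rule in schedule}
    return sorted(cat for cat in rec.data if cat not in known)


def expired_categories(rec, today, schedule=SCHEDULE):
    """Return the categories whose retention period has run out as of today."""
    expired = []
    for rule in schedule:
        if rule.category not in rec.data:
            continue
        if rule.anchor == "leaving":
            if rec.left is None:
                continue  # anchor event hasn't happened yet: keep the data
            start = rec.left
        else:
            start = rec.collected
        if today >= start + rule.keep_for:
            expired.append(rule.category)
    return expired


def purge(rec, today, schedule=SCHEDULE):
    """Delete expired categories from the record in place; return what was removed."""
    removed = expired_categories(rec, today, schedule)
    for cat in removed:
        del rec.data[cat]
    return removed


if __name__ == "__main__":
    # Constructed sample record, not real personal data.
    rec = EmployeeRecord("A. Example", date(2010, 1, 1), date(2020, 6, 30),
                         {"emergency_contact": "07700 900000",
                          "payroll": "...", "shoe_size": 9})
    print("no documented reason:", unscheduled_categories(rec))
    print("purged on 2020-07-01:", purge(rec, date(2020, 7, 1)))
    print("still held:", sorted(rec.data))
```

Running the purge on a schedule (for example nightly) keeps deletion from depending on someone remembering; the `unscheduled_categories` check is the one to watch, because a category with no rule is exactly the “why are we holding this?” question the GDPR expects you to have answered.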
What is it we need to protect against?
Put simply, you need to ensure that your data can’t be accessed, deleted or changed by anyone who doesn’t have the right to do so. As usual, this will need a different response for separate categories of data.
Your salespeople might need access to customers’ phone numbers, for example. But they don’t need access to payment card information, which should be encrypted at rest and restricted to the few people and systems that genuinely need it.
You need to consider both physical security (the obvious – lock up files that aren’t in use, and ensure computers require a password after a certain amount of inactivity), and IT security.
How should we secure our computer systems?
As you’ve probably guessed if you’ve made it this far down the page, there isn’t a one-size-fits-all solution for this. Instead, you need to consider the nature of the data processed and how your computer systems work, and respond accordingly. You may want to consider an Active Directory implementation, with group-based file permissions, to help ensure that files you host are only shared with staff who should have access to them.
You should definitely consider a GDPR consultant to advise on this area if you’re processing special category data (see below).
If you’re operating in an industry that has its own requirements (such as the PCI DSS standard for handling payment card data, which is a contractual requirement of the card schemes rather than legislation), then you have to comply with that and with the GDPR.
Processors and controllers
This section of the GDPR clarifies that as a data controller, you’re still responsible for complying with the legislation, even if you use a number of data processors.
To err is human, and even the best organisation might have a data breach happen at some time. Regardless of whether you need to formally report this, you need to keep a record of any personal data breaches, no matter how minor.
You need to report a breach to the ICO if there is a “risk to people’s rights and freedoms”. For example, if hackers take your customer database, this could be used to commit identity fraud, and you would need to report this. But if you inadvertently delete an internal list of staff phone numbers, this isn’t going to result in any kind of risk, so you don’t have to report.
If you do need to report, you must do this without undue delay and within 72 hours of becoming aware of the breach; if you report later than that, you must explain the delay.
You should seek immediate advice if you suspect you have a reportable data breach. This could indicate a serious security problem for your company and you should engage with a professional GDPR consultant as soon as possible.
Special Category Data
The GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life;
- data concerning a person’s sexual orientation.
GDPR Article 9
Article 9(2) lists the only conditions under which special category data may be processed. You still need a lawful basis under Article 6 as well – one of these conditions on its own is not enough:
- (a) Explicit consent
- (b) Employment, social security and social protection (if authorised by law)
- (c) Vital interests
- (d) Not-for-profit bodies
- (e) Made public by the data subject
- (f) Legal claims or judicial acts
- (g) Reasons of substantial public interest (with a basis in law)
- (h) Health or social care (with a basis in law)
- (i) Public health (with a basis in law)
- (j) Archiving, research and statistics (with a basis in law)
Separate rules (Article 10) apply to data about criminal convictions, offences and related allegations or proceedings. The special category rules apply even if you’ve inferred or guessed the information, rather than it being explicitly confirmed to you.
If you believe that processing this data is likely to result in a high risk to individuals, then you also need to carry out a Data Protection Impact Assessment before you start. A GDPR consultant will be able to help you with this, and we strongly advise you seek assistance if this is the case.
Data Protection Officer (DPO)
You should consider appointing a Data Protection Officer for your company. Under the GDPR, you must appoint a DPO if:
- You are a public authority or body (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Your DPO can be a member of your staff, or an external GDPR consultant or company. We are happy to be appointed to be your Data Protection Officer if you have identified a need for one. Contact us today to find out about our services.