GDPR Consultant

Looking for a GDPR Consultant?

GDPR applies to almost every organisation that handles personal data, so we provide GDPR consultancy to help with your compliance and to reduce the risk of data breaches. 

If your company has experienced a data breach, or you think you may have, contact us immediately. We have partnerships with senior contacts in data security who can support even the most serious cases – but acting fast is always critical, not least because the clock for reporting to the regulator starts when you become aware of the breach. 

We’ll help you to contain the breach, investigate and close the security weaknesses that were exploited, improve your processes so that the same errors don’t happen again, and assist you with reporting to the Information Commissioner’s Office (ICO). 

All of the services we provide you will involve us advising about GDPR in some way, so it’s woven into everything we do. We’re happy to store data on your behalf, whether it’s scans of your employees’ passports, your purchase invoices or providing your email and website hosting. 

In doing this, we take responsibility for the security of the data, ensuring it is transmitted only over encrypted channels and accessed only by people who are authorised to do so, in line with GDPR’s security principle. 


Data Processor vs. Data Controller

These terms are key to the GDPR, although for most small businesses, they’re fairly simple to understand. A data controller decides what data needs to be collected and stored. A data processor typically follows instructions from a controller, and acts on their behalf. The ICO has a great guide for further reading, and if you’re confused, a GDPR consultant will be able to tell you more. 

One of the most common examples is Google Analytics, on this site. Andach is the data controller – we decide what data to collect, from whom, and why. Google is a processor – they store and manage the data on our behalf. 

Simply using a data processor doesn’t remove your responsibility under GDPR. You need a written contract with each processor (GDPR Article 28) setting out what they may do with the data, what they may collect, how they must secure it, and how and when they must delete or return it. 

Questions? Get in touch with us Today!

Whatever the nature of your business, we're happy to help you with advice or audit. From the simplest query to complex questions, Andach has experience with complicated GDPR situations, and we'll work with you to understand your situation and make sure you're fully compliant. 

We can also offer IT security advice for firms with specialist requirements, or for those who have recently suffered a data breach. 

Contact Us

What are my responsibilities?

1) Lawfulness, fairness and transparency

Whenever you use personal data, you must identify a “lawful basis” for processing this data.

You must not process data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.

You must also be clear, open and honest with people from the start about how you're using their data.

Lawfulness

For processing data to be lawful, you have to identify why you’re processing the data in the first place. 

You also can’t (fairly obviously) do anything otherwise unlawful with their data – for example, infringe copyright, breach a duty of confidence or breach human rights law. 

Fairness

You must only handle personal data in a way that people would reasonably expect. This can depend on how you have obtained the personal data. For example, if you mislead people or deceive them when personal data is obtained, it’s not going to be fair to use it. 

Note that simply negatively affecting an individual doesn’t mean the processing is automatically unfair – it matters if the detriment is justified. For example, it’s OK for the police to use someone’s personal data to prosecute them for breaking the speed limit – even if they don’t like it!

Transparency

You must ensure that you tell people how you’re going to use their personal data in a way that is clear and honest. Don’t use jargon or “legal-ese”. A GDPR consultant can help you draft this text. 

This applies whether or not you have collected the data directly from the individual concerned, or from another source. 

2) Purpose Limitation

You must be clear from the start about why you are processing personal data.

You also need to document this and record it in the privacy information you give to individuals – usually as a “privacy policy”. 

How should we specify this?

This relates closely to the “transparency” principle above. In summary, you should have a clear privacy policy, and if you’re being transparent (and documenting properly), you’re almost certainly complying with this. 

Organisations with fewer than 250 employees need only document processing activities that:

  • are not occasional;
  • are likely to result in a risk to individuals’ rights and freedoms; or
  • involve “special category” data or criminal offence data. 

When could we use data for new purposes?

You can use data you’ve already collected for a new purpose only if you have the individual’s consent, a legal requirement to do so, or the new purpose is “compatible” with the original one. This can be complicated, so definitely consider asking a GDPR consultant if you’re unsure. 

In justifying this, you should consider:

  • Whether the individual would reasonably expect you to process their data in this way
  • Whether the data is sensitive
  • Whether there are possible consequences for the individuals
  • Whether there are appropriate safeguards. 

Commonly businesses will want to process data for analysis reasons, to create dashboards and management information. This will usually be compatible, but do seek advice if you’re unsure. 

3) Data Minimisation

Put simply, you should hold the minimum amount of data you need to fulfil the purposes you have set out. 

Specifically, GDPR states this must be “adequate, relevant and limited to what is necessary”. 

Helpfully, GDPR doesn't define these terms explicitly.

How do we decide this if the GDPR doesn't define the terms?

GDPR compliance is about considering why you’re holding data, what your organisation uses it for and what the circumstances are surrounding the data. It’s not about prescribing specific courses of action for everyone to follow. 

For example, you may be a construction business, and need to ask your staff if they have certain medical conditions – which might make working with certain machines more dangerous. You shouldn’t obtain or keep this data for someone who’s only working in the office – it’s clearly irrelevant. 

Especially if the data you’re processing is special category data (see below), then it’s important you engage with a GDPR consultant to establish that you’re doing this right. 

Adequate

This is an often misunderstood element of the GDPR, and something you hear commonly as a GDPR consultant. “But I thought it was about not collecting data!”

No, rather the GDPR is about collecting the right data, and being clear about how you use it. An example could be for a sports club. When you’re just starting up, if you all know each other, then you can probably do everything you need with just names and email addresses. 

If the club were to grow to a few hundred people, then clearly relying on people’s memory isn’t workable. You’re not going to be able to do everything you need to do with an email list, and you’re going to need to keep track of membership subscriptions, etc. 

So in this case, you need to collect more data in order to process everyone fairly and properly. 

4) Accuracy

Your data must be accurate and up to date. 

How does this affect historical records?

It needs to be clear what you intend someone’s personal record to show. If someone moves house then clearly, you need to update their address in your database as soon as you become aware. 

But if you have reason to record previous addresses (for a credit check, for example), then recording that someone used to live at their old address is perfectly accurate. 

How proactive are we supposed to be?

This depends on the importance of the data. For example, it’s important to be accurate about whether someone holds a valid driving licence – if you’re a taxi agency you’ll want to check this against DVLA records to ensure they don’t have any penalty points, for example. 

It’s usually reasonable to assume that people have given you accurate information, however. 

What do we do if someone tells us the information we hold is wrong?

Check it. Then correct it. 

People have the right to have inaccurate personal data rectified – but this doesn’t mean you have to accept their word that your data is wrong. If the data is important (like the driving licence example given above), then you should verify the claim before making any changes. If they’re telling you you’ve misspelled their name, it’s probably best to fix it immediately. 

5) Storage Limitation

You can't keep data for longer than you need to. You need policies on what this retention period is - which might be different for different categories of data. 

You can keep data for longer than this only if you're keeping it for archival in the public interest, scientific/historical research, or statistical purposes. 

How long are we allowed to keep data?

As with a lot of things in the GDPR, this is not explicitly set out in the rules. You need to consider the needs of your business, and weigh this up against the rights of the individual. 

This principle isn’t just about legal compliance. Holding data for longer than you need increases the chance of holding inaccurate data – which will make your management information wrong. It also enlarges what an attacker can take if you are breached: data you have already deleted cannot be stolen. And holding data is expensive; you’re paying good money to store information you might not need. 

What should we consider when we set retention periods?

Consider:

  • Why you’re holding this category of data. 
  • Practically, how long will it take for the data to become irrelevant? 
  • Is it necessary to hold data after a certain event has occurred? 
  • Are there any specific legal or regulatory requirements – for example, tax, financial audit or health and safety records? 

If you’re unsure, ask us as a GDPR consultant for advice. For example, you will need to keep some information on employees once they leave – to comply with pension arrangements or provide references, for example. But you’re never going to need their emergency contact details once they’ve resigned, so these should be deleted. 
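
One way to turn a retention policy like the one described above into something a system can enforce is to express each category as a rule with a trigger (the record’s creation, or an event such as an employee leaving) and a period. The following is an added example, not code from this page or its author; the categories, periods and record fields are assumptions for illustration only, and the periods are not legal advice – set them from your own legal and regulatory obligations. The sweep fails closed: a record in a category with no rule is reported rather than silently deleted or silently kept, and a leaver-triggered record is retained until the leaving date is actually recorded.

```go
package main

import (
	"fmt"
	"time"
)

// Trigger says when a record's retention clock starts.
type Trigger int

const (
	FromCreation Trigger = iota // clock starts when the record is created
	FromLeaving                 // clock starts when the employee leaves
)

// RetentionRule is the policy for one category of personal data.
type RetentionRule struct {
	Trigger Trigger
	Keep    time.Duration
}

// Record is a minimal stand-in for a row in an HR or CRM system (assumed shape).
type Record struct {
	ID       string
	Category string
	Created  time.Time
	Left     *time.Time // nil while the person is still employed
}

// Schedule is an illustrative retention schedule. The periods here are assumptions
// for the example and must be replaced with ones derived from your own obligations.
var Schedule = map[string]RetentionRule{
	"emergency_contact": {Trigger: FromLeaving, Keep: 0},                         // delete as soon as they leave
	"pension":           {Trigger: FromLeaving, Keep: 6 * 365 * 24 * time.Hour},  // assumed: kept after leaving
	"recruitment_cv":    {Trigger: FromCreation, Keep: 180 * 24 * time.Hour},     // assumed: short-lived
}

// DeleteBy returns the date a record must be deleted. ok is false when the record
// must be kept for now because its trigger event has not happened yet. An error
// means no rule exists, which is a policy gap rather than permission to delete.
func DeleteBy(rules map[string]RetentionRule, r Record) (deadline time.Time, ok bool, err error) {
	rule, found := rules[r.Category]
	if !found {
		return time.Time{}, false, fmt.Errorf("no retention rule for category %q", r.Category)
	}
	switch rule.Trigger {
	case FromCreation:
		return r.Created.Add(rule.Keep), true, nil
	case FromLeaving:
		if r.Left == nil {
			return time.Time{}, false, nil // still employed: keep
		}
		return r.Left.Add(rule.Keep), true, nil
	}
	return time.Time{}, false, fmt.Errorf("unknown trigger %d for %q", rule.Trigger, r.Category)
}

// Sweep returns the IDs due for deletion at 'now' and the IDs whose category has
// no rule, so a human can decide the policy instead of the data being kept by default.
func Sweep(rules map[string]RetentionRule, records []Record, now time.Time) (due, unruled []string) {
	for _, r := range records {
		deadline, ok, err := DeleteBy(rules, r)
		if err != nil {
			unruled = append(unruled, r.ID)
			continue
		}
		if ok && !now.Before(deadline) {
			due = append(due, r.ID)
		}
	}
	return due, unruled
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	left := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample records for the demonstration.
	records := []Record{
		{ID: "ec-leaver", Category: "emergency_contact", Created: left.AddDate(-3, 0, 0), Left: &left},
		{ID: "ec-current", Category: "emergency_contact", Created: left.AddDate(-3, 0, 0)},
		{ID: "pension-leaver", Category: "pension", Created: left.AddDate(-3, 0, 0), Left: &left},
		{ID: "cv-old", Category: "recruitment_cv", Created: time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)},
		{ID: "badge-photo", Category: "badge_photo", Created: now},
	}
	due, unruled := Sweep(Schedule, records, now)
	fmt.Println("delete now:", due)
	fmt.Println("no rule, needs a decision:", unruled)
}
```

Run the sweep from a scheduled job and log what it deletes; the log is itself part of the documentation the accountability principle asks for.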

6) Integrity and Confidentiality

This clause is all about security. This could range from physically locking up records to encrypting data. 

It's one of the more technical parts of the GDPR, and if you're processing special category data we strongly recommend seeking professional advice here. 

What is it we need to protect against?

Put simply, you need to ensure that your data can’t be accessed, deleted or changed by anyone who doesn’t have the right to do so. As usual, this will need a different response for separate categories of data. 

Your sales staff might need access to customers’ phone numbers, for example. But they don’t need access to card details, which should be encrypted at rest and decryptable only by the few roles that genuinely need the full number. 

You need to consider both physical security (the obvious – lock up files that aren’t in use, and make sure computers lock automatically after a short period of inactivity and require a password to unlock) and IT security. 

How should we secure our computer systems?

As you’ve probably guessed if you’ve made it this far down the page, there isn’t a one-size-fits-all solution for this. Instead, you need to consider the nature of the data processed and how your computer systems work, and respond accordingly. You may want to consider a directory service such as Active Directory, with file permissions granted to groups rather than individuals, to help ensure that files you host are shared only with the staff who should have access to them. 

You should definitely consider a GDPR consultant to advise on this area if you’re processing special category data (see below). 

If you’re operating in an industry that has its own requirements (such as PCI DSS for card data, which is a contractual industry standard rather than legislation), then you have to comply with that and with GDPR. 
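
The sales-versus-finance example above is really two controls working together: the card number is encrypted at rest, and the application decides by role whether a user sees the plaintext or only a masked value. The following is an added example written for this page, not code from its author or any product; the role names, the record layout and the customer data are assumptions for illustration. It uses AES-256-GCM from Go’s standard library and binds the customer name into the ciphertext as associated data, so a ciphertext cannot be quietly moved from one customer’s record to another without decryption failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Role names are assumptions for this example; map them to your own directory groups.
const (
	RoleSales   = "sales"
	RoleFinance = "finance"
)

// CardRecord keeps the card number only as AES-GCM ciphertext plus the last four
// digits in clear, so most staff never need the plaintext at all.
type CardRecord struct {
	Customer  string
	Phone     string // visible to sales
	Last4     string // enough for sales to confirm "the card ending 1111"
	PANCipher []byte // nonce || ciphertext || GCM tag
}

var ErrForbidden = errors.New("role not permitted to view full card number")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN validates and encrypts a card number for storage.
func EncryptPAN(key []byte, customer, phone, pan string) (CardRecord, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 12 || len(digits) > 19 {
		return CardRecord{}, errors.New("card number has implausible length")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	// Associated data ties the ciphertext to this customer's record.
	ct := gcm.Seal(nonce, nonce, []byte(digits), []byte(customer))
	return CardRecord{Customer: customer, Phone: phone, Last4: digits[len(digits)-4:], PANCipher: ct}, nil
}

// ViewPAN enforces least privilege: sales gets a masked number, finance may decrypt,
// any other role is refused.
func ViewPAN(key []byte, role string, r CardRecord) (string, error) {
	switch role {
	case RoleSales:
		return "**** **** **** " + r.Last4, nil
	case RoleFinance:
		gcm, err := newGCM(key)
		if err != nil {
			return "", err
		}
		ns := gcm.NonceSize()
		if len(r.PANCipher) < ns {
			return "", errors.New("ciphertext too short")
		}
		pt, err := gcm.Open(nil, r.PANCipher[:ns], r.PANCipher[ns:], []byte(r.Customer))
		if err != nil {
			return "", fmt.Errorf("decryption failed (wrong key or tampered record): %w", err)
		}
		return string(pt), nil
	default:
		return "", ErrForbidden
	}
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { // in production: load from a secret store, never hard-code
		panic(err)
	}
	// Constructed sample data; 4111 1111 1111 1111 is a well-known test card number.
	rec, err := EncryptPAN(key, "A. Customer", "01234 567890", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	for _, role := range []string{RoleSales, RoleFinance, "marketing"} {
		v, err := ViewPAN(key, role, rec)
		fmt.Printf("%-9s -> %q err=%v\n", role, v, err)
	}
}
```

The key is the thing that actually needs protecting: keep it out of the database that holds the records, so that a dump of the customer table alone does not expose card numbers.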

7) Accountability

You must take responsibility for complying with the GDPR, and for what you do with personal data. 

You should have appropriate records and documentation to demonstrate this compliance. 

Processors and controllers

This section of the GDPR clarifies that as a data controller, you’re still responsible for complying with the legislation, even if you use a number of data processors. 

Data breaches

To err is human, and even the best organisation might have a data breach happen at some time. Regardless of whether you need to formally report this, you need to keep a record of any personal data breaches, no matter how minor. 

You need to report a breach to the ICO if it is likely to result in a “risk to people’s rights and freedoms”. For example, if attackers take your customer database, it could be used to commit identity fraud, and you would need to report this. But if you inadvertently delete an internal list of staff phone numbers that you can restore from backup, this is unlikely to pose any risk to the people concerned, so you probably don’t need to report it – though you must still record it. 

If you do need to report, you must do this within 72 hours of becoming aware of the breach. 

You should seek immediate advice if you suspect you have a reportable data breach. This could indicate a serious security problem for your company and you should engage with a professional GDPR consultant as soon as possible. 

Special Category Data

The GDPR defines special category data as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life;
  • data concerning a person’s sexual orientation.
Source: ICO guidance.

Special category data needs two things: a lawful basis under Article 6 (as for any personal data) and, in addition, one of the following Article 9 conditions. These are the only conditions that permit processing it:

  • (a) Explicit consent
  • (b) Employment, social security and social protection (if authorised by law)
  • (c) Vital interests
  • (d) Not-for-profit bodies
  • (e) Made public by the data subject
  • (f) Legal claims or judicial acts
  • (g) Reasons of substantial public interest (with a basis in law)
  • (h) Health or social care (with a basis in law)
  • (i) Public health (with a basis in law)
  • (j) Archiving, research and statistics (with a basis in law)
Source: GDPR Article 9(2).

Special category data is far more rigorously controlled than any other data. If you are processing this, then you should certainly ask a GDPR consultant to review your privacy policy and reasons. It’s likely that you will have other regulations to follow if this is being collected, and the GDPR will be in addition to these requirements. 

Separate rules apply to data about criminal allegations, convictions, offences or related proceedings. They apply even if you’ve inferred or guessed the information rather than having it explicitly confirmed to you. 

If the processing is likely to result in a high risk to individuals, then you must also carry out a Data Protection Impact Assessment (DPIA) before you start. A GDPR consultant will be able to help you with this, and we strongly advise you to seek assistance if this is the case. 

Data Protection Officer (DPO)

You should consider appointing a Data Protection Officer for your company. Under the GDPR, you must appoint a DPO if:

  • You are a public authority or body (except for courts acting in their judicial capacity);
  • Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

Your DPO can be a member of your staff, or an external GDPR consultant or company. We are happy to be appointed to be your Data Protection Officer if you have identified a need for one. Contact us today to find out about our services.