Amongst the plethora of GDPR posts and sales pitches it’s proving really difficult to see the ‘wood for the trees’. When struggling with an issue it’s great to have a trusted advisor, but in the case of GDPR I would like to quote Tim Turner, whose LinkedIn description runs: ‘Data Protection trainer & consultant. Not GDPR certified because nobody is’. I really like this because I think it gives us the true picture: at this stage (i.e. before this has actually become law) no one can claim with any certainty what the implications will be or how this will be enforced.
Hopefully the name says it all: here at Trusted Computing we provide IT services that you can rely on and trust to benefit your business. So, without further ado, we were asked to write a post on GDPR to help ‘debunk’ the subject, and without pretending to be experts, here it is!
We need to be fully compliant by 25th May 2018 – I think it will be acceptable if you can prove you are taking steps to comply, even if the process isn’t complete.
We need consent to process personal data – This is the point on which there has been much debate. The fact is that we need a lawful basis to process personal data, and there are six available lawful bases for processing. No single basis is ‘better’ or more important than the others; which basis is most appropriate will depend on your purpose and your relationship with the individual.
The first of these is consent, in which case we need to record how clear consent was given and for what specific purpose, and whether the consent applies to contact by email, phone or text. We also need to bear in mind that this consent can be withdrawn at any time.
The second basis is when the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Thirdly, legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests, the fourth basis, sounds as if we could apply it in most cases; surely any sales person believes their products are vital to the prospect’s interests! However, this actually refers to processing that is necessary to protect someone’s life.
The fifth, public task, applies when the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Finally, legitimate interests, where the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
What is actually meant by ‘personal data’? It may be assumed that personal data only refers to truly personal details such as ethnicity, religion or personal telephone numbers, but in truth it has a much wider scope. Any data which can be used to identify an individual is included; for example, an email address for a specific person at a company would constitute personal data, while a generic sales or info@ email address would not.
I would also question whether the term data breach is generally understood. Anyone whose bank details are compromised would agree that such an occurrence would be included, but again I believe the scope is much wider. Recently I received an email purporting to be from a known contact at a company I have had dealings with, and while scam emails are very common, in this instance it was clear that the personal contacts had been harvested by a malicious third party. This company is now claiming to have reached full GDPR compliance!
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
This means that a breach is about more than just losing personal data.
The two key points here I would like to emphasise are:
Firstly, a data breach is a larger threat than the likelihood of fines for non-compliance with GDPR, because of the huge reputational damage and the fact that each individual whose data has been compromised is entitled to compensation.
Secondly, I would strongly advise any company to ensure they have a reliable back-up strategy in place, as unlawful destruction of data would have devastating effects.
Much of this appears to relate to IT; however, it is worth remembering that GDPR covers any records, however they are stored. For illustration purposes, if a sales rep left their Filofax on the train, would you know what information was lost?
In essence, GDPR means we need to know what information we store, where we store it and why we store it.
Please note that we aren’t legal experts; this is just how we understand GDPR, and we would welcome comments and corrections.