How Does It Affect Me?
The provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) will apply from 25th May 2018. In this article, we answer a few questions that you may have about the GDPR, and how it may affect you.
What is the GDPR for?
In short, the GDPR is intended to regulate the processing (which includes the use and storage) of personal data. Personal data is information that can directly or indirectly be used to identify a person, such as name, location data and email addresses. The intention is that data will only be processed for necessary or explicitly defined purposes, and that such use will be transparent so as to enable individuals to know how (and why) their data is being used.
How does the GDPR affect me as an individual?
The GDPR is intended to be for the benefit of individuals. In particular, it is designed to prevent you from being spammed by relentless marketing materials which you may have unintentionally (or unknowingly) signed up to receive.
However, the knock-on effect of the GDPR is that you may also stop receiving useful information unless you positively consent to receiving such information. The risk of fines means that companies and businesses are likely to play it safe – if there is no consent, there will be no contact. As such, if you want to keep receiving emails from a particular company or business, it is important to communicate your consent to them in advance of 25th May 2018.
If I consent, will I be able to change my mind?
Yes – the GDPR gives you an explicit right to withdraw your consent if you decide that you no longer want your data to be used.
How do I know what my data is being used for?
The simplest way is to ask the company or business that is using your data. The GDPR gives you a right to be informed about the collection and use of your personal data, and a right to access your data. The latter right is particularly important, as it will enable you to verify whether the company or business is acting lawfully in their use of your data. As long as your request is not manifestly unfounded, excessive or repetitive, then you ought to be able to find out about how your data is being used free of charge.
How could this affect my business?
The GDPR requires you to be very careful about the ways in which you use personal data that you collect. In particular, it is important to determine, prior to using data, whether a person has consented to that use. For example, if a person consents to you using their data whilst you are providing a service for them, they may not be consenting to you sending them promotional material or articles, or possibly even to you communicating with them in the future to touch base.
Where possible, written consent ought to be obtained from people who you wish to communicate with as soon as possible. Consent needs to be a conscious, positive choice, so no pre-ticked tick boxes. Where possible, provisions in your terms and conditions relating to consent should be in clear and plain language, and should be pointed out to the data subject. The individual should also be informed of their right to withdraw consent. For the avoidance of doubt, the individual should also sign a declaration that clearly sets out that they are giving you their consent to process their data.
How do I prepare my business for the GDPR?
Although, by and large, the GDPR is a significant “beefing up” of the current Data Protection Act, it nevertheless has similar aims and principles in mind. If your processes and procedures are compliant with the law as it stands now, then compliance with the GDPR is more likely to be a matter of supplementing and enhancing what you are already doing, rather than a wholesale overhaul. Nevertheless, it is likely that you will need to supplement your existing policies, training and security measures, and review your storage and retention of data (including paper) in order to comply with the GDPR.
When approaching this task, it is worthwhile keeping the following in mind:
1. Do you obtain the consent of your clients to use their personal data? If so, is their consent given positively (opt-in rather than opt-out), knowingly and willingly? For example, are consent clauses in your terms of service written in clear language and set out in your terms in a logical and obvious way?
2. Why do you need the information? Is it worth the risk of non-compliance with the GDPR in using the data for particular purposes? Is it possible to find ways to satisfy that purpose without using personal data? How long will it be necessary to store the personal data, in order to satisfy that purpose?
3. Do the terms of consent draw the parameters sufficiently widely for your purposes? Do they cover marketing emails? Do they enable you to process the personal data after the service has ended? How are you going to deal with existing clients’ data going forward?
10th April 2018
This note comprises the view of the author as at 10th April 2018. This note is not a substitute for legal advice. Information may be incorrect or out of date, and may not constitute a definitive or complete statement of the law or the legal market in any area. This note is not intended to constitute advice in any specific situation. You should take legal advice in specific situations. All implied warranties and conditions are excluded, to the maximum extent permitted by law.