An article giving you insight into GDPR and how Dezrez is working hard to help you comply with the new regulations.
As you know, the General Data Protection Regulation (‘GDPR’) – the replacement for the Data Protection Act (‘DPA’) – comes into force on 25 May 2018.
We wanted to take this opportunity to let you know what we are doing ahead of the deadline to help to ensure that you can remain compliant ahead of the new regulations coming into force.
While plenty has been made of the new fines regime (€20 million or 4% of annual global turnover – whichever is higher), less has been said about the practicalities of GDPR. This is the first in a series of articles where we will explain the key concepts around GDPR, how they apply to you and how our systems will help you towards compliance.
Disclaimer: As always, with something this complex, we can’t cover all bases and it’s important that you take appropriate advice as everybody’s circumstances are different. We’ve included some links to resources at the end of this article which may help.
GDPR vs DPA
Both pieces of legislation are concerned with the protection of personal data. So, a lot of what is contained within the GDPR already existed under the DPA. A few key differences are around:
- Fines – fines under GDPR are much larger than under DPA
- Breaches – reporting of data breaches is now mandatory
- Consent – consent must be provided and there must be clear privacy notices around how data will be used
- Right of erasure – data must be deleted if requested
What is personal data?
Personal data is simply “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
As you can see that is a vast definition.
Most important is understanding what data you currently collect and how it is used. Take time to audit what you hold on paper, and in software. We see different companies recording data in different ways, for example…
Your key responsibilities under GDPR
There are a few key things (this isn’t an exhaustive list) you need to ensure you have in place under GDPR:
- A process for dealing with data breaches (they need to be notified within 72 hours of discovery)
- Ensuring that your staff are fully aware of their responsibilities regarding personal data
Software is a tool to aid compliance, and not the whole answer
As we mentioned earlier, key to your compliance is understanding what data you hold, how you hold it and ensuring you portray this accurately in your privacy notices. As we release further guidance
Remember GDPR is about all the personal data you hold, regardless of format. You are likely to be holding data in multiple formats (think paper agreements) and your approach to complying with GDPR needs to ensure that all of these things are considered.
- What data you collect
- Why it is collected
- How it is used
- How long it is kept for
- The individual’s rights under the GDPR
Lawful bases for processing personal data
There are six lawful bases for processing personal data. Four you are likely to encounter:
- Contractual – where it’s necessary for the performance of a contract
- Legitimate interests – where the data controller has a legitimate interest (see below)
- Consent – an individual has given you clear consent for processing their data
- Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations)
And two you’re less likely to encounter:
- Vital interests – the processing is necessary to protect someone’s life.
- Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
No one lawful basis is better than another – you must choose the most appropriate basis for processing data.
We’re going to look at two of the key bases for processing data in this article.
The concept of legitimate interest is an important one. It is one of the most flexible lawful bases for processing data. It can cover:
- Scenarios for marketing in instances where consent has not been obtained
- Reasons for not deleting data when requested
The ICO defines a three-part test for using the legitimate interests basis:
- you need to identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
You need to satisfy all three points before using the legitimate interests basis for processing data. It works two ways – it covers the interests of the data subject and of the data controller.
How this will work in practice is still a little unclear. The ICO have yet to publish their guidance on use of legitimate interests for direct marketing – this has been delayed until early 2018 and we will update you as soon as this has been released.
If you are relying on legitimate interests – you must include it in your privacy notices. You must also keep details of your assessment of the three-part test to demonstrate compliance if required.
Consent: Transactional vs marketing
A lot of confusion arises around what constitutes processing of data for marketing purposes, and therefore requires consent. Communications which are transactional in nature do not. Examples of transactional communications include:
- Sending a registered applicant some details of suitable properties
- Sending documents from the system (e.g. sales memorandum)
Right of Erasure and Legitimate Interests
What would you do if an applicant asked you to delete their data two weeks after viewing a property?
You have a legitimate interest in ensuring that the applicant does not arrange a sale directly with the vendor, therefore you would have the right not to comply with this request.
Likewise, records of a property you have sold would need to be retained for HMRC purposes, therefore you could not fully comply with that request.
It’s important that you have a process for dealing with such requests so that they are recorded, reviewed and responded to by an appropriate person. Remember the GDPR is about protecting your interests too!
What Dezrez are doing to help your compliance
Here’s what we’re doing at the moment in readiness for GDPR:

| Area | What we’re doing |
|---|---|
| Consent | Transactional emails do not require consent – we’re looking at how consent is captured in our systems and will provide detailed guidance on this in early 2018. We’ll also be explaining what you need to do regarding existing data you hold. |
| Right of erasure | You’ll be able to erase data from the software if requested when GDPR comes into force. |
| Contracts | As a data processor, our contracts with you, the data controller, need to contain some key information regarding our respective rights, obligations and responsibilities. We’re in the process of updating our terms and conditions and will provide these well ahead of the deadline. |
We wanted this guide to be brief, understandable and easily digestible. If you want to read more on the GDPR, here are some useful links:
- 12 Steps to Take Now (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf)
- Example Privacy Policies (https://www.econsultancy.com/blog/69256-gdpr-how-to-create-best-practice-privacy-notices-with-examples)
- ICO guidance on what needs to be provided in a privacy notice (https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/)