The data protection team at Crowe Horwath has completed a number of GDPR assignments over the last number of months. Here are some of the most frequently asked questions with some practical answers.
Q1. We have collected personal data on our marketing databases over a number of years. Is this now redundant under GDPR?
One of the biggest issues arising with the introduction of GDPR is the area of consent, and, in particular, consent for marketing. Consent under GDPR must be freely given and unambiguous.
The current legislation allows for consent via an ‘opt-out’ tick box. However, the new regulation requires consent through an ‘opt-in’ whereby the data subject ticks a box to agree to receive marketing materials. So organisations should review their databases for proper consent.
One issue obtaining re-consent is the response rate to such requests, which may be historically low. Any non-response to such requests means assumed non-consent and you cannot contact these individuals again.
In practice, many organisations are looking at the new regulation as an opportunity to ‘clean’ marketing databases and to ensure that the databases are more targeted at those who are really interested in receiving your marketing information.
Q2. I attended a networking event and received a number of business cards. Is it ok to use this data to contact the data subject under GDPR?
There is no doubt that the new regulation will change the way business networking works. Consent by a person is outlined as needing to be “specific and unambiguous”, so is receiving a person’s business card considered consent to contact them with relevant information and / or to add them to a marketing database?
The Information Commissioner’s Office in the UK gives an example whereby a data subject puts their business card into a box to be entered into a free draw. In this case the data subject use of data is only for the purposes of entering the draw and nothing else.
The regulation does not provide clear guidance on this matter. If you receive a person’s business card it is unlikely they would expect to be put on a marketing database to receive ongoing marketing material. However, if you receive a business card and ask that person if they can they be added to your marketing database, this would likely suffice as clear and specific consent.
Q3. What effect will Brexit have on GDPR?
Brexit does not mean that UK organisations will be exempt from the basic principles of data protection, which are enshrined into current UK legislation. These are the principles underpinned by GDPR. On 25 May 2018 the UK will be part of EU and thus the GDPR regulation will apply. The UK government are currently working on data protection legislation with the expectation of the exit from the EU. This legislation is likely to reflect the GDPR requirements and may even exceed these requirements.
Q4. We are a small organisation not processing a large volume of data – do I need to appoint a Data Protection Officer?
Not necessarily. Under GDPR, you must appoint a Data Protection Officer (DPO) if you:
- Are a public authority (except for courts acting in their judicial capacity)
- Undertake large scale systematic monitoring of individuals
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences
Even where the GDPR does not require the mandatory appointment of a DPO, the Article 29 Working Party (WP29 – a group consisting of data protection regulators from all EU Member States, who issue influential guidance and opinions) has noted that organisations may sometimes find it useful to designate a DPO on a voluntary basis.
For organisations that decide they do not require a DPO, WP29 recommends an internal analysis of this decision is carried out and documented to demonstrate all the relevant factors have been properly taken into account.
Q5. I use a third party personal data processors. Does that mean they are fully responsible for data?
No, unlike the current legislation (where only data controllers had direct compliance obligations), GDPR will impose both direct compliance obligations on data processors as well as the data controller.
Under the new regulation it is the responsibility of the data controller to include certain terms in its data processing agreement with the data processor. The following is a list of some issues to consider when reviewing your third party vendor agreements for compliance with the GDPR:
- Overall compliance / readiness with GDPR
- Data breaches – obligation on the processor to inform the data controller of any data breaches
- Data security – what specific security measures has the data processors in place
- Co-operation – in the case where a subject access request is received will the data processor co-operate with finding data within the allocated deadline
- Data Protection Officer – consideration whether the processor requires a DPO
Q6. What should I be doing now to prepare for compliance with the new Regulation?
The following are the six key stages in ensuring readiness for compliance with the new Regulation.
Stage 1: Identifying a person in your organisation who will be responsible for coordinating the project, including meeting deadlines on reporting.
Stage 2: Identifying where your data is, through a data mapping review would typically include core function areas across the entire business.
Stage 3: Complete a self-assessment questionnaire to identify ‘gaps’ in current processes vs GDPR requirements.
Stage 4: Compile an action list to address the gaps and assign responsibility for completion of actions identified.
Stage 5: Ensure those responsible for obtaining, processing and securing personal data are aware of their responsibilities under GDPR by providing training.
Stage 6: Ensure continuous monitoring of the implementation of policies and procedures and ensure data protection is kept senior management’s agendas.
Q7. I have received a Subject Access Request and have written to the requestor for confirmation of their identification. When does the one-month limit to provide personal data to a Subject Access Request commence?
The one-month timeline to provide information to a Subject Access Request commences once you have received confirmation of the identity of the requestor.
Q8. We have a number of CCTV cameras in operation – are these images considered personal data and do I need to give a copy of the image on a request from a data subject?
Yes, CCTV images of data subjects are personal data under the current and new regulation.
If a request for data is received and your organisation still holds the images of the data subject, you are required to provide them. Any images of other people in the CCTV images of the data subject must be redacted.
In practice, CCTV recordings are held for a short period, normally 30 days, so if the request is made after this period there is no obligation on you to provide.
Q9. How do you ‘delete’ data?
You may think when you press delete on your computer data is deleted – it probably isn’t! Deleting digital data is not straight-forward.
However, by creating a policy relating to deletion in conjunction with the IT department or your outsourced IT service provider, you can put data which is not necessary for retention into an archive that has strict access restrictions so the data archived is considered ‘dead-data’ that cannot be accessed.
Q10. Do I need to update my policies and procedures and, if so, what data protection policies and procedures are required under GDPR and where can I get templates?
The key data protection policies and procedures under GDPR include:
- Data Protection Policy
- Subject Access Request Policy
- Breach Management Policy
- Data Retention Policies
- IT Policy (usage of IT equipment)
A key principle under the new regulation is that all policies and procedures must be customised specifically to your organisation. So adopting standard templates is not in line with the concept of the new regulation.
Many organisations may download standard templates but these should not be used as a default. Templates can be purchased from reputable GDPR/data protection service providers who would customise each policy to suit your organisation’s operations.
- 10 Practical steps to get compliant with GDPR
- The impact of GDPR on the hotel sector
- Implications for marketing of GDPR
To find out how we can help you with your data protection requirements contact a member of our Data Protection team.