Frequently asked questions on GDPR
How will GDPR change the way my business manages personal data?
GDPR places greater obligations on all data controllers and data processors. You may need to appoint a Data Protection Officer (“DPO”) who will be responsible for ensuring that the business collects and secures personal data appropriately. All businesses must adopt a risk-based approach to data protection and are encouraged to implement protective measures that correspond to the level of risk. Data controllers must take appropriate measures to be transparent and to provide accessible information to individuals about their personal data, including how it will be used, how long it will be retained and what rights they have in respect of that data. This information can be provided by way of a privacy notice. GDPR says that the information you provide to people must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Do I need to report a data breach and if so, what data breaches do I need to report and what are the consequences for failing to report?
GDPR will introduce a duty on all organisations to report certain types of data breaches to the relevant supervisory authority or to the individuals affected.
You will have to notify the Information Commissioner’s Office of any breach which is likely to result in a risk to the rights and freedoms of individuals as soon as possible and (where possible) within 72 hours of the organisation becoming aware of the breach. If you fail to notify a breach when required to do so, this can result in a significant fine of up to €10m or 2% of your global turnover. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those individuals directly. Because the test is “high risk”, the threshold for notifying individuals is higher than the threshold for notifying the relevant supervisory authority.
What is the big change in consent under GDPR?
Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. The individual has to positively affirm consent by a clear action; it is no longer acceptable for businesses to infer or assume consent from silence, pre-ticked boxes or inactivity. You will need to provide simple ways for individuals to withdraw consent. If consent is relied on, then an audit trail is needed showing who consented, how and when they consented, and what the scope of their consent was.
Can we carry on using the existing Data Protection Act (“DPA”) rules on consent?
You are not required to automatically change all existing DPA consents in preparation for the GDPR. But it is important to check your processes and records in detail to be sure existing consents meet the new GDPR standard. If they don’t, then you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing, or stop the processing.
Is consent the only way to process data?
No. Consent is one lawful basis, but it is not always the easiest or most appropriate one.
What are the alternative ways to process data (other than by consent)?
You can process personal data without consent if the processing is necessary for one of the following:
- performing (or taking steps to enter into) a contract with the individual;
- compliance with a legal obligation;
- protecting the vital interests of the data subject or another individual;
- the performance of a task carried out in the public interest; or
- a legitimate interest of the controller or a third party that is not overridden by the data subject’s own interests.
I am a private-sector organisation and I am buying data. What are the consent implications?
If you find it difficult to meet the standard for consent, then you may need to consider the alternative ways to process data, for example, using personal data on the basis of a ‘legitimate interest’. This recognises that you may have a good reason to process someone’s personal data without their consent, but you must ensure that there is no unwarranted impact on them, and that you are still fair, transparent and accountable in the way you process the data.
What are the penalties for getting it wrong?
Not only do you erode trust and damage your reputation, but you will also be left open to substantial fines under GDPR. For less serious infringements the fine is up to €10m or 2% of group worldwide turnover (whichever is greater). Fines for the most serious infringements are up to €20m or 4% of your worldwide turnover (whichever is greater).