GDPR applies to any processing that you perform on the personal data of living individuals in the EU.
So, if your business or your clients are in the EU, you will need to do something to comply with GDPR.
This is true even if your clients are businesses rather than individuals.
“I don’t have any personal data about people. I just have their work contact information.”
Personal data is defined in very broad terms in GDPR.
In layman’s terms, personal data is any data that relates to a living individual who you can or could identify or individualise (i.e. target).
This includes employment-related information, like a work email address or work phone number.
“I don’t process any of the personal data – I just store it.”
‘Processing’ means doing anything with data, including storing it. If you ‘process’ personal data, GDPR applies.
GDPR applies to the personal data of living individuals
GDPR applies to the personal data that you process about current and former employees. It also applies to any data you have about failed job candidates or current applicants.
If your business provides good or services to individuals, GDPR applies to the personal data that you process about them.
Your clients’ employees
If your business sells to other businesses, you will communicate with the employees of those businesses. GDPR applies to any personal data that you process about them.
Your clients’ customers
If your clients are businesses rather than individuals, your clients may share personal data about their customers with you. GDPR also applies to this personal data.
For example, let’s say you run a delivery company. You deliver parcels on behalf of various retailers.
Your delivery company’s clients are businesses (retailers).
Each of your clients (each retailer) will share the contact information of its customers with you, so you can deliver the parcels.
This contact information is the personal data of the retailer’s customers.
Both the retailer and you need to comply with GDPR while processing this personal data.
Who is in control? Who is the data controller?
Your GDPR obligations are different depending on whether your business is deciding why something is being done to data or if you are just following the instructions of another organisation.
You are likely to be a “data processor” if you are only processing personal data under instruction from another organisation.
You are likely to be a “data controller” if you are deciding what will be done with personal data.
Staying with our delivery company example:
You are a data controller for the processing that you perform on the personal data of your own employees.
It is also likely that you are a data controller for the processing that you perform on the personal data of each retailer’s employees.
It is likely that you are a data processor for the processing that you perform on the personal data of each retailer’s customers, assuming the processing relates to delivery of parcels to the retailer’s customers or some other activity that the retailer has instructed you to peform.
What do I need to do to comply with GDPR when I am a data controller?
The following is from one of my training packs. It lists in plain English many (but not all) of the obligations of GDPR for data controllers.
If you can confidently demonstrate that you process personal data in line with the principles above, you are on the right track.
In layman’s terms, it’s useful to look at it this way:
So, where do I start?
The following is a summary of the step-by-step approach that I recommend. I will dig into the detail behind each of these later in this article.
OK, now let’s dig into the detail of each step.
1. Compile a list of the ’things’ that you do with an individual’s personal data.
- What is the high-level activity?
- Using what types of data?
- About what types of individuals?
- How is it gathered / collected?
- Where is it stored?
- How is it used?
- Who has access to it?
- Who is it shared with?
- How long is it retained?
If you’re not sure how to do this, take a look at my article that describes this in more detail.
2. For each activity, identify your lawful basis.
GDPR prohibits you from processing personal data unless you have a lawful basis for processing it.
Assuming your business is in the private sector, you are probably limited to one or more of the following four lawful bases:
The individual has given consent.
It is necessary for the performance of a contract between you and the individual.
It is necessary to comply with a legal obligation.
It is in your legitimate interest to do it.
What does each lawful basis mean?
This is not a deep-dive into each legal basis but the following should be enough to get you moving.
a) The individual has given consent
You may process an individual’s personal data if they give you their consent.
You can’t rely on consent as your lawful basis if, for example:
You have not told them in plain English what you are going to do with their data.
They have not really freely given you their consent.
They could suffer detrimental impact if they don’t give their consent.
You won’t allow them to withdraw their consent at any time or it is more difficult to withdraw their consent than it was to give it.
You don’t retain evidence of their consent, including details of what they were told when they gave this consent.
b) It is necessary for the performance of a contract between you and the individual
You may process an individual’s personal data if this processing is necessary for the performance of a contract between you and the individual.
Two key points to remember when relying on this legal basis:
The processing must be absolutely necessary for the performance of the contract.
The contract must be between you and the individual directly.
c) It is necessary for compliance with a legal obligation
You may process an individual’s personal data if this processing is necessary to ensure you comply with a legal obligation
Key points to remember when relying on this legal basis include:
The processing must be absolutely necessary for the legal obligation.
You need to be clear about the legal obligation – In other words, you should know the specific piece of legislation.
For example, when you are paying an employee in Ireland, you are legally obliged to deduct income tax from their salary and pay this to the Revenue Commissioners.
To do this, you need an individual’s PPS number (i.e. an Irish tax reference number).
This processing activity is lawful under GDPR because of this Irish legal obligation.
d) It is in your legitimate interest
You may be able to justify a certain processing activity on the basis that it is in your legitimate interest to perform the activity.
However, before you rush into using this as your lawful basis for all sorts of activities, you need to prove:
Your legitimate interest is not overridden by the individual’s broader interests, rights and freedoms. In layman’s terms, what you are doing must be reasonable and unsurprising, and could not cause a reasonable person to be concerned or annoyed.
Be clear about what what your legitimate interest is and confirm it is legal.
Confirm that the processing you will perform is necessary to achieve this interest.
Balance your interests with those of the individuals.
For example, legitimate interest may be your lawful basis for using CCTV for the sole purpose of protecting your physical premises.
3. For each activity, confirm you are in compliance with the principles.
Now that you have identified the lawful bases for your processing activities, you need to evaluate your activities against the principles of data protection.
Fair, necessary and proportionate
Your processing should be necessary and proportionate to the lawful activity you are undertaking.
Your processing should involve the minimum amount of data, for the minimum amount of time, accessible to the minimum number of people
You should ensure the individual knows what you will do. Most businesses achieve this by providing a privacy notice online, by email and/or by post.
You must take appropriate steps to keep the data up-to-date and accurate.
The personal data should be kept secure – This involves techical and organisational controls. Your staff are the most likely source of a breach – You need to ensure they have been trained so they know what they can do and can’t do.
A couple of real-world examples may be useful at this point to show how you could consider and apply these principles.
Example 1: Using CCTV to monitor your employees
A business may be tempted to CCTV to monitor employee performance.
CCTV can capture images of individuals. These images are the individuals’ personal data. Therefore, this use of CCTV is subject to data protection regulations.
This use of CCTV will not comply with a number of the principles of data protection. For example:
Necessary: If your objective is to monitor employee performance, is use of CCTV absolutely necessary for the achievement of this objective? Is there a less-intrusive way to achieve the objective? For example, getting a manager to do the job they are being paid to do?
Proportionate: If you are concerned about the performance of a few employees, is it proportionate to record the activities of every employee for every minute of the working day?
Transparent: Are employees aware of your use of CCTV for this purpose?
Example 2: Retention of CV’s & interview notes of failed job applicants
When a business is looking to recruit a new employee, it is likely to receive CV’s and job applications from a large number of people. In the course of the interview process, there will also be interview notes recorded about each interviewee.
CV’s, interview notes etc contain personal data and are therefore subject to data protection regulations.
When the business fills the vacancy, the question of retention then arises. How long should the CV’s and inteview notes be retained?
Most businesses don’t think about this. Interview notes may be destroyed immediately (or simply misplaced). Alternatively, CV’s may sit in the email accounts of employees who were involved in the recruitment process for a long period of time.
Let’s consider some of the principles of data protection:
Minimum (time) vs Fairness: When thinking about the length of time you can retain the data, how long is ‘minimum’? From a data protection perspective, as soon as the vacancy is filled, you don’t need the information about failed candidates. However, from a fairness perspective, it is appropriate to retain the data for a short period of time in case a failed candidate claims that they were discriminated against? You need to identify a fair balance and document why you chose this period.
Minimum (access): Accessible to the minimum number of people: Are these documents stored in a restricted area so only those who need access at this point in time can see them? What about copies of CV’s in employees’ email accounts?
Accurate: Kept up-to-date: Let’s imagine a failed candidate has given you consent to retain their CV in case another role opens up in the near future. Their CV will naturally go out of date as they gain more experience elsewhere. How will you ensure the data is kept up to date?
4. Be ready to facilitate the rights of individuals
OK, at this point, you’re in good shape:
1. You have identified your processing activities
2. You have confirmed your lawful basis for each activity
3. You have ensured your activities are complying with the principles of data protection
When you are a data controller, the next step is to be ready for individuals exercising one of their data protection rights.
You must be ready to respond (usually within 1 month) if an individual wishes to exercise one of their data protection rights. These rights include:
Right to be informed
I’ve mentioned transparency a few times. An individual has the right to be told in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”, what data you have about them and what you are doing with it.
Right of access
An individual has the right to a copy of any personal data you have about them. After all, it is their data.
Right to rectify
If you have personal data about an individual that is inaccurate or incomplete, the individual has the right to tell you to rectify the data.
Right of erasure
In specific circumstances, the individual has the right to force you to delete their personal data. For example:
– You only have the data because they gave you consent, they have now withdrawn their consent, and you have no other lawful basis to retain the data.
– You are processing it on the basis of legitimate interest but the individual’s interests, rights or freedoms override your interest.
Right to restrict
In specific circumstances, the individual has the right to restrict what you do with their data. For example:
– They believe the data is inaccurate and you are verifying the accuracy
– They claim your legitimate interest is overridden by their interests, rights or freedoms, and you are verifying this claim
– You have no lawful basis for the processing but the individual does not want you to erase the data
Right of data portability
For data you are processing by “automated means” on the basis of consent or contract, the individual has the right to receive a copy of this data in what is described as “a structured, commonly used and machine-readable format”, or to request this data to be transmitted to another data controller.
Right to object
The individual has the right to object to processing that you claim is lawful on the basis of legitimate interest. While you investigate their objection, you must stop processing the data.
Right to be notified
An individual has a right to be notified by you if their data has been breached (e.g. disclosed to an unauthorised 3rd party) and this could present a high risk to them. This feeds into a broader requirement around data breaches, which I will discuss in a later article.
Once again, a couple of real-world examples may be useful at this point to show you how these rights may apply.
Example 1: Right to erasure and contract
While in a contractual dispute with a disgruntled individual, they may claim that they have a right to erasure (a ‘right to be forgotten’) .
This is particularly common when you are asking them to pay for a product or service that you provided.
This right to erasure does not apply where the lawful basis for your processing is a contract between you and the individual. Someone can’t escape paying an outstanding fee by exercising this data protection right!
Similarly, it does not apply if you are legally obliged to process the data.
As I mentioned earlier, data protection rights are seldom absolute and they do not exist to stop you doing a reasonable thing.
Example 2: Right of access & CCTV
CCTV footage of an individual is their personal data. They have a right to a copy of the data. However, it is excessive for them to ask for ‘all footage of me’. They are likely to need to specify dates and times when they were in the area of the CCTV cameras so you can find the footage.
When providing the footage (or any personal data) to the individual, you need to respect the data protection rights of any other individual contained in the footage / data. In the example of CCTV, you need to take steps to hide the identities of all other individuals captured in the footage.
If you keep a lot of personal data about individuals, the right of access is a real pain in the ass. It’s another way that GDPR encourages you to delete data when you no longer need it.
Example 3: Right of access to employee data
The data you have about your employees is their personal data. This includes data ‘about’ them – For example, it may include remarks written in emails by their manager or other superiors.
If an individual submits an access request, it is too late to delete this type of data. You will probably need to disclose it, even it is embarrassing or defamatory.
Example 4: Direct marketing
One of the few absolute rights is the right not to be subject to direct marketing.
I have discussed the complexities of direct marketing in Ireland previously but it’s worth noting that if someone notifies you that they don’t want to receive your direct marketing, you must be ready to facilitate this request.
5. Confirm your 3rd parties can comply
OK, we’re almost at the top of the mountain now:
1. You have identified your processing activities
2. You have confirmed your lawful basis for each activity
3. You have ensured your activities are complying with the principles of data protection
4. You are ready to facilitate a data subject’s rights
I have not covered all of your obligations under GDPR but if you have nailed all of the above, you are doing well.
Now you need to worry about the 3rd parties that help you with your processing activities.
Examples of data processors
Most businesses use 3rd parties to perform certain tasks on their behalf. For example:
– You may use a 3rd party to run your employee payroll each month
– You may use an external IT managed service provider to run your IT systems.
As a controller, GDPR requires that you “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures’ to comply with GDPR.
Examples of how you prove sufficient guarantees:
6. Don’t just comply. Prove you comply.
OK, a this point, you have done the ‘real’ world.
However, knowing that you are compliant is not enough.
GDPR requires you to prove your compliance. It’s all about accountability.
What does proving compliance look like?
I describe it as things you will have and things you will do.
Things you will have
When you comply with GDPR, you are likely to have a number of things that prove it. For example:
A privacy notice / privacy statement on your website to tell individuals what you will do with their data.
A privacy notice / statement accessible to your employees to tell them what you do with their data.
Retention Policy & Schedule
A retention policy & schedule will set out how long you will retain specific types of data and how the data will be deleted when its retention period has passed.
IT Security Policy / Procedures
IT security policy & procedures set out how you ensure data is accessible to the minimum number of people, how data is secured, etc.
You should also have clear & proven steps documented to help you recover from incidents such as system failure or data loss – Commonly referred to as an ‘Incident Response Plan’ or a ‘Business Continuity Plan’.
Subject Rights Procedures & Log
You will have a document that sets out how you will facilitate an individual when they seek to exercise a data protection right. A log will record each subject request and how you responded to it.
Data Breach Procedure & Log
You will have a documented procedure that details how you will handle a personal data breach. A log will be used to record all breaches and how you handled them.
Things you will do
Staff are your weakest link. You will need to train them so they are clear on their data protection obligations and the impact on you and them if they get it wrong.
Training should be performed on a regular basis using material and approaches tailored to their roles – e.g. different training for people working in HR vs warehouse operatives.
Data Protection Impact Assessments
You will consider the data protection implications of any processing you are performing, or plan to undertake in the future.
If the processing could present a high risk to individuals, you will perform a formal Data Protection Impact Assessment (DPIA). This is a topic for a future article.
Privacy by Design / by Default
You will think about data protection from the start, not as an afterthought.
I will discuss this in a later article.
You have reached your destination
OK, maybe not all of it.
It’s impossible to write a single article that captures all of the in’s and out’s of GDPR.
However, I hope it has helped you get your head around some of the key requirements of GDPR.
I also hope it has given you a sane & logical framework that you can use to get moving.
How do I make progress from here?
I know it can seem like there’s a huge amount involved in complying with GDPR.
It can feel like a mountain of work, with a list of to-do’s that never stops growing.
I think there are two ways you can deal with it:
Get someone else to do it
If you don’t have the time or the interest to do it yourself and if you have the money, you could outsource this so someone else can take the lead and do most of this for you.
Do it yourself
GDPR is not rocket science.
If you want to really nail this, or if you don’t have the budget to outsource this, it’s possible to do this yourself.
With the right approach and support, you can do it.