I run a business: What has GDPR got to do with me?

GDPR applies to any processing that you perform on the personal data of living individuals in the EU.

So, if your business or your clients are in the EU, you will need to do something to comply with GDPR.

This is true even if your clients are businesses rather than individuals.

“I don’t have any personal data about people. I just have their work contact information.”

Personal data is defined in very broad terms in GDPR.

In layman’s terms, personal data is any data that relates to a living individual who you can or could identify or individualise (i.e. target).

This includes employment-related information, like a work email address or work phone number.

“I don’t process any of the personal data – I just store it.”

‘Processing’ means doing anything with data, including storing it. If you ‘process’ personal data, GDPR applies.

Don’t lose your sanity trying to find ways to avoid GDPR. Assume you are in scope and see how you can comply.

Take a look at my suggestions here and see you get on. It may not be as painful as you think.

GDPR applies to the personal data of living individuals

This includes:

Your employees

GDPR applies to the personal data that you process about current and former employees. It also applies to any data you have about failed job candidates or current applicants.
Your customers

If your business provides good or services to individuals, GDPR applies to the personal data that you process about them.
Your clients’ employees

If your business sells to other businesses, you will communicate with the employees of those businesses. GDPR applies to any personal data that you process about them.
Your clients’ customers

If your clients are businesses rather than individuals, your clients may share personal data about their customers with you. GDPR also applies to this personal data.

For example, let’s say you run a delivery company. You deliver parcels on behalf of various retailers.

Your delivery company’s clients are businesses (retailers).

Each of your clients (each retailer) will share the contact information of its customers with you, so you can deliver the parcels.

This contact information is the personal data of the retailer’s customers.

Both the retailer and you need to comply with GDPR while processing this personal data.

Who is in control? Who is the data controller?

Your GDPR obligations are different depending on whether your business is deciding why something is being done to data or if you are just following the instructions of another organisation.

You are likely to be a “data processor” if you are only processing personal data under instruction from another organisation.

You are likely to be a “data controller” if you are deciding what will be done with personal data.

It is important to be clear about whether you are a ‘data controller’ or ‘data processor’ for each activity that you perform on personal data.

Staying with our delivery company example:

You are a data controller for the processing that you perform on the personal data of your own employees.

It is also likely that you are a data controller for the processing that you perform on the personal data of each retailer’s employees.

It is likely that you are a data processor for the processing that you perform on the personal data of each retailer’s customers, assuming the processing relates to delivery of parcels to the retailer’s customers or some other activity that the retailer has instructed you to peform.

Data Controller Focus

My focus for the remainder of this article is on your obligations as a data controller.

I will write an article that discuss the obligations of data processors soon. In the meantime, if you have a specific question about processor obligations, just ask.

What do I need to do to comply with GDPR when I am a data controller?

The following is from one of my training packs. It lists in plain English many (but not all) of the obligations of GDPR for data controllers.

If you can confidently demonstrate that you process personal data in line with the principles above, you are on the right track.

In layman’s terms, it’s useful to look at it this way:

If you are doing something that would be surprising or concerning to a reasonable person:

You probably need to change what you are doing.

So, where do I start?

The following is a summary of the step-by-step approach that I recommend. I will dig into the detail behind each of these later in this article.

1. List the types of processing activities that you perform on personal data.

You can’t comply if you don’t know what you do. To maintain your sanity later, you’re better off getting an initial list together as soon as you can. But remember: GDPR only applies to personal data. You only need to identify activities that involve personal data.
2. For each activity, identify your lawful basis.

You can’t process personal data unless you have a lawful basis – e.g. consent; contract; legal obligation; legitimate interest.
3. Confirm you can comply with the principles of data protection

For example, is your processing activity transparent, necessary, proportionate, fair, minimal and secure?
4. Confirm you can facilitate the rights of individuals

For example, can you respond within 1 month to an access request, erasure request, or objection?
5. Confirm your data processors can also comply

If you have outsourced some steps in your activities, you are still responsible for protecting the data.
6. Prove all of the above

GDPR does not just require you to comply. It requires you to be accountable – i.e. to prove your compliance.

Guilty until proven innocent!

OK, now let’s dig into the detail of each step.

1. Compile a list of the ’things’ that you do with an individual’s personal data.

For example:

What is the high-level activity?
Using what types of data?
About what types of individuals?
How is it gathered / collected?
Where is it stored?
How is it used?
Who has access to it?
Who is it shared with?
How long is it retained?

If you’re not sure how to do this, take a look at my article that describes this in more detail.

2. For each activity, identify your lawful basis.

GDPR prohibits you from processing personal data unless you have a lawful basis for processing it.

Assuming your business is in the private sector, you are probably limited to one or more of the following four lawful bases:

Consent

The individual has given consent.

Contract

It is necessary for the performance of a contract between you and the individual.

Legal Obligation

It is necessary to comply with a legal obligation.

Legitimate interest

It is in your legitimate interest to do it.

SPECIAL CATEGORIES OF DATA & DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES

Within personal data, GDPR has the concept of special categories of personal data (e.g. data about someone’s health, sexual orientation, political opinions, religious or philosophical beliefs etc.) and data about criminal convictions & offences.

It is important to note that the lawful bases that I am discussing here are not all available for these types of personal data. I have not delved into this here: My focus is on personal data that is not regarded as special category or criminal.

What does each lawful basis mean?

This is not a deep-dive into each legal basis but the following should be enough to get you moving.

a) The individual has given consent

You may process an individual’s personal data if they give you their consent.

You can’t rely on consent as your lawful basis if, for example:

You have not told them in plain English what you are going to do with their data.
They have not really freely given you their consent.
They could suffer detrimental impact if they don’t give their consent.
You won’t allow them to withdraw their consent at any time or it is more difficult to withdraw their consent than it was to give it.
You don’t retain evidence of their consent, including details of what they were told when they gave this consent.

Consent is a difficult lawful basis to rely on.

For example, when there is an imbalance of power, it is impossible to say consent was freely given. This is why an employer can seldom rely on consent of an employee as their lawful basis. The employee can always claim later that they felt compelled to give their consent because they feared repercussions of they didn’t give it.

b) It is necessary for the performance of a contract between you and the individual

You may process an individual’s personal data if this processing is necessary for the performance of a contract between you and the individual.

Two key points to remember when relying on this legal basis:

The processing must be absolutely necessary for the performance of the contract.
The contract must be between you and the individual directly.

Contract is not always a valid lawful basis.

For example:

You may believe that using photos of your employees in your brochures and social media is lawful because it forms part of their employment contract. However, this processing is not necessary for performance of an employment contract.

You may believe contract is a lawful basis to allow you process the personal data of your clients’ employees. However, the contract is not between you and the employees (it is between you and their employer). Therefore, this lawful basis does not apply to this processing.

In both scenarios, legitimate interest may be a more appropriate lawful basis.

c) It is necessary for compliance with a legal obligation

You may process an individual’s personal data if this processing is necessary to ensure you comply with a legal obligation

Key points to remember when relying on this legal basis include:

The processing must be absolutely necessary for the legal obligation.
You need to be clear about the legal obligation – In other words, you should know the specific piece of legislation.

For example, when you are paying an employee in Ireland, you are legally obliged to deduct income tax from their salary and pay this to the Revenue Commissioners.

To do this, you need an individual’s PPS number (i.e. an Irish tax reference number).

This processing activity is lawful under GDPR because of this Irish legal obligation.

Legal obligations can seem to contradict data protection obligations.

For example, the principles of GDPR (discussed later) expect you to delete data as soon as possible. Unnecessary retention is an issue.

However, many laws require retention. For example, banks have specific anti-money laundering obligations that require them to store copies of your identification documents.

It is important to understand that data protection does not always take precedence.

As demonstrated with this lawful basis, if you have a legal obligation to do something with someone’s personal data, GDPR does not prevent you from doing this. It just requires you to identify what the obligation is.

d) It is in your legitimate interest

You may be able to justify a certain processing activity on the basis that it is in your legitimate interest to perform the activity.

However, before you rush into using this as your lawful basis for all sorts of activities, you need to prove:

Your legitimate interest is not overridden by the individual’s broader interests, rights and freedoms. In layman’s terms, what you are doing must be reasonable and unsurprising, and could not cause a reasonable person to be concerned or annoyed.
Be clear about what what your legitimate interest is and confirm it is legal.
Confirm that the processing you will perform is necessary to achieve this interest.
Balance your interests with those of the individuals.

For example, legitimate interest may be your lawful basis for using CCTV for the sole purpose of protecting your physical premises.

You need to be careful with this lawful basis.

You can’t assume legitimate interest is a lawful basis for everything you do.

For each activity that you claim is in your legitimate interest, you should go through an objective ‘legitimate interest assessment’.

A legitimate interest assessment (LIA) forces you to:
1. Specify what your legitimate interest is, and confirm it is legal.
2. Confirm that the processing you will perform is necessary to achieve this interest
3. Balance your interests with those of individuals.

For detailed guidance, you can’t beat the guide provided by the UK regulator or the information within the LIA template produced by the Data Protection Network.

3. For each activity, confirm you are in compliance with the principles.

Now that you have identified the lawful bases for your processing activities, you need to evaluate your activities against the principles of data protection.

For example:

Fair, necessary and proportionate

Your processing should be necessary and proportionate to the lawful activity you are undertaking.
Minimum

Your processing should involve the minimum amount of data, for the minimum amount of time, accessible to the minimum number of people
Transparent

You should ensure the individual knows what you will do. Most businesses achieve this by providing a privacy notice online, by email and/or by post.
Accurate

You must take appropriate steps to keep the data up-to-date and accurate.
Secure

The personal data should be kept secure – This involves techical and organisational controls. Your staff are the most likely source of a breach – You need to ensure they have been trained so they know what they can do and can’t do.

A couple of real-world examples may be useful at this point to show how you could consider and apply these principles.

Example 1: Using CCTV to monitor your employees

A business may be tempted to CCTV to monitor employee performance.

CCTV can capture images of individuals. These images are the individuals’ personal data. Therefore, this use of CCTV is subject to data protection regulations.

This use of CCTV will not comply with a number of the principles of data protection. For example:

Necessary: If your objective is to monitor employee performance, is use of CCTV absolutely necessary for the achievement of this objective? Is there a less-intrusive way to achieve the objective? For example, getting a manager to do the job they are being paid to do?

Proportionate: If you are concerned about the performance of a few employees, is it proportionate to record the activities of every employee for every minute of the working day?

Transparent: Are employees aware of your use of CCTV for this purpose?

Example 2: Retention of CV’s & interview notes of failed job applicants

When a business is looking to recruit a new employee, it is likely to receive CV’s and job applications from a large number of people. In the course of the interview process, there will also be interview notes recorded about each interviewee.

CV’s, interview notes etc contain personal data and are therefore subject to data protection regulations.

When the business fills the vacancy, the question of retention then arises. How long should the CV’s and inteview notes be retained?

Most businesses don’t think about this. Interview notes may be destroyed immediately (or simply misplaced). Alternatively, CV’s may sit in the email accounts of employees who were involved in the recruitment process for a long period of time.

Let’s consider some of the principles of data protection:

Minimum (time) vs Fairness: When thinking about the length of time you can retain the data, how long is ‘minimum’? From a data protection perspective, as soon as the vacancy is filled, you don’t need the information about failed candidates. However, from a fairness perspective, it is appropriate to retain the data for a short period of time in case a failed candidate claims that they were discriminated against? You need to identify a fair balance and document why you chose this period.

Minimum (access): Accessible to the minimum number of people: Are these documents stored in a restricted area so only those who need access at this point in time can see them? What about copies of CV’s in employees’ email accounts?

Accurate: Kept up-to-date: Let’s imagine a failed candidate has given you consent to retain their CV in case another role opens up in the near future. Their CV will naturally go out of date as they gain more experience elsewhere. How will you ensure the data is kept up to date?

4. Be ready to facilitate the rights of individuals

OK, at this point, you’re in good shape:

1. You have identified your processing activities

2. You have confirmed your lawful basis for each activity

3. You have ensured your activities are complying with the principles of data protection

When you are a data controller, the next step is to be ready for individuals exercising one of their data protection rights.

How to maintain your sanity

Data protection rights are seldom absolute rights. They may only apply in specific circumstances.

To maintain your sanity, you need to become comfortable with the specifics.

This will ensure you know how to respond when an individual asserts a right that they think they have.

You must be ready to respond (usually within 1 month) if an individual wishes to exercise one of their data protection rights. These rights include:

Right to be informed

I’ve mentioned transparency a few times. An individual has the right to be told in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”, what data you have about them and what you are doing with it.
Right of access

An individual has the right to a copy of any personal data you have about them. After all, it is their data.
Right to rectify

If you have personal data about an individual that is inaccurate or incomplete, the individual has the right to tell you to rectify the data.
Right of erasure

In specific circumstances, the individual has the right to force you to delete their personal data. For example:

– You only have the data because they gave you consent, they have now withdrawn their consent, and you have no other lawful basis to retain the data.

– You are processing it on the basis of legitimate interest but the individual’s interests, rights or freedoms override your interest.
Right to restrict

In specific circumstances, the individual has the right to restrict what you do with their data. For example:

– They believe the data is inaccurate and you are verifying the accuracy

– They claim your legitimate interest is overridden by their interests, rights or freedoms, and you are verifying this claim

– You have no lawful basis for the processing but the individual does not want you to erase the data
Right of data portability

For data you are processing by “automated means” on the basis of consent or contract, the individual has the right to receive a copy of this data in what is described as “a structured, commonly used and machine-readable format”, or to request this data to be transmitted to another data controller.
Right to object

The individual has the right to object to processing that you claim is lawful on the basis of legitimate interest. While you investigate their objection, you must stop processing the data.
Right to be notified

An individual has a right to be notified by you if their data has been breached (e.g. disclosed to an unauthorised 3rd party) and this could present a high risk to them. This feeds into a broader requirement around data breaches, which I will discuss in a later article.

Once again, a couple of real-world examples may be useful at this point to show you how these rights may apply.

Example 1: Right to erasure and contract

While in a contractual dispute with a disgruntled individual, they may claim that they have a right to erasure (a ‘right to be forgotten’) .

This is particularly common when you are asking them to pay for a product or service that you provided.

This right to erasure does not apply where the lawful basis for your processing is a contract between you and the individual. Someone can’t escape paying an outstanding fee by exercising this data protection right!

Similarly, it does not apply if you are legally obliged to process the data.

As I mentioned earlier, data protection rights are seldom absolute and they do not exist to stop you doing a reasonable thing.

Example 2: Right of access & CCTV

CCTV footage of an individual is their personal data. They have a right to a copy of the data. However, it is excessive for them to ask for ‘all footage of me’. They are likely to need to specify dates and times when they were in the area of the CCTV cameras so you can find the footage.

When providing the footage (or any personal data) to the individual, you need to respect the data protection rights of any other individual contained in the footage / data. In the example of CCTV, you need to take steps to hide the identities of all other individuals captured in the footage.

If you keep a lot of personal data about individuals, the right of access is a real pain in the ass. It’s another way that GDPR encourages you to delete data when you no longer need it.

Example 3: Right of access to employee data

The data you have about your employees is their personal data. This includes data ‘about’ them – For example, it may include remarks written in emails by their manager or other superiors.

If an individual submits an access request, it is too late to delete this type of data. You will probably need to disclose it, even it is embarrassing or defamatory.

Example 4: Direct marketing

One of the few absolute rights is the right not to be subject to direct marketing.

For example, if someone notifies you that they don’t want to receive your direct marketing, you must be ready to facilitate this request.

5. Confirm your 3rd parties can comply

OK, we’re almost at the top of the mountain now:

1. You have identified your processing activities

2. You have confirmed your lawful basis for each activity

3. You have ensured your activities are complying with the principles of data protection

4. You are ready to facilitate a data subject’s rights

I have not covered all of your obligations under GDPR but if you have nailed all of the above, you are doing well.

Now you need to worry about the 3rd parties that help you with your processing activities.

Examples of data processors

Most businesses use 3rd parties to perform certain tasks on their behalf. For example:

– You may use a 3rd party to run your employee payroll each month

– You may use an external IT managed service provider to run your IT systems.

You may outsource activities. But you never outsource responsibility.

You will always be responsible for your processing activities. Even if you ask other organisations to help you, you remain responsible.

You need to be sure they all have their act together.

As a controller, GDPR requires that you “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures’ to comply with GDPR.

Examples of how you prove sufficient guarantees:

Contractual agreement

You need to have a contract or other legally binding agreement with your processors to ensure they are obliged to protect the personal data you are disclosing to them.

Article 28 (3) of GDPR covers the basic legal requirements for such a contract, including requirements that the processor:

– Only process the data based on documented instructions from you.

– Ensures their staff are obliged to keep the data confidential

– Puts appropriate measures in place to keep the data secure

– Assists you when an individual exercises one of their data protection rights

– Seeks your prior authorisation for all sub-processors who are, or will be engaged, by them

– Helps you demonstrate compliance with GDPR, including allowing you to audit them
Assessments

Contractual obligations are required but not sufficient.

Where possible, you need to get into the detail with your processor to ensure they are handling the data correctly.

Depending on the nature of your relationship, their location, and the balance of power, this could involve:

– Desk-based research and review of material published online by the processor

– Review of detailed questionnaires that you ask them to complete

– On-site visits and assessments

– Formal audits of their procedures and security measures
Certification

GDPR envisages the development of certifications that an organisation can use to prove their compliance. These certifications do not currently exist.

Right now, external certifications such as ISO 27000 or SAS70 can help prove compliance in certain operational areas. They all provide evidence of an organisation that is doing some things right.

The cost of compliance: Who pays?

GDPR says nothing about who should pay for the costs of compliance.

While some processors regard their obligations as just a cost of doing business, I have seen others insist on being paid by you for their time on compliance-related activity.

It usually comes down to who has the balance of power: If you are a small client of a global processor, you have very little bargaining power.

So, you may have a right to audit, but you may need to pay a processor €5k + time and materials if you choose to exercise this right.

The cost of non-compliance: Who pays?

If a processor does something wrong, both you and the processor may be held jointly liable by the courts.

I have seen processors limit their liability through specific clauses in their contracts. Regardless of how they screw up or the size of the financial impact, their contract may limit their liability to a specific (small) sum of money. You will have to cover the rest of the bill.

Are you ready to take on all the risk if your processor screws up? GDPR should make you think twice about the processors that you choose to work with.

6. Don’t just comply. Prove you comply.

OK, a this point, you have done the ‘real’ world.

However, knowing that you are compliant is not enough.

GDPR requires you to prove your compliance. It’s all about accountability.

Accountability

You are guilty until you can prove your innocence.

What does proving compliance look like?

I describe it as things you will have and things you will do.

Things you will have

When you comply with GDPR, you are likely to have a number of things that prove it. For example:

Privacy Notice

A privacy notice / privacy statement on your website to tell individuals what you will do with their data.

A privacy notice / statement accessible to your employees to tell them what you do with their data.
Privacy Policy

A privacy policy will tell staff what they are, and are not, allowed do with personal data.
Retention Policy & Schedule

A retention policy & schedule will set out how long you will retain specific types of data and how the data will be deleted when its retention period has passed.
IT Security Policy / Procedures

IT security policy & procedures set out how you ensure data is accessible to the minimum number of people, how data is secured, etc.

You should also have clear & proven steps documented to help you recover from incidents such as system failure or data loss – Commonly referred to as an ‘Incident Response Plan’ or a ‘Business Continuity Plan’.
Subject Rights Procedures & Log

You will have a document that sets out how you will facilitate an individual when they seek to exercise a data protection right. A log will record each subject request and how you responded to it.
Data Breach Procedure & Log

You will have a documented procedure that details how you will handle a personal data breach. A log will be used to record all breaches and how you handled them.

Things you will do

Staff training

Staff are your weakest link. You will need to train them so they are clear on their data protection obligations and the impact on you and them if they get it wrong.

Training should be performed on a regular basis using material and approaches tailored to their roles – e.g. different training for people working in HR vs warehouse operatives.
Data Protection Impact Assessments

You will consider the data protection implications of any processing you are performing, or plan to undertake in the future.

If the processing could present a high risk to individuals, you will perform a formal Data Protection Impact Assessment (DPIA). This is a topic for a future article.
Privacy by Design / by Default

You will think about data protection from the start, not as an afterthought.

I will discuss this in a later article.

You have reached your destination

That’s it.

OK, maybe not all of it.

It’s impossible to write a single article that captures all of the in’s and out’s of GDPR.

However, I hope it has helped you get your head around some of the key requirements of GDPR.

I also hope it has given you a sane & logical framework that you can use to get moving.

How do I make progress from here?

I know it can seem like there’s a huge amount involved in complying with GDPR.

It can feel like a mountain of work, with a list of to-do’s that never stops growing.

I think there are two ways you can deal with it:

Get someone else to do it

If you don’t have the time or the interest to do it yourself and if you have the money, you could outsource this so someone else can take the lead and do most of this for you.
Do it yourself

GDPR is not rocket science.

If you want to really nail this, or if you don’t have the budget to outsource this, it’s possible to do this yourself.

With the right approach and support, you can do it.

Outsource or in-house?

I’ve been involved in both approaches: Some clients have outsourced this work to me. Others have done it in-house, with my support.

Based on my experience, I’ve written about the advantages and disadvantages of each approach.

I’ve also identified the key factors to consider when deciding the best approach for you.