Ask a lawyer

How do I comply with the GDPR?

At Rocket Lawyer UK, we’ve helped to answer over 10,000 legal questions from our members since 2012. From doing some analysis we’ve managed to pick out some common issues that businesses and individuals face. This Ask a lawyer blog series will feature step-by-step instructions to help you solve some of these common legal issues, such as tenant eviction, dismissing your employee, business compliance and more!

In ‘Ask a lawyer: How do I comply with the GDPR’, I’ll set out some practical steps and tips for your business.

Step 1: Understand the basics of the GDPR

Remember that the GDPR applies to ‘personal data’. So it’s important to understand what is and what isn’t ‘personal data’. Personal data is any information relating to an individual who can be identified by that information. So for example, my full name (Alan Cheung) is personal data under the GDPR as you can identify me from that information. The GDPR also expands the definition of personal data to include location identifiers and online identifiers (such as IP addresses).

The GDPR also broadens the definition of ‘sensitive personal data’, which now encompasses genetic and biometric data. In practice this covers things like fingerprint scanning to unlock a phone and facial recognition software. It even includes ear canal authentication for headphone security!

Any personal data must be processed lawfully and in accordance with the six ‘Data Protection Principles’. Data must:

  1. be processed fairly, lawfully and in a transparent way;
  2. be collected and processed only for specified, explicit and legitimate purposes;
  3. be limited to what is necessary for the purposes for which it is processed;
  4. be accurate and kept up-to-date;
  5. not be kept for longer than is necessary for its purposes; and
  6. be processed securely and confidentially.

This means that you must be clear on what ‘processing’ is and what your business does with personal data internally and externally. ‘Processing’ can mean collecting, recording, organising, storing, altering, disclosing, combining, restricting, destroying or erasing data.

The Data Protection Principles also mean that businesses must have a legal basis for processing data. This means that your business must have a valid reason as to why you’re processing personal data. The legal bases are:

  • Consent
  • Performance of a contract
  • Compliance with a legal obligation
  • Vital interests of the data subject
  • Public interest

For further information read Processing personal data. Ask a lawyer if you need more information.

Step 2: Understand your business

Okay. So you’ve had the basic lowdown on the GDPR. But understanding the GDPR isn’t enough. You need to understand your own business as well.

You should complete a business-wide data audit to understand and document what information you hold, what it’s used for, how it’s used and stored, who it’s shared with and who’s responsible for it.

Consider whether you need a Data Protection Officer (DPO) or a Data Privacy Manager, who can be the point of contact within your business for all GDPR and data issues. Read our previous blog on GDPR – What’s a Data Protection Officer? for further information.

Ask yourself whether you send or receive data from outside of the EU. If you do, make sure you’re aware of the special rules on cross border data transfers. For further information read International transfers of personal data.

Step 3: Update your contracts and policies

Updating your internal policies and contracts is a must. If you have a website, you should make a Website privacy policy.

If you employ staff you should make a Data protection and data security policy. This policy is important as it informs staff of how the business is going to comply with the GDPR and how staff are expected to as well. Contracts of employment should be updated as well. Rocket Lawyer’s Employment contract contains new GDPR/Data Protection clauses.

Step 4: Train your staff

You’ll need to train staff (or yourself if you’re a one-man/woman band) to ensure that everyone is aware of the procedures that need to be followed and the responsibility everyone has. In particular, everyone needs to be trained on breach notifications. So what kind of procedure do you have if data is lost or compromised? Is there someone who can be contacted to deal with the issue?

You’ll also need to train staff on dealing with subject access requests (SAR). The new time limit means that businesses must respond to a SAR ‘without undue delay and in any event, within one month of receipt of the request’. This shortens the previous 40-day limit under the old Data Protection Act.

Step 5: Keep records and review them regularly

This is so important for any business. There’s no point in doing all the hard work in complying with the GDPR and getting everything prepared if you can’t prove it. Proper and accurate record keeping is essential. One of the key principles of the GDPR is accountability. This means there is a higher burden on businesses to prove that they are complying with the GDPR.

Remember that the ICO can come knocking on your door at any time and request your records.

To wrap up…

The GDPR is unavoidable. But it’s important you get things right, otherwise there could be serious consequences (and not just lots of stress!). But there is light at the end of this data protection tunnel.

You should get a solicitor to review your current agreements with your customers, vendors and suppliers. A GDPR check will identify which documents need to be redrafted. If you and/or your business need help to comply with the GDPR, Ask a lawyer or if you have a legal issue you’d like me to blog about, contact me.

Alan Cheung