A quick guide to GDPR
Like everybody else, over the last few months we have been trying to read,
understand, digest and interpret the new GDPR regulations.
This is our take on it and hope it acts as a helpful guide.
NB - we strongly advise that each associate take their own steps, including considering legal advice if you are unsure how these regulations affect you directly, to ensure you are fully compliant.
Remember these regulations will take time to settle and test cases are likely in the
coming months.
April 2018
Areas in need of focus
1. The Headlines
2. ICO expectations
3. The 6 principles and Accountability
4. Data controllers vs. data processors - which one are you?
5. Enhanced Data subjects’ rights
6. Dealing with Subject Access Requests (SARs)
7. Privacy statements
8. Keeping data safe
9. In the event of a breach
The headlines
GDPR went live on the 25th May 2018
• GDPR is a new Europe-wide law that applies to every business in the UK and EEA - big or small, sole trader or large corporate - that collects personal data, even if you only undertake a few cases a year.
• The previous legislation was the Data Protection Act 1998. Twenty years on, the world is a very different place due to the explosion of technology and social media. This regulation reflects the changes now needed to keep data safe.
• The key focus is giving data subjects back their/our privacy and reflecting
the way they/we live our lives now.
• There are enhanced rights for data subjects.
The headlines
• Despite Brexit, and even though Article 50 has been triggered, it will take two years for our exit from the EU to be agreed, so the UK Government has made it clear that GDPR became fully enforceable on 25th May 2018.
• The fines for breaches and non-compliance are bigger - up to 4% of global turnover or up to £20 Million - never mind the reputational damage!
Tip - Make sure you have registered with the ICO - see the link below for details on how to register and what it costs:
https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf
TIP - Think about it as a cultural shift, not just a tick-box exercise.
ICO expectations
• That every business, big or small, is taking it seriously - compliance is mandatory
• That you are en route to GDPR compliance and can evidence what you are doing. You are not expected to have everything in place by 25th May 2018
• That there is evidence of what you have done and intend to do, and that your journey to GDPR compliance has begun
The 3 big issues that the ICO is likely to zoom in on are:
1. Handling a SAR
2. Managing and communicating a data breach
3. A cyber attack
The 6 Principles
1. Lawfulness, fairness and transparency - Personal data shall be processed lawfully, fairly
and in a transparent manner in relation to the data subject
2. Purpose limitation - Personal data shall be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those purposes
3. Data minimisation - Personal data shall be adequate, relevant and limited to what is
necessary in relation to the purposes for which it is processed
4. Accuracy - Personal data shall be accurate and, where necessary, kept up to date
5. Storage limitation - Personal data shall be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data
are processed
6. Integrity and confidentiality - Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures
And accountability
• The accountability principle in Article 5(2) means that controllers are responsible for, and should be able to demonstrate, their compliance with the GDPR data processing principles listed in Article 5(1)
Controller or processor?
• “data controller” means a person who (either alone or jointly or in common with other
persons) determines the purposes for which and the manner in which any personal data are
to be processed.
• “data processor”, in relation to personal data, means any person (other than an employee of
the data controller) who processes the data on behalf of the data controller.
• “processing”, in relation to information or data means obtaining, recording or holding the
information or data or carrying out any operation or set of operations on the information or
data, including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making
available, or
d) alignment, combination, blocking, erasure or destruction of the information or data
• TIP - Familiarise yourself with the ICO guidance below:
https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf
Page 9, points 25-27, are important
Enhanced Data subjects’ rights
Data subjects have enhanced rights compared to the Data Protection Act 1998:
1. Right to be informed - can ask what information you are holding on them
2. Right to access - allows them to see what information you have on them
3. Right to rectification - allows them to have incorrect information corrected
4. Right to erasure/right to be forgotten (new**) - as it says, to have their
information removed completely
5. Right to restriction - as it says, data subjects can request restrictions around
what you share
6. Right to data portability (new**) - can request their information be transferred
to another place/company
7. Right to object - to direct marketing, scientific research, etc.
TIP - Make sure you know what the new rights are so that you can respond quickly and effectively to any requests that come through.
TIP - Ensure you know the 6 new principles and in particular the responsibilities within ‘accountability’
Dealing with a Subject Access Request (SAR)
Requests can now be made by phone as well as by email or post, but you should take reasonable steps to verify who the requester is first.
1. You must respond to their request should they wish their information to be removed, rectified or deleted - it is their right!
2. You must provide the information within 30 days of the request
3. You cannot apply any charge to the request - for information on medical records see the link below
TIP - Write yourself a simple process for how you would deal with this; documenting it is important
TIP - Remember it is their right, don’t make it difficult for them to get hold of their information
http://www.firstpracticemanagement.co.uk/blog/posts/charging-for-information-requests-to-end-under-gdpr/
Privacy policy
A privacy policy is a statement or a legal document that discloses some or all of the ways a party
gathers, uses, discloses, and manages a customer or client's data. It fulfils a legal requirement to protect
a customer or client's privacy.
Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy policy.
The document must state clearly:
1. Who you are
2. What you are going to do with their information
3. Who it will be shared with
4. Whether you share information with third parties
5. How they contact you if they have concerns
TIP - Write a simple, plain English document that says what information you receive, what you do with it and how they can contact you if they need to.
Keeping data safe
It’s your responsibility to take all reasonable steps to ensure any personal data you have access to is safe and secure - that applies to physical documents as well as electronic ones.
Keeping data safe
Physical
• Wherever you work in your home/office it should be lockable, and so should any cupboards housing physical personal data.
• Be careful if you carry paper documents around with you, in your car or on the train - are they safe?
• Have a good filing system in place so you can find documents quickly.
• Do you destroy paper documents securely?
• TIP - Think about conducting a mini risk assessment and documenting it, to show what you have been thinking about and are planning to do.
Below is an interesting article on LinkedIn about a small business and their approach:
GDPR- a small business case study (mine)
https://www.linkedin.com/pulse/gdpr-small-business-case-study-mine-janine-coombes
Online
• Don’t keep sensitive data/photos on your mobile. Transfer them to your PC as soon as possible.
• Have you got sufficient anti-virus and firewalls in place? Free versions are sometimes deemed unsafe.
• Are you password-protecting documents when you transfer them?
In the event of a breach
It is your responsibility to inform the ICO of a breach as quickly as possible.
1. Call the ICO within 72 hours and advise them of what has occurred.
2. Be prepared with as much detail as possible, i.e. what was breached and how did the breach occur?
3. Explain what measures you have taken to address the issue - be open and honest - the ICO does not take kindly to those who try to hide things or are obstructive.
4. Be prepared to inform the data subject(s) who have been affected and provide them with the same information as you provide to the ICO - remember their enhanced rights.
TIP - Write an easy guide on how you will deal with a breach should one occur, and include the contact telephone/email for the ICO so you have it to hand.
TIP - Be honest and transparent with the ICO; they don’t take kindly to obstruction.
TIP - Don’t panic!
Still got questions?
• Check the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
• https://www.youtube.com/watch?v=tTeTm7hHC0U
• Free webinars are available through http://www.virtual-administration.com/gdpr-webinar/webinar-dates/