This document summarizes key provisions of the General Data Protection Regulation (GDPR) and actions businesses should take to prepare for compliance. It outlines requirements for data audits and accountability, including keeping records of processing activities. Consent under GDPR must be freely given, specific, informed and unambiguous. Legitimate interests can also justify processing if it passes tests of being necessary and balanced against individual rights. Privacy notices must provide full transparency about data collection and use. Contracts with data processors must impose security and confidentiality obligations. Businesses should seek legal advice to ensure GDPR readiness.
2. KEY TOPICS
1. Data audit and accountability
2. Consent
3. Legitimate interests
4. Transparency and privacy notices
5. Contractual terms
3. DATA AUDIT AND ACCOUNTABILITY
Article 5
2. The controller shall be responsible for, and be able to demonstrate compliance
with, the main principles relating to the processing of personal data (‘accountability’),
including that personal data is:
• Processed lawfully, fairly and transparently;
• Collected for specified, explicit and legitimate purposes;
• Adequate, relevant and limited to what is necessary;
• Accurate and, where necessary, kept up to date;
• Kept no longer than is necessary;
• Processed in a manner that ensures appropriate security.
4. DATA AUDIT AND ACCOUNTABILITY
Article 30 (records of processing activities)
Applies if you have over 250 employees, process sensitive personal data, or
the processing is not occasional
Controllers and processors must keep a record of processing activities under
their responsibility, including:
• Purpose of processing (controllers only);
• Description of categories of data subject and data;
• Categories of recipients;
• Any transfers outside EEA;
• Retention periods;
• A description of the technical and organisational security measures.
5. Nature of data/document
• When was the data collected/received?
• Is the data subject a client/customer/supplier/prospect?
• Does the personal data reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or does it concern health or a natural person's sex life or sexual orientation? (Sensitive data)
• On what legal basis is the data being processed?
a) For the purpose of performing a contract with the data subject;
b) The data subject has consented to processing for that purpose (if consent is the basis, what record do you have of consent? When and how was consent given?);
c) In your legitimate interests, where the processing is necessary for the purpose and on balance is fair, taking into account the rights and expectations of the data subject;
d) Processing is necessary for compliance with a legal or other obligation to which the controller is subject.
• Is the data kept no longer than is necessary for the purposes for which the personal data are processed?
• Is the data being processed for the purpose it was originally collected?
• Is the data adequate, relevant and limited to what is necessary for the purpose?
• Is the data accurate and, where necessary, kept up to date?
• What (if anything) has the data subject been told about the processing of the information?
• Where is the data being processed (is any data processed outside the EEA)?
• Are you the data controller (i.e. do you determine the purposes and means of the processing of personal data) or are you the processor (i.e. you process the data on behalf of and on the instructions of someone else)?
• Is the data processed in a manner that ensures appropriate security of the personal data?
• Does the processing involve any automated decision making or profiling?
• Is it possible for the data subject's data to be easily amended, transferred and/or deleted upon a request from them?
• Is the data shared with any third parties?
• Risk of non-compliance: high/medium/low
• Risk that a data breach would be likely to result in risk to the rights and freedoms of the data subject: high/medium/low
6. CONSENT
1. Article 29 Working Party Guidelines released in December
2. Expect updated guidelines from ICO
3. Definition
‘consent’ of the data subject means any freely given, specific,
informed and unambiguous indication of the data subject's wishes by
which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him
or her
7. CONSENT
1. Controller has to be able to demonstrate consent
2. Request for consent must be distinguishable from other matters
3. When assessing whether consent is freely given, utmost account
shall be taken of whether, inter alia, the performance of a contract,
including the provision of a service, is conditional on consent to the
processing of personal data that is not necessary for the
performance of that contract.
8. CONSENT
1. Obtaining consent does not negate the controller’s obligations to
observe GDPR principles, especially fairness, necessity and
proportionality
2. Consent may cover different operations, as long as these
operations serve the same purpose
3. Data subject has a right to withdraw consent as easily as giving
consent
4. Controller is expected to make sure information is understandable
for minors
9. CONSENT
1. Where explicit consent is required the guidance recommends a
signed statement or if using electronic consent, a two stage
process. Explicit consent is required for:
a) Processing special categories of data (sensitive data);
b) Transfer outside of EEA;
c) Automated decision making.
2. After the processing activity ends, proof of consent should only be
kept for as long as necessary to defend claims
10. CONSENT
1. Duration of consent depends on context and scope of original consent
and the expectation of the data subject. ICO draft guidance suggests 2
years as a default position
2. If consent is withdrawn then the processing activities that were subject to the consent
must stop. If there is no other lawful basis for retaining the data, it should be
deleted or anonymised
3. You cannot silently switch to a different lawful basis (e.g. legitimate
interests) or use that as a back-up
4. Parental consent for children runs out when they come of age and so you
need to send reminders to re-affirm consent
11. LEGITIMATE INTERESTS
“processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data,
in particular where the data subject is a child”
12. LEGITIMATE INTEREST
1. Purpose Test: Identify a legitimate interest:
GDPR mentions use of client or employee data, marketing, fraud prevention, intra-group
transfers, or IT security as potential legitimate interests, but this is not an exhaustive list
2. Necessity test: is the processing necessary for that purpose?
‘Necessary’ means that the processing must be a targeted and proportionate way of
achieving your purpose. You cannot rely on legitimate interests if there is another
reasonable and less intrusive way to achieve the same result
13. LEGITIMATE INTEREST
1. Balancing test: do the individual’s interests override the legitimate
interest?
You must balance your interests against the individual’s interests. In particular, if they would not
reasonably expect you to use data in that way, or it would cause them unwarranted harm, their
interests are likely to override yours. However, your interests do not always have to align with
the individual’s interests. If there is a conflict, your interests can still prevail as long as there is
a clear justification for the impact on the individual
2. You can rely on legitimate interests for marketing activities if you can
show that how you use people’s data is proportionate, has a minimal
privacy impact, and people would not be surprised or likely to object –
and if you don’t need consent under PECR
14. TRANSPARENCY AND PRIVACY NOTICES
1. If collected from data subject, at the time data is collected, controller shall provide the
following:
a) Identity of controller and data protection office where applicable
b) Purpose of processing data and legal basis (including legitimate interests if applicable)
c) Categories of data concerned
d) Recipients or categories of recipients of the data
e) If the data is going to be transferred outside EEA
f) How long the data will be stored
g) Rights of the data subject to rectification, erasure, restriction, portability and objection
h) Right to withdraw consent (where applicable)
i) Right to lodge a complaint with ICO
j) Whether the provision of personal data is a statutory or contractual requirement
k) The existence of any automated decision making
15. TRANSPARENCY AND PRIVACY NOTICES
1. If not collected from data subject, controller shall provide the privacy notice within
a reasonable period but in any event on the earlier of one month and the first
communication with data subject
2. Privacy notice should include
a) Same as above plus:
i. Categories of data
ii. The source of the personal data
3. No need to provide privacy notice if:
a) Data subject has the information already (i.e. from the original data controller)
b) Provision of information proves impossible or would involve disproportionate effort
c) The personal data must remain confidential subject to an obligation of professional secrecy
d) Where it would render impossible or seriously impair the achievement of the objectives of the
processing
16. TRANSPARENCY AND PRIVACY NOTICES
1. Key points from guidance:
a) If you have a website then this is the recommended way to deliver privacy notice
b) It should be clearly distinguishable from other non-privacy related information such as contractual provisions
c) A link to the privacy notice should be on each page of your website
d) For apps the privacy notice should never be more than two taps away
e) The first layer of a notice should include information on processing which has most impact or could surprise the
data subject
f) The purpose of, and legal basis for, processing personal data should be clear. It is not sufficient to say:
i. “we may use your personal data to offer personalised services”
ii. “we may use your data to develop new services”
g) If you change your privacy notice, the changes should be communicated. You cannot just publish the new notice
h) The threshold for disproportionate effort is high, but not having contact details is a factor
17. CONTRACTS WITH DATA PROCESSORS
1. Processing by a processor must be governed by a contract
2. Must set out the nature and purpose of processing, types of data
and categories of data subject and obligations and rights of the
controller
3. Must include prescribed terms including:
a) Process only on written instructions
b) Confidentiality and security
c) Not to engage sub-processors without prior consent
d) Assist controller to meet obligations under GDPR
e) Delete or return data at end of contract
f) Submit to audits by controller
18. WHAT NEXT
1. Keep an eye on the link below for new guidance:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new
2. Ask your legal advisers for assistance to make sure you are GDPR
ready.
19. For further information or legal advice on GDPR compliance,
please contact:
Jon Rathbone
Director, Head of Corporate and Commercial
Tel: 01242 586832
E-mail: jdr@hughes-paddison.co.uk