You might have heard that the General Data Protection Regulation (GDPR) was passed by the EU Commission last year. It’s pretty big news; taking effect from 2018, it effectively replaces the law we’ve had since 1998 - the Data Protection Act. Because it’s a regulation, it comes into force as it was passed by the EU Commission, and it has been made clear that it will not be impacted by Brexit.
But what on earth does it mean for businesses, and more specifically, MadTech startups? Our legal partners Lewis Silkin were on hand to clarify that for us and our alumni.
Enough about me, back to me
The whole law is built around protecting the individual ‘data subject’ – that is, the person whose data you are collecting. Businesses are being put in the data subject’s shoes, and need to think of data collection and usage from their point of view.
Who am I?
You need to understand if you are a Data Controller or Data Processor. A Data Controller determines the purposes for which, and the manner in which any personal data is processed or is to be processed, and is directly responsible for compliance with the law.
A Data Processor processes that data on behalf of the Data Controller, and the Data Controller must have a written contract in place for this. A big change however, is that the Data Processor will now have direct obligations and liability under the law.
It is important to understand which you are, as this will determine your obligations and the standard you will be held to. Just to muddy the waters a bit, you can actually be both: any suppliers you engage will be Processors, but if you sell to a client, you may well become the Processor. Clarify this and your liability at the outset, and record it in written, signed form.
In line with the individual focus being pushed through the new law, the definitions of Personal Data and Sensitive Personal Data are expanding.
Sensitive Personal Data
The new rule of thumb is thus – if you are gathering and using sensitive personal data – GET CONSENT! Even more importantly, do not bundle this up in your Ts and Cs. This needs to be obvious, clear, visible, shouting from the rooftops.
This must be processed for a ‘fair and lawful’, i.e. specific, use. If it isn’t on the list of what’s fair and lawful, you can’t do it! Generally the conditions here are: with consent, necessary for the purposes of the contract with the data subject, or in the Controller’s legitimate interest. Transparency is key – you need to provide a privacy notice (again, as obvious and as clear as possible, and kept separate from anything else) and don’t do anything with the data that might surprise your subject!
One thing to point out here is that you don’t always have to have consent as your ground for processing data – but if you do, your Data Subject has to demonstrate their consent, and be free to withhold or withdraw it.
What’s your profile?
Another big area of impact is ‘profiling’. The regulations have introduced a new definition of profiling, with some pretty big requirements for any profiling that constitutes having a ‘legal effect’ – that is, an irreversible impact on the Data Subject. At the moment it doesn’t seem as though behavioural profiling, targeted advertising and the like will be scooped up by this, but it’s subject to more clarification and guidance.
It may be helpful to think of profiling in two ways:
- Does your profiling have a ‘legal effect’ – if it does, you MUST have explicit consent
- Does your profiling not have a ‘legal effect’ – you must inform the Data Subject of it and allow them to object to it (if it’s already happened, you need to be able to reverse it)
Don’t you forget about me, except, please do
Rights being extended under the GDPR are the Data Subject access request and the right to be forgotten. The new one, however, is the right to data portability – Data Subjects will be able to request all of their data and are free to move it to other accounts, including those of any competitors. It’s worth bearing this in mind, as you will need to be able to provide them with all of the information you hold about them.
So what can I do?
This may all seem pretty daunting, and with the serious increase in fines for breaches being one of the biggest changes the legislation enforces, it can feel like you’re fighting an uphill battle. There are, however, steps you can take to start getting yourself compliant.
• If you’re early stage, the words ‘privacy by design’ are your new best friend. Build the requisite data security measures into your systems early, and get your privacy notices, consent buttons and the like clear and ready from the outset.
• If you’re later stage, you will need to build an audit trail – think about when you gathered data and how it was used, all date-stamped and demonstrably proven. You’ll also need to reach out to all of your Data Subjects and tell them what information you are holding, with an option for them to ask you to remove it.
• All businesses will need to review their reporting procedures should they find themselves on the wrong end of a breach, and make sure that their processes are adequately set up to manage that breach in accordance with the regulations.
• A good place to start will be to ask yourself: what data am I holding, how did I get it, and where did I get it from? Work back from there, start to unpick the audit trail, and work out how data needs to be collected in the future.
New guidance is due to be issued this Spring, and for anybody who is still a bit stuck, some good starting points are the Information Commissioner's website and the European Commission's website. Our legal partners Lewis Silkin are also on hand to support our network with queries they may have.