question mark 3

Hey JEM:   About this GDPR thing…

Listed below are some the questions we get asked most often – both from companies that we are working with, or individuals just wanting to find out more.

If you have a query that isn’t included, drop us a line – we’ll answer it for you, and potentially add it to this list.

If you want to know, you can be sure someone else does too!
Who does the GDPR apply to?
To quote from Article 3:  This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place within the Union or not.

And. […applies to] processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union where the processing activites are related to:

  1. the offering of goods and services, irrespective of whether a payment of the data subject is required, to such data subjects in the union OR
  2. the monitoring of their behaviour as far as their behaviour takes plave within the Union.

(It also applies to overseas territories that come under the jurisdiction of the member States)

So: these rules apply to any company based in the EEA:  or any company transacting with an EEA citizen in the EEA, even if they are based outside.

Hope this is clear!

Does GDPR affect me and my company?
  • Are you a citizen of the EEA?
  • Does your company exist in the EEA?
  • Does your company sell products or services to citizens of the EEA?

Answer any of the questions with a ‘Yes’, and then GDPR applies to you as a citizen (ie you have Rights), and your Company (ie your company has Obligations).

Importantly:  size doesn’t matter…

Who or what is a Data Controller?
A Data Controller:
  • Is a company, not an individual (The Board represents the company).
  • Is Responsible “for determining the means and method of processing personal data”.
  • Takes Responsibility for achieving and maintaining compliance.
  • Is Accountable to the Regulator for demonstrating compliance.
  • Picks up the penalty notices if the Regulator decides they are deserving.

The Controller (ie the Board) will usually delegate responsibility to specific staff or agencies to deliver their compliance.. These individuals may be held to account by the Board, but it is the Board who are accountable to the Regulator.

It is often the case that a company will be both the Data Controller, and a data processor – for example when NOT outsourcing your HR records but keeping them in the filing cabinet.

They may use a ‘Data Processor’  – a 3rd party, such a  Cloud Host (AWS), a mailing service (MailChimp), a logistics company (DHL) etc. –  to “process” the personal data, but there will be a clear Data Processing Agreement (DPA) between the two explaining exactly what and how personal data is to be handled.

JEM can supply examples and templates for building a DPA.

It is possible to be a ‘joint controller’ with another body when the responsibility is shared. A Joint Controller Agreement (JCA) outlining which of the responsibilities are led by which party is  required, and should be part of the Privacy Notice of both parties. (JEM can advise,  and have a JCA template if you think this may apply to you).

What exactly is meant by 'Processing data'?
“Processing” has a very wide definition. It covers storing, manipulating, reading, changing, using, deleting, and a host of other “-ing” words.

Even ‘just looking at’ counts as processing.

If you’ve got it, you’re processing it.  If you are collecting it, you are processing it. If someone in your company is seeing it, you are processing it.

Which is why using something like Microsoft Office and ‘One Drive’, their Cloud Storage system,  means you need a Data Processing Agreement (DPA)  between you and Microsoft. They are storing (‘processing’) personal data that you have put there.  Similarly you should have a DPA with Salesforce when they are hosting your company systems.

And if you are an on-line B2C retailer that uses DHL to deliver your products, you are passing personal data to them to enable that delivery. They are then ‘processing’ personal data on your behalf – for example adding to driver’s route-sheets, storing it their invoicing systems to bill you correctly, etc.

Do I need a Data Processing Agreement (DPA)?
Do you (by which I mean your company – see “Who or what is a Data Controller?”)  ask someone else to process your data?  Yes?  – then you need a Data Processing Agreement.

If you already have a DPA in place then you may need a GDPR compliant Data Processing Amendment (confusingly also called a DPA…)

The DPA is simply a contract between two consenting parties, outlining the data services that are offered and accepted, and the rules that surround that agreement.

As a Controller, you are obliged to make sure that everything you promise your data-subjects in your Privacy Notice holds true from your Processors.

In the eyes of the Regulator both Controller and Processor are expected to comply with the GDPR – although it will be the Controller that they will come to investigate first. And the Controller is expected to have ‘controlled’ the personal data it passes to the Processor – by contractually specifying the limits of what can and cannot be done with that data.

Additionally as a Controller you probably want it agreed by contract that any penalty notices you receive as a result of the Processor’s failings, you can recover from the Processor. You would put this in your DPA.

The fly in the ointment is that the ‘big boys’ you may be using as a Processor – AWS, Microsoft, Salesforce, etc.  – want you to follow their interpretation.  To be fair, they have hundreds of thousands of customers, and if there was a different DPA created by each of them, to varying levels of quality, it would be an adminstrative nightmare.  So while ‘officially’ the Controller sets the DPA ‘rules’, in reality, it is the big Processors that have created a standard DPA covering all their customers, and that they expect you to sign.

The plus side is, it saves you time and effort: there is a ready-made DPA which is pretty much nailed on to meet your data-subjects’ needs. The not-so-plus is that these are their terms and conditions which you may not like, or you would expect to dictate yourself.  We have already come across clauses that if YOU were in control you wouldn’t include but which their lawyers have put in to cover them.  We have challenged one or two of these, and effectively been told to ‘put up and shut up’.

If you are dealing with smaller and midsize companies though, by being prepared you hold the cards – as you should.   At JEM we have some templates that can guide you in drawing up either a Data Processing Agreement or Amendment. And even if you are signing up with the major players on their terms, it is worth noting what they have included and excluded. Call us if you’d like some help.

Who owns the data?
Personal Data is ALWAYS  owned by the Data Subject.

You may have a legal basis for processing it (and frankly, you’d better have!), but it is not your data – it is theirs.

As a Data Controller or Processor you are obligated to look after it according to the Regulations, and be able to demonstrate that you do so  – known as “The Seventh Principle” – but while it is Personal Data (i.e. can be used to identify a ‘natural person’,  ” directly or indirectly”) it is never your data.

 

Shall I say it one more time?  Personal Data belongs to the person whose data it is.

Do I need a DPO?
Whether you are a Data Controller or a Data Processor, you only need a Data Protection Officer (DPO) if:
  1. You are a public body;
  2. Your core activities require regular and systematic monitoring of personal data on a large scale*
  3.  Your core activities involve the large scale * processing of sensitive personal data.

*Unhelpfully, large-scale is undefined.

In practice, most health-related organisations will need to appoint a DPO

Your DPO can be an employee or an outsourced contractor but he/she must have a suitable professional qualification such as certification.

A key point is that they must be free of the “purposes and means” of processing personal data within the organisation. This means that they are unlikely to have an operational role or responsibilities within IT or any role where there might be a conflict of interest. They must also have direct access to the Board (or equivalent levels of overall responsibility) and must be provided with the resources to do the job. In practice the last point will mean access to all information systems and to receive details of all data protection issues in a proper and timely manner.

The DPO is also a ‘protected role’ which means that they cannot be instructed on how to carry out their duties nor disciplined or fired for reaching conclusions that are unpopular within the organisation.

How long have I got to respond to a Subject Access Request (aka a SAR or DSAR)?
In short, you have 1 month. However this is variable if the amount of information asked for is large or involves retrieving it from legacy systems. In such circumstances you should respond to the person (data subject) making the request within the initial month saying that you require extra time (up to 2 additional months).

You should conduct a ‘reasonable check’ to ensure that the person making the request is who they say they are.

If a third party request is made of you then you should treat it as if the request comes from the individual themselves. Treat third party requests from solicitors or insurers with caution as some have a habit of asking for data that exceeds the purpose for which it is sought. You have a right to ask the third party to clarify the request but if they insist that they need everything, then you may wish to contact the data subject directly and give the data to them, suggesting that they may wish to pass on only the relevant parts of their data.

How much information do I need to tell someone who submits a SAR?
A Subject Access Request is a way of exercising the right to see all the data you hold about a Data-subject.  The key word is “ALL”.

This is why a Data Inventory is important – do you know where “ALL”  the data is?  How long will it take you to check ‘anywhere it might be’, if you have to look ‘everywhere it could be’?   You’ve only got a month, and a business to run.

So make sure you can identify where all that data is, and can lay your hands on it quickly and efficiently. The filing cabinet; the sales leads database; the staff database; the disaster recovery plans. Etc, etc, etc.

There are some areas where reduction of the volume is possible, and redaction of the information in any given file is required. But you cannot demand or assume – if the data-subject says they want it all, you have to give them all.

Let’s look at some examples:

Sometimes it is necessary to redact or re-write information when it involves another person.  That is, redacting information that is not about the subject themselves. Consider a performance review:  “Susan Smith thinks that David has the potential to be promoted into role X” . This should be re-written as “It has been considered that David has the potential…”  That Susan has an opinion is data about her. David is entitled to know that an opinion has been expressed and what it is, but not by whom.  Before the SAR is passed back to David,  it is important that it is redacted or altered to ensure that the information is available, but not at the expense of the rights and freedoms of another.

(Of course, simply sharing this information, let alone the attribution, has been an area of contention with HR professionals, particularly in the area of succession planning. It is incumbent on the HR department to think carefully about what is recorded, AND to consider the upside of transparency in the first place.  But if it is recorded, it has to be released).

Similar example: medical records.  “It has been calculated that Stuart has a 38% increased chance of cancer, since his mother also has cancer”. Whether or not Stuart knows about his mother’s condition is irrelevant, it is not the role of the surgery when responding to the SAR to share that information with him. And potentially others, such as an insurance company asking for details to assess him for a policy decision. It is his mother’s data, not his.   Just delete those last 6 words before passing over the copy of the record.

Redaction or alteration can be time consuming but it should not be ignored.

What about limiting the volume of data?  It might be possible to reduce by specifying a time-period, or focus on a specific incident:

Tell me everything you’re processing about me”. Steve – that’s going to take us some time, you’ve been a customer for 20 years: is there anything specific you are looking for?”  “I want to know about all the insurance policy applications I’ve made in the past 5 years, and the reasons you rejected me”.

Here the Data Subject has been asked to pinpoint the data they are looking for, and has obliged. He didn’t have to,  but it is easier for all concered if you can have that dialogue.  Note – you cannot use this a sneaky way to limit what you tell them if there is something you want to hide. They are entitled to it all, and can ask for it all. Get it right in the first place…

In Summary: a SAR should share everything you’ve got about a data-subject:  but not include data belonging to anyone else.  And you can potentially reduce the volume by asking for their permission to focus on specifics.

Do SARs always have to be free?
Short answer: YES.

You cannot charge a fee for providing the data subject with a copy of their data, unless it is “manifestly excessive”: e.g a repeat request within 6 months; or the effort and time taken to collate and redact a huge amount of data is such that it is considered “excessive”.  In the latter case you are only allowed to charge a nominal fee, and you have to be confident enough to prove that it was excessive when  challenged.  We believe that in most cases being unable to produce a reply to a SAR without “excessive effort” would be considered a failure on your part in looking after the data, or that the collection of the data has been excessive in the first place. We advise against even attempting it.

The only other way you can charge a fee is if the requester asks for an interpretation or report on their data.

You cannot charge a fee even for postage, so we suggest that you send it via an encrypted email with a separate password.

For considerations of information security, it is better to provide the information electronically anyway, but if the data subject insists that they receive the data in a paper format, you may in turn advise that your policy is that the data subject attend to collect their data in person.  This not only saves money, but also adds an addditional layer of security – you can more easily check that the output is delivered to the data-subject.

We suggest that you make such conditions clear in your Privacy Notice, and that all staff are aware of what general rules you are putting in place for responding to SARs.

I’ve got 72 working hours to report a Serious Breach, yes?
No.

You’ve got 72 elapsed hours.

Put it this way: if you discover it on a Friday you won’t be getting much time off over the weekend.

Some companies ask I tick a box to *stop* marketing when I first sign-up to their website – I thought consent had to be “positive”?
Initially everyone thought that the relationship between GDPR and Direct Marketing meant always having to have ‘positive consent’ to send out Direct Marketing emails to people.

And there was a huge worry that existing mailing databases that had been gleaned over many years were suddenly useless – who knew if and when (and how) consent had been given, and how was it recorded anyway?

Then it was realised that in fact the Privacy and Electronic Communications Regulations, PECR,  still applied. A marketer needs to comply with both GDPR and PECR.  Essentially the PECR allows Direct Marketing if you have expressed interest in products from, or concluded a transaction with a company. GDPR insists that each communication includes an ‘Opt Out’ option, but with PECR you don’t have to ‘Opt In’ to start with.

The mere act of giving your email address to them in the first place is expressing an interest,  and allows them to hit you with relevant (important word)  marketing,  – what GDPR adds is the opt-out on the bottom.

So those companies offering an opt out at the ‘sign up’ process are perfectly OK to do so. They are offering you the chance at this point to say ‘no thank you’, rather than waiting for the first marketing to arrive with its ‘opt out’ option.

2 points to note:

  • Withdrawal of Consent to Direct Marketing still has to be recorded and observed by the company: if you say ‘no’ but still receive it, you are entitled to be upset.
  • GDPR “positive consent” and the other 5 legal bases for processing  ARE still very relevant for what else happens to your data.
How do I know if my use of someone’s data is a Legitimate Interest?
As a company (also known as a Data Controller),  you have to meet one of 6 legal bases to process personal data: and you have to be able to  show that you have
  1. considered what data you have
  2. worked out which of the 6 reasons applies to the purpose for which you are using ( ‘processing’) it
  3. Shared that reason with the data subjects – usually via the Privacy Notice.

One of the 6 is “Legitimate Interest” (LI):   whereby as a provider of good or services,  or as an employer, you consider that your use of their data is justified for busines reasons, and in the words of the Regulation, your need outweighs any risks to their “Rights and Freedoms”.

And how do I prove that?  You conduct a Legitimate Interest Assessment (LIA).  A reasonably lengthy process looking at such things as what you want to achieve; why this particular data is needed; are there other less intrusive ways of achieving it; what mitigations you have put in place to protect the rights and freedoms, and so on.

For each data element for which you decide that LI is the best / only basis for processing, you should record a separate LIA, making notes as to how decisions were reached as an aide memoire when you come to review,  and be prepared to defend those decisions.  Because  the basis of Legitimate Interest for data procesing can be challenged by the data subjects, specifically if they don’t agree with your assessment that your need outweighs their rights and freedoms.

During that challenge you will have to “suspend” processing while you investigate (It is one of the data-subjects’ Rights).

JEM can walk you through the questions and process: we have templates to record LIA outputs, and can help interpret the answers (does it help or hinder your case for LI?).  At the end of the Assessment, you will be able to decide if Legitimate Interest is a viable and defensible basis for processing (or can be made viable by including additional mitigations and safeguards), and have a record of how you reached that conclusion.   Contact us for details on this service.

When do I need a Data Protection Impact Assessment (DPIA)?
From the Article 29 Working Party (the precusor to the European Data Protection Board) guidelines on DPIAs:

It has to be stressed that in order to manage the risks to the rights and freedoms of natural persons, the risks have to [be] identified, analyzed, estimated, evaluated, treated (e.g. mitigated…), and reviewed regularly. Controllers cannot escape their responsibility by covering risks under insurance policies.

And how do you do this? With a DPIA.

Do I need to do this for every process we have or are intending to introduce new to our environment?

No – there is a ‘ready reckoner’ flow chart,  which starts with question, Q1:  Is this processing activity likely to result in High Risk to a data-subject’s rights and freedoms?

If the answer is “No”, then you don’t need a formal DPIA. It does beg the question, how do you know if it likely to result in High Risk…?  You do an informal DPIA.

If you have answered Q1 with a “Yes” (or even a “Maybe”) then  Q2: Is there an Exception?

If “Yes”, then again, there is no need to perform a DPIA.

Nevertheless, and as with all GDPR,  you should record that you have asked these two questions, and the reasons that you have come to this conclusion.

If there is no Exception, then you need to start down the formal DPIA route.

A DPIA is owned by the Controller – and as with everything GPDR related, they are responsible and accountable to the Data Protection Authority (in the UK, the ICO).  It is likely to be carried out by the Project Manager (of the new system being proposed), but  usually under the guidance or tutelage of a DPO or equivalent. It may involve the relevant Data Processors and the data subjects themselves being asked for comment.

In keeping with the GDPR Principle of Privacy by Default and Design, it should take place as early in the project as is possible, and potentially be repeated as the project changes scope, functionality, and solutions: which may affect any risk and mitigations already established.  It is worth pointing out that DPIA is considered a process, not an event: even after the project is finished and the product delivered, there is an expectation that assessments of the data protection impact will continue throughout the life-cycle.

How do I run  a formal DPIA ( and build the ongoing review programme)?   That’s far too involved for an FAQ!   Call or email us if you’d like specific advice.

What’s the difference between DPA 2018 and GDPR?
As far as your Rights and Obligations, very little,  if anything.

DPA-2018, put in place to provide for a smoother Brexit transition, contains the same stuff as GDPR, but clarifies some additional powers, rights and obligations for the security services and the privacy authority (the ICO). These were some of the addendums by which each member state was allowed to vary the Regulation so as to meet their own local conditions –  you will see some similar paperwork being produced in each of the member states.

But in practical terms for the likes of you and me, for the moment you may consider them one and the same.

What is the difference between a Privacy Notice and a Privacy Policy?
A Policy describes a way an organisation works. It is a system of principles to guide decisions,  and is a statement of intent.

It is something that an employee will read and agree to as a decription of the ‘rules’ of the company.

The Policy may say, for example:  “OurCo. will not purchase any Cloud-based software to store Personal Data”.

The Notice explains to the data subjects what this means in practical terms:

“Your Invoice data is maintained in a local database kept in our datacentre”,  and simultaneously:  “Your HR data is kept in the filing cabinet”. Both statements, although quite different, describe to a data-subject how the single Policy directive is being actioned. They don’t need to know the Policy is not to buy Cloud Services, just what the outcomes mean to them.

Quite often much of a Notice does overlap and look like the Policy,  but they fulfil different functions.

What is the difference between a Privacy Statement and a Privacy Notice?
No difference at all – they are used inter-changeably.
What is the difference between a Privacy Statement and a Fair Processing Notice?
No difference at all.   Fair Processing is the old name for the Notice (or Statement…) under the 1998 Data Protection Act.   For those people who were used to complying with that regulation, it is often still used, since habits die hard.
John gives me Janet’s details as his Emergency Contact. Do I have to get her consent?
No.  Even though this is personal data of Janet, it is considered John’s “in case of emergency (ICE)”  data, and you may assume he has obtained consent from Janet in order to share it with you.  Obviously you have to treat it with the same respect and security precautions as you do all of his personal data.

There are a few things to consider though:

  • You should make John aware that you expect HIM to have gained that consent, and that he should tell Janet that he’s given her contact details to you.  She should also be invited to read your Privacy Notice.
  • The very DAY John leaves, you delete that ICE data.  You may keep his financial, employment, HR records for whatever period you or the regulators (e.g. HMRC) deem appropriate and have recorded in your data retention policy:   but you have absolutely no need to keep ICE details one minute past his exit.
  • Often such data is present in ‘business continuity’ documents – which are kept off-site at strategic home addresses (no point his manager trying to contact John when the only record of his ICE phone number has just been destroyed in a fire…). Make sure your HR  processes and procedures are ready to remove that data from not only your central databases but anywhere it is stored (indeed all those places where it is stored should be listed in your Data Mapping  / Data Inventory).
Can I put staff photos on the website?
Short Answer:  Yes you can.  But there are conditions.

Long Answer:

Staff Photos count as personal data.   To process personal data you need to have in place one of the 6 legal basis for doing so.

A quick summary recap. These bases are:

  • Consent
  • Contractual
  • Regulatory
  • Legitimate Interest
  • Public Interest
  • Vital Interest

Let’s see which of these would apply in these circumstances:

Vital?  No – you can hardly claim that putting someone’s picture on the website is helping prevent injury or death.

Public?  Unless you are a public body such as council, who believe it is their public duty to put pictures of the Chief Exec. on their website, there is no good case for using this reason.

Legitimate?  If you perform a Legitimate Interest Assessment (q.v.), you will see that it is very unlikely to pass this test – UNLESS for example you are a modelling or acting agency where your staff or clients’ images are your products.

Regulatory?  Nope, not a single regulatory reason for posting a photo.

Contractual?  Except perhaps in very rare roles, it certainly isn’t a necessary condition of performing their tasks as a member of staff. Making it contractual is a long shot, and one that the courts would be unlikely to uphold.

Which leaves Consent.    And that’s the one that you will need to go for.  However, using Consent has quite a few caveats.

Remember, you need to gain that consent is a positive manner, you need to explain what they are specifically giving consent to before they ‘tick the box’ and date that consent, and you need to record that consent.

You also need to ensure that that consent is not tied to any other purpose or usage of the image. They’ve given consent for a web photo.  You want a TV campaign? – you need to repeat the process, with that specific use stated.

And you need to enable them to withdraw that consent at any stage, in a manner that was as easy as giving it.

JEM  provide a template form (along with many others…) to our clients that allows the HR function to gain consent, record consent, and if it is withdrawn, record that on the same form*.

Then: what happens if they withdraw consent – do I have to remove their image from the website?  Yes, you do.

Given that web-images can be managed relatively easily, you should set (and publish) a time limit by which your web manager should replace those images – 2 weeks perhaps, a month at most.

* Don’t forget that this activity is ‘discoverable’ under a SAR – a data-subject is allowed to see when they provided and/or withdrew consent. Which is why you need to record it.

ALSO: you will have these photos stored in your HR system, somewhere. Make sure they are included in your Data Inventory (and a process for deleting them if / when consent is withdrawn)

Can I put staff photos on their name badges?
Staff Photos count as personal data.   To process personal data you need to have in place one of the 6 legal basis for doing so.

If you use staff badges for access control, then you could complete a Legitimate Interest Assessment (LIA) demonstrating that a photo ID is a necessary part of the company’s security arrangements. It would be necessary to include this in your Privacy Notice as well as your Security / Privacy Policy.

See also FAQ on Legitimate Interest

For tightly controlled access areas (e.g. a lab containing listed drugs or chemicals) you may even wish to make it a Contractual condition, alongside other security measures.

Remember that these photos will not only be on the name badges but also stored in your HR system, somewhere. Make sure they are included in your Data Inventory.

Can I put staff photos in a marketing brochure?
See FAQ on website photos: you will need Consent recorded for the use of photos in a brochure, and all the processes around recording and withdrawing should be in place too.   Note that is should be a separate consent to website, it is not enough to try to have a coverall “I consent to you using my image in marketing campaigns” – each channel should be a specific ‘tick box’.

You will need to think about different exclusions when consent is withdrawn: after all, you cannot be expected to retrieve marketing material that has already gone for publication or distribution.

Nevertheless, a withdrawn consent should be adhered to at the next possible production – if it is an annual brochure changing every year, that is relatively straightforward. But a re-print may be different: it’s something you need to think about, and document your decision – and decision-making process.

That decision should also be included in your consent request such that people are aware of what they are signing.

And don’t forget, that photo will be stored somewhere in your systems, so make sure that you have the processes in place to remove it if / when consent is withdrawn,  or the staff member leaves the company. This will include storage at any 3rd party design and print companies that you use.