This ultimate guide explains the General Data Protection Regulation (GDPR) with everything you need to know.
Table of contents
- What is the General Data Protection Regulation (GDPR)?
- What are the 7 principles of GDPR?
- What to do when processing personal data
- What are the GDPR legal grounds for processing data
- What is the risk of ignoring GDPR legislation?
- Is absolute GDPR compliance possible?
- What are the 4 P’s of GDPR?
- Do you need a Data Protection Officer?
- What is GDPR Article 27?
- How does GDPR apply in schools?
- What new risks to GDPR did COVID-19 and lockdown bring?
- Get GDPR Compliant
What is the General Data Protection Regulation (GDPR)?
At its core the General Data Protection Regulation (GDPR) is about protecting people’s information and data. Your data. My data. Everyone’s data. It sets out in law some key protections for us and what we can, and should, expect of those that we share our data with. As a regulation and a law, it uses some pretty technical language that can be hard to digest or even understand. The principles though are sound. Let us explore the basics in terms we can understand, and then look at some of the more technical language to see if we can decipher and understand it.
What are the 7 principles of GDPR?
In an attempt to keep things simple, the GDPR sets out 7 principles as the foundations of GDPR compliance. When we give companies our data we can expect them to follow those 7 principles of GDPR. They are:
1. Lawful, fair, and transparent
Be open and honest about how you’re using personal data. Don’t be unethical, and make sure you have a lawful reason to do what you’re doing. Don’t ever be shady in your processing – you will lose the confidence of your customers and staff.
2. Purpose Limitation
If you collect data for one reason, don’t assume you can use it for other reasons without checking compatibility with the first purpose. If a customer satisfaction survey is completed, for example, it doesn’t automatically mean that information can be added to marketing lists.
3. Data Minimisation
ONLY collect the data you need. Don’t collect extra data ‘because you want it’, or ‘just in case’. This is a big one, and over-collection is something we see often. Would the people in the CRM be surprised at the level of information you hold on them? Do you genuinely need to process it to achieve the purpose? Before you collect the info, stop and think. If you don’t need it, don’t collect it.
4. Accuracy
Make sure the data you’re processing is up to date and accurate. Hopefully, this is self-explanatory. If in doubt, check.
5. Storage Limitation – aka retention
Don’t keep data longer than you need it. If your marketing or fundraising lists are over 10 years old, and there’s been no interaction between your organisation and the person on the list for many years, you probably need to have a clean-up. Don’t keep things ‘just in case’. Make sure you have a retention policy and schedule that covers everything from email to paper records. Put processes in place to make sure data is deleted when needed.
6. Integrity and Confidentiality – aka security
Make sure you have appropriate security measures in place for the volume and types of data you process. The legislation cannot give you prescriptive guidance for the measures your specific organisation needs to put in place – that would be impossible. You need to assess what is appropriate to you and the people whose data you need to protect. For example, the measures a hairdresser needs to have in place would be totally different from those of an organisation providing medical care.
7. Accountability
The principle many people forget about.
Take responsibility for the processing you do and be able to evidence it. Make sure you document the decisions you make relating to data protection and risk. Have your Record of Processing Activity (ROPA) in place. Put Privacy by Design at the heart of every new project. Get your Data Privacy Impact Assessments documented. Do all of this and more.
Ensure you have the right reporting structures in place, along with escalation routes for things that need to be addressed.
Accountability is a huge topic, and much advice is freely available on the ICO website. If you need specific advice, get in touch.
The General Data Protection Regulation integrates accountability as a principle which requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate what they did and its effectiveness when requested. Accountability is a common principle for organisations across many disciplines; the principle embodies that organisations live up to expectations (for instance in the delivery of their products and their behaviour towards those they interact with).
What to do when processing personal data
There are some basic and simple things that organisations must do to demonstrate that they are compliant with the law. At a high level, this includes:
- documenting what personal data is processed
- documenting how, why and for how long data is processed
- having a process for when things go wrong
- considering whether you need a Data Protection Officer
We can see that documentation is a key part of demonstrating effectiveness and compliance. ‘If it is not written down, it does not exist’ is a good maxim to live by.
Steps to ensure compliance
As we get a bit more technical and detailed, we can explore the key steps you need to take to ensure compliance with data protection legislation. These would include:
- Identify what personal data you hold
- Conduct a risk assessment of the personal data you hold and your data processing activities
- Implement appropriate technical and organisational measures to ensure data (on digital and paper files) is stored securely
- Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of personal data
- Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business. Make sure that the data is accurate and kept no longer than is needed for the purpose for which it was collected
- Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to, and how long you need to keep their data
- Establish whether or not the personal data you process falls under the category of special categories (sensitive) of personal data and, if it does, know what additional precautions you need to take
- Decide whether you will need to retain the services of a Data Protection Officer (DPO)
- Decide whether an Article 27 EU Representative is required.
What are the GDPR legal grounds for processing data
The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. According to the GDPR, an organisation can only process personal data under certain conditions, and the processing must be based on one of the following legal grounds:
- The consent of the individual concerned
- To satisfy a legal obligation
- A contractual obligation between you and the individual
- To protect the vital interests of the individual
- To carry out a task that is in the public interest
- For your company’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. If the person’s rights override your interests, then you cannot process the data
What is the risk of ignoring GDPR legislation?
GDPR legislation, as it applies in the UK as data protection law under the Data Protection Act 2018, is indeed that, a law. A law with the protection of data about us all at its heart and, to some extent, giving control of that data back to us. It also places some pretty serious obligations on those that collect, use, and share our data.
As a law it is of course enforceable. What is becoming apparent is that no one knows to what extent that enforcement will actually take place.
Don’t get me wrong, across the EU we are starting to see some eye-watering numbers in terms of fines and some headline cases being brought to trial. Getting it wrong, as can be seen, has some very serious consequences. If you get caught.
The checks and balances built in mean that those of us whose data it is can complain and speed this process along. It requires the legislator to pick it up, but the power is in our hands. In addition, you are seeing a rise of court cases almost along the lines of ‘where there’s blame there’s a claim’, with TV adverts encouraging people to get in touch with the promise of compensation. Attractive to the lay person, no doubt; who remembers PPI?
The reality for many though is that the risk will be low. Of course, it is the right thing to do. It is the law after all. But as it stands, mass enforcement is low, with many reported breaches going unchecked. Times are changing, and as we move to a post-Brexit world in the UK, both the UK and the EU are coming to grips with what this means and how it applies to GDPR. For now, to address the question posed above, ‘What is the risk of ignoring GDPR legislation?’ Well, the risk is fines and enforcement; but that risk, in today’s world, is low.
Is absolute GDPR compliance possible?
Absolute GDPR Compliance – what does that actually mean? To some, it means a tick box; ‘we do x or y or z’. To others it means more of an ‘absolute privacy’ view of the world. But as an organisation trying to navigate your way through 1001 different pressures, what does GDPR compliance mean to you?
As for me, I suppose you could call me a bit of a pragmatist. I believe in privacy, protection of data and the power of data. Otherwise I wouldn’t be able to do what I do and motivate others the way I do. However, I can also see and appreciate the complexities of life and know that sometimes, there are no winners, and that a square peg really does have to fit into a round hole.
When you’re thinking about data, the data you need to run your organisation, the data you need to grow your organisation and the data you might be worried about losing, what does ‘GDPR Compliance’ mean to you?
Is being transparent with your customers and staff just a piece of paper? Or is it a behaviour? A skill? A company ethic?
Is ‘security’ just a barrier to getting the work done, or is it a key part of the organisation that both works to secure your data as well as supporting staff to work collaboratively and efficiently to succeed?
A key part of GDPR/Data Protection is accountability. Yes, it does come with some ‘physical’ things you need to put in place. However, it also comes with things that are more difficult to wrap your hands (and head!) around. Culture. Skills. Business ethics. Behaviours. Values.
If you want to set yourself apart, and really make the most of the ‘digital data age’, then GDPR Compliance can either just be a piece of law, or you can use the principles of Data Protection as a way of working, a way of collaborating, a way of expanding and building a trusted, reliable service for staff and customers alike.
What are the 4 P’s of GDPR?
Elizabeth Denham, CBE was appointed UK Information Commissioner in July 2016. Just prior to the General Data Protection Regulation (GDPR) coming into force in May of 2018 she was named the most influential person in data-driven business in the updated DataIQ 100.
In the Information Commissioner’s Office (the UK’s independent authority) campaign leading up to 25th May 2018, when GDPR became enforceable, Denham said, ‘One of the key requirements in GDPR is accountability; that is being able to demonstrate you are compliant to data protection law’. She further commented, ‘Cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this, not only as they have a duty under law, but because they have a duty to their customers.’
The 4 P’s
The approach to compliance should be very much positive. Aligning to GDPR is an opportunity to take the business through a transformation exercise that not only makes the organisation more resilient, but that can lead to a far better experience for your customers, be they B2B or B2C.
GDPR compliance isn’t going to happen overnight. As recent events have dictated, organisations need to demonstrate flexibility and ensure business continuity. Therefore, a pragmatic approach helps. An organisation can then focus on where the immediate risks are, and how to mitigate or work towards reducing the risk. They can look to creating a security culture, so that organisation wide, all employees adopt the principles of security and privacy by design.
People are sadly the weakest link. There are too many stories that link a simple human error to a data breach as a consequence. One of the 12 steps in working towards GDPR compliance is ensuring all people within the business understand and are aware of what GDPR compliance means. It isn’t a case of a tick box, ‘done that!’; the ‘cyberscape’ is ever more complex. So introducing regular training not only assists in compliance but means you are enabling your ‘human firewall’ to lessen the risk of a data breach via a phishing or vishing attack.
Were you to get a visit from the ICO, one of the documents they would ask you for is a Record of Processing Activity (ROPA). As the name suggests, this contains a general description of your data processing, together with the technical and organisational security measures that make up your safeguards for protecting personal data, e.g. encryption, access controls, training, etc.
Do you need a Data Protection Officer?
In the wake of several landmark data breaches, many organisations are once again finding themselves asking, ‘Do we need a Data Protection Officer?’ Although the guidance under the regulation may seem clear to some, to others the line can feel a little blurred. While having a Data Protection Officer (DPO) may not be ‘compulsory’, not having one creates a risk to any organisation that handles, processes or monitors personal data. A risk that few businesses can afford.
GDPR and DPO
Under the GDPR, appointment of a DPO is compulsory if you:
- Are a public authority or body
- Conduct regular or systematic monitoring of data subjects
- Process special categories of data or criminal convictions on a large scale
And it’s those key words that blur the lines. Because how often is ‘regular’? What constitutes ‘systematic’? How large is ‘large’? Well, the honest answer is that there is no right answer. It really does depend on your organisation, the sector you are in, the amount of effort you have made and the steps you have taken to protect your data subjects from a breach.
Why appoint a DPO?
This is why clients and businesses often choose to appoint a DPO. Even if it may not be compulsory for them, in doing so they can demonstrate to the ICO, their beneficiaries, their customers and their business partners that they have done everything they can to protect them. No system is perfect, all processes carry a degree of risk, and sooner or later, those processes can break down. And the main principle of GDPR isn’t necessarily how successful you were in protecting data against all possible threats. It’s how hard you tried as a responsible stakeholder and business leader to protect the data to the best of your ability with the resources available to you.
And that ability is where the DPO comes in. Under GDPR, your DPO needs to meet certain criteria; they need to be impartial, authoritative, unimpeded, constantly informed and educated in a wide number of disciplines. They also benefit from protected employment status, and it is very hard to combine the role with other responsibilities without breaching the conflict-of-interest requirement.
Getting those skills in house comes with a hefty price tag. Many organisations are now finding that they can make cost savings in recruitment, employment and retention by outsourcing the service to a qualified practitioner.
What is GDPR Article 27?
With the end of the transitional period (31st December 2020) looming, you will be interested to learn that Article 27 of the General Data Protection Regulation requires organisations that process EU residents’ data, but that are established outside of the EU, to formally appoint a representative in the European Union to represent them on data protection matters.
Processing personal data
If you are processing personal data connected to:
(A) The offering of goods or services, regardless of whether payment is required, to persons in the EU
(B) The monitoring of such persons’ behaviour, if that behaviour takes place in the EU
then under Art. 27 (1) GDPR, you must designate in writing a representative in the EU.
‘Representative’ here means a natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the GDPR.
For example, if you are a UK company not domiciled in the EU after December 2020 and you process the data of EU citizens in connection with the provision of goods or services within the EU, then an EU-based Representative is necessary.
A recent case in Austria against a US company, pursuant to Art. 27 (4) GDPR highlighted some key points around EU Representatives:
- Because the US company was based outside the EU, but their business was involved in the sale of goods to EU citizens, an EU-based Representative was needed
- Therefore, the EU-based Representative was a necessary conduit for the proceedings, but the US company was still the liable party. Accordingly, the authority stated that, ‘Pursuant to Art. 27 (5) GDPR, the present decision of the data protection authority is directed against the [US company]’
The European Representative has several key responsibilities:
- Maintaining records: The EU-based Representative must maintain records of processing activities for the non-EU-based company (which is the one that has to prepare and provide such records, pursuant to Article 30)
- Co-operation and liaison with supervisory authorities: The nominated EU-based Representative, as shown in this case, is usually the first point of contact in case of a breach, and they must co-operate with the supervisory authorities in the EU
How does GDPR apply in schools?
Data Protection in Schools
Data Protection within schools has never been more important than it is today. With such a large amount of personal data (pupils, parents and staff included) being processed online, it is essential that schools ensure compliance with GDPR and the Data Protection Act 2018.
All members of staff must handle data securely and confidentially; data protection should be considered internally with the same importance as Safeguarding. The school must, by law, be able to prove that they have the appropriate technical and organisational processes in place for this to happen.
All maintained schools and academies must appoint a Data Protection Officer (DPO) by law. Independent schools do not have to do so, unless they are processing large amounts of special category data. However, this doesn’t mean they can process data to any lesser standard. The laws around data protection remain exactly the same. However, in these cases it must be asked: is the current data protection lead role being carried out to the same standards as safeguarding within the school?
What schools should consider
So, how does GDPR apply in schools? Basic reference points would be:
- Is the school registered with the Information Commissioner’s Office (ICO) as a data processor? (Failure to register is against the law and could lead to an automatic fine)
- Are regular (termly) compliance audits undertaken to prove accountability?
- Is there a Retention policy followed by staff?
- Do you arrange regular data protection training for staff?
- Are you aware who has access to personal data and why?
- Do all staff have knowledge of how to respond to a Subject Access Request (SAR)?
- Could staff recognise a data breach, such as an email sent to the wrong parent?
- Has the school conducted Data Protection Impact Assessments (DPIAs) on any new processes used within the school? (e.g. Zoom, Teams, etc.)
Beyond these basic requirements, the data protection lead should also be updating the SLT and Governors on ongoing changes to the law and for any requirements that are particularly relevant in the current crisis, such as:
- How to handle SAR or FOI requests regarding exam gradings. This is particularly relevant as it may affect students going forward with 11 plus results.
- Key privacy concerns surrounding COVID-19 “back to work” safety measures (e.g. recording of health data).
- How to conduct safe online home schooling.
We all understand that this is a particularly difficult time for schools in preparing for probably the hardest school term ever, but realise that the law will not allow you to drop your standards on data protection.
Data Protection Agreements: Eliminating commercial risk by complying with law
Becoming compliant with the GDPR is a change management project, and like all such projects, its success or failure will rely on both a continued high level of support from senior management and the engagement of staff in changing the actions, and the culture, of an organisation.
A typical change management programme is advanced over a period of months, to allow for the culture change to bed-in before further change is introduced.
This paper is intended to be a short introduction to the ‘Why?’ of requiring data protection agreements to be put in place, as well as the ‘How?’ of their contents.
Processor and Controller Legal Duties: A binary choice
A ‘processor’ refers to a person, company, or other body which processes personal data on behalf of a controller. They don’t decide how or why processing takes place, but instead carry out processing on the orders of a controller. A Data Controller must ensure there is a Data Protection Agreement (DPA) in place with all Processors before the first piece of personal data is processed. Where a Processor has sub-processors in the chain, it stands as their Controller. It is also obliged to inform the Controller of those sub-processors, and the Controller has the power to object to them.
As a Data Processor with its own sub-processors, a company is obliged to make sure that any DPA put in place with its sub-processors mirrors the DPA put in place higher up that chain with those who stand as the ultimate Data Controllers.
The GDPR states that the Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR, and that the Processor allows for and contributes to audits conducted by the Controller or a third party on the Controller’s behalf. And at the end of the data processing by the Processor and on the Controller’s instruction, the Processor deletes or returns the personal data received from the Controller.
The GDPR specifically forbids data controllers from using processors who cannot provide ‘sufficient guarantees to implement technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.’
Overview of mandatory provisions of Data Processing Contracts
The GDPR prescribes the provisions which must be included in a Data Processing Contract between a Controller and a Processor. A Controller and Processor should enter into a Data Processing Contract which must, at a minimum, contain the following details:
- The subject matter, duration, nature and purpose of the data processing;
- The type of personal data being processed;
- The categories of data subjects whose personal data is being processed; and
- The obligations and rights of the Controller.
A Data Processing Contract should also contain the following mandatory provisions:
- That the Processor will only process personal data received from the Controller on documented instructions of the Controller (unless required by law to process personal data without such instructions) including in respect of international data transfers;
- That the Processor ensures that any person(s) processing personal data is subject to a duty of confidentiality;
- That the Processor takes all measures required pursuant to Article 32 GDPR (Security of Processing) including but not limited to implementing appropriate technical and organisational measures to protect personal data received from the Controller;
- That the Processor obtains either a prior specific authorisation or general written authorisation for any sub-processors the Processor may engage to process the personal data received from the Controller. The Processor must further ensure that where a general written authorisation to the Processor engaging sub-processors is obtained, the Controller has the opportunity to object in advance to each individual sub-processor to be appointed by the Processor;
- That any sub-processors engaged by the Processor are subject to the same data protection obligations as the Processor and that the Processor remains directly liable to the Controller for the performance of a sub-processor’s data protection obligations;
- That the Processor assists the Controller by appropriate technical and organisational measures to respond to data subject rights’ requests under the GDPR;
- That the Processor assists the Controller to ensure compliance with obligations under the GDPR in relation to security of data processing (Article 32 GDPR), notification of data breaches (Articles 33 and 34 GDPR) and data protection impact assessments (Articles 35 and 36 GDPR);
- That, at the end of the data processing by the Processor and on the Controller’s instruction, the Processor deletes or returns the personal data received from the Controller; and
- That the Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and that the Processor allows for and contributes to audits conducted by the Controller or a third party on the Controller’s behalf.
Other provisions which may be included in data processing contracts
There are a number of other provisions which Controllers and Processors may wish to include in Data Processing Contracts which are not mandatory for inclusion under the GDPR.
Such provisions may include but are not limited to:
- Liability provisions (including indemnities);
- Detailed (technical) security provisions; and/or
- Additional cooperation provisions between the Controller and Processor.
Such additional provisions may be agreed between Controllers and Processors on a case-by case basis.
What new risks to GDPR did COVID-19 and lockdown bring?
Having recently been asked to present at a webinar on ‘Lockdown Risk’, it got me thinking.
How has the Lockdown changed an organisation’s Data Protection status?
For most, in a new world where ALL organisations have been forced to reconsider their working arrangements, the pressures of trying to run a ‘Business as Usual’ approach during Lockdown in a new, decentralised model has been extremely challenging. So, information security and data protection took a back seat.
During Lockdown, survival in all senses of the word is understandably what had to, and did, come first. And being innovative and finding ways of putting in quick alternative solutions (work arounds) became the new norm.
Unfortunately, it was the same case for the ‘cyber criminals’ too*.
Add to this trying to monitor non-furloughed employees’ performance when working remotely in their own homes. Evidence already suggested that 3rd party suppliers were a huge risk factor. A risk that has now increased significantly.
This got my GDPR alarm bells ringing!
Back to Basics
It’s time to go back to the basics of the original GDPR foundations:
- The need to identify risks to your business.
- Breaking down silos caused by the new regime.
- Rebuilding trust internally and externally throughout your organisation.
How do you do this?
- Policies and processes will need refreshing, and ‘ROP’ (Records of Processing) updating.
- With any equipment, networks, environment changes there is still the need to deliver Education and Awareness.
- Ensure that you can still evidence that you have the Organisational and Technical controls in place and tested.
- Remember, you are still responsible for making sure your contracts and outsourced providers (3rd parties) are GDPR compliant. They too will have had to change.
- Cyber-crime pre-COVID-19 was already costing the global economy over $2 trillion
- Online shopping fraud has risen by 46% since the start of Lockdown, ‘making it one of the biggest crime growth areas’ in the UK.
- Human error accounts for 95% of internal breaches. There has been a big spike in email and phone scams as criminals look to seize on people’s vulnerabilities around COVID-19
- When it comes to coronavirus, your personal information may not be your first thought; if you’re worried, the ICO have put together some information to help: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/
Get GDPR Compliant
The road to GDPR compliance is relatively straightforward. There is a lot of advice, help, guidance and templates on the Information Commissioner’s website. It is entirely possible in most cases to implement the GDPR yourself. The only question will be the learning curve and time required, which might be better spent on your core business. When it comes to achieving compliance it is usually best practice to get the help of a trusted GDPR solution company. It will save both time and money in the medium to long term.
Choosing a GDPR solution company
There are many GDPR solutions, with a market awash with sole traders and one-man bands. Whilst they have their place, it is our experience that the first decision is to choose a GDPR solution that is a registered Limited Company. There are certain checks and balances that a Limited Company brings. This will narrow the field but still leave you with a broad spectrum of solutions to choose from.
Is there a list of due-diligence-checked, rated and reviewed trusted GDPR solution companies?
Yes, there is a LIST. ALLOWLIST works with trusted GDPR solution companies. As part of the onboarding there are checks on Limited Company status, and that professional indemnity insurance and public liability insurance are in place. Companies that are LISTED are subject to customer ratings and reviews. It doesn’t guarantee anything, but it provides a level of assurance.
Finding your ideal GDPR solution company
Using the powerful search features of ALLOWLIST it is possible to search the suppliers based on your very specific requirements. That could be the sector that you work in, the qualifications you want the supplier to have, the location of the supplier and so much more. This puts the power of selection in your hands. In addition, all you have to do is ASK us and we can help you, for free, to shortlist the GDPR solution companies that could be right for you. We are industry professionals of over 20 years’ standing.