GDPR: One year, six questions

Posted on: May 24th, 2019

Just over a year has passed since the General Data Protection Regulation came into force in the UK. On the 8th July 2019 news broke of the ICO’s intention to issue British Airways with a substantial fine of £183.39m, serving as a timely reminder of the importance of GDPR compliance.

Data protection and privacy compliance is firmly established as a key factor in many risk profiles and senior decision makers are undoubtedly taking notice.

Many queries we receive from clients pop up time and time again, so with that in mind, our Employment and Commercial teams have pulled together some of the most frequently asked questions.

I’ve heard we need to delete everyone from our customer mailing list if we have not obtained consent to email them. Is this true?

This is still a very common question that we receive. Businesses are frequently concerned that they need to delete their mailing lists if they cannot evidence that they have obtained explicit and freely given consent.

However, this is not always the case. Consent is just one of the six grounds for processing personal data under the GDPR. For marketing to existing customers and clients, you may be able to rely on “legitimate interests” if you can evidence that how you use the data is proportionate, the use of the data has a minimal privacy impact, and individuals would not be surprised or likely to object.

Of course, other obligations will apply including that you set out your processing activities in your privacy notice. You’ll also need to consider any additional obligations in relation to direct marketing, including the Privacy and Electronic Communications Regulations 2003, particularly where you want to send marketing to consumers.

Do we have to get our employees’ consent to put their photograph on our website? And what if an ex-employee wants their photograph removed from the website?

If an individual can be identified directly from the photograph, or together with other available information, the photograph will be classed as personal data. Typically, photographs will also be clear enough to reveal information concerning the individual’s health, racial or ethnic origin, or religious belief, so the image is likely to actually be classed as a special category of personal data, often called ‘sensitive personal data’.

The legal bases for processing sensitive personal data are limited, including with the individual’s explicit consent, to protect an individual’s vital interests, or where it is necessary for carrying out employment obligations (such as paying sick pay).

For employee photographs for marketing purposes, the only applicable legal basis will be consent, so you will need to get your employees’ explicit consent to put their photographs on the website. In addition, as the GDPR requires that consent can be withdrawn at any time, you will need to remove their photograph should they request this (unless you can find another legal basis to keep it there!).

‘Controllers’ and ‘Processors’ – these terms sound as though they are from a below-average sci-fi movie. What do they actually mean to my business?

In a nutshell, the terms are used to apportion responsibility for data processing activities and ensure that the flow of personal data between organisations is clear throughout supply chains.

Controllers determine the nature and means of processing personal data. In other words, controllers decide what personal data to collect and what to do with it.

Most businesses are likely to be controllers in some capacity. For example, employers will typically be controllers in relation to all processing of their employees’ personal data.

Processors undertake certain processing activities on behalf of controllers. For example, a database company that stores another company’s client information is acting as its processor. Processing includes collecting, structuring, using, disclosing and even deleting personal data; if you do those things for another business, you may well be acting as a processor.

In practice, clients often find that the neatly defined labels of ‘controller’ and ‘processor’ do not always reflect the commercial realities. It’s often difficult to identify which party is fulfilling which role, particularly where multiple organisations are involved in the provision of more complex services. In these situations, seeking specialist legal advice is key.

Once we’ve collected the personal data, how long can we keep it for?

This is a very common question, probably because the GDPR does not set out retention periods. Instead, it contains a general principle of storage limitation.

What this means in practice is that businesses are free to set their own data retention periods, so long as they can reasonably justify the period chosen. Of course, in some situations, the period is set out in legislation or regulation.

Any period you decide on should be properly documented in a retention schedule and set out in your privacy notices and policies. Keeping data for long periods is a common area of non-compliance. It’s also something that we understand the ICO receives a lot of complaints about.

In response, we see many businesses de-identifying or anonymising personal data at the end of its life cycle, enabling them to retain their valuable data and continue to generate aggregated insights.

Do we have to deal with a data subject access request (DSAR) that we know has been submitted as a nuisance?

We have seen a surprising trend in queries concerning ex-employees and job applicants submitting requests to access their personal data from the employer. Frequently, the individual is making the DSAR to annoy the organisation, or in anticipation of a potential employment claim.

An individual’s right to make a DSAR is a key element of the GDPR, and has been a fundamental right in data protection legislation for many years. If you receive a DSAR from an individual, you are no longer able to charge a fee and you must provide the information without undue delay and, in any event, within one month.

Whilst you are free to ask the employee in more detail what information they are after, the reasoning behind the request is not relevant to your legal obligations. The GDPR does provide that if a DSAR is manifestly unfounded or excessive, the organisation can charge an administration fee or refuse to act on the request. However, this is a high threshold and employers should not be cavalier in using this exception.

If my business only has one or two employees, do I still need to comply with the GDPR? What about if I just engage one self-employed contractor?

One of the common misconceptions of the GDPR that we hear from clients is that it only applies to employers of over 250 employees. This is not correct – there is no exemption for small businesses.

Whilst there is a provision in the GDPR on ‘Records of processing activities’ which only applies to organisations employing 250 or more employees, the vast majority of obligations apply to businesses of all sizes.

This means that if you are employing only a couple of people, or engaging a single contractor, you will still need to adhere to data protection obligations. This includes considering your legal bases for processing the individual’s data, providing the individual with a privacy notice, and determining data retention.

For more information on the GDPR and what it means for your business, please contact Charlotte Allery or Guy Cartwright.