GDPR – Processing Personal Data

Data Protection and GDPR are concerned with the processing of personal data. There are vast number of ways in which personal data can be processed. Here we discuss the more common ways personal data is used and where the processing could cause risk to your organisation.

Direct Marketing Activity

The compliance requirements for the delivery of unsolicited information has become more onerous. Under GDPR there is an explicit requirement for data subject consent to electronic communication (phone, text, e-mail). Where the individual has an existing relationship, or where they are an officer of an organisation and you are communicating on that basis, other rules apply.

Liabilities principally arise where, you do not obtain the data fairly,

  • Contact individuals who have opted out
  • Have not kept a record of communications where the subject has declined the option to opt out
  • Fail to keep general Data Protection rules and records

First Compliance can assist you to demonstrate that you have given due consideration to the rights of the subjects and provide a structured set of guidelines for your particular environment.

Surveillance – CCTV/GPS

Recording recognisable images or markers of individuals is the processing of personal data and is subject to data protection legislation (GDPR). Recording must occur in a manner that respects the rights of the individual and for a specific justifiable purpose. The collection of personal data which does not conform with the acts, or that is used for a purpose not stated, would be difficult to protect in a court of law.

Given the prevalence of these forms of surveillance, there are established norms and rules around obtaining, retention, processing and access. There is an obligation to be compliant and to fully document and demonstrate compliance, to avoid exposure penalty. An unlawful recording is unusable by law enforcement authorities, is inadmissible in court, and could act against the purpose for which it was intended.

Areas accessible to the public
Systematic Monitoring of publicly assessable areas typically necessitates the completion of a Data Protection Impact Assessment.

The key issues are;

  • Ensuring that data is adequate, relevant and not excessive for it’s purpose
  • Ensuring that data is obtained and processed fairly
  • Subject/processor contracts
  • The ability to provide copies of the data to subjects
  • Data storage and retention

The Office of the DPC ‘would expect that the data controller would have carried out detailed assessments’ of the risks to the subjects to ensure that the activity is proportionate.

First Compliance can provide advice, risk and impact assessments, and guidance on how best to avoid unlawful processing and hands on support to minimise your exposure.

Data Protection and CCTV

Your Staff & Customers’ Personal Data

The performance of background checks and vetting processes prior to employment needs to the handled with caution. As does the processing of your employees data. This is all personal data.

Access to credit history is typically unlawful, as is access to other forms of information that you do not disclose to the employee/interviewee for comment. These forms of personal data need to be handled appropriately and a robust policy to cover employee related data is essential in a modern business.

In addition to your obligations to protect individuals, there are also obligations to retain data for purposes like tax, equal rights, immigration and etc.

First Compliance can guide you on the obtaining, storage, retention, and use of this data, and help to protect your business form unnecessary claims in this regard.

eCommerce & Selling Online

Many aspects of business have moved online; sales, client interaction and many standard operational functions that are better performed digitally. In all of these activities the fundamental rights of the individuals need to be respected. There is an obligation under GDPR for the Controller to demonstrate compliance.

There is a broad and ever increasing number of activities that fall under this category, however you can ensure good practice by answering six basic questions:

  • Is this personal data?
  • Have I obtained it lawfully?
  • Am I complying with the principals?
  • Do any special rules apply?
  • Do I have the processes in place to manage my obligations?
  • Do I have appropriate contractual cover in place to ensure that other parties involved in this process do not expose me to harm?

If you are not sure of the answer to any of these questions you need to make it your business to find out. Failing to comply with basic data protection rules relating to the protection of personal information can expose your business to harm.

First Compliance can advise you on the safeguards and precautions that you need to take to deliver your service lawfully, to administer your new obligations under GDPR.

Data Protection for online businesses - eCommerce

Sensitive Personal Data

Sensitive data in the context of Data Protection (GDPR) means Religious of philosophical beliefs, cultural or ethnical origin, political opinion, trades union membership, Genetic or biometric identifiers, physical or mental health, sex life or sexual orientation, suspicion of having committed an offence, and a conviction for an offence. Notably, it does not include your financial data.

Processing of these forms of data is explicitly prohibited, save for specific circumstances. Where it is allowable, there are special rules around the obtaining, processing, disclosure and other use of sensitive data.

Do you have information relating to persons that falls into these categories? First Compliance can help you to manage this data lawfully and avoid the liabilities associated with unauthorised use.

International Transfer of Personal Data

Personal data controlled by you may flow freely within the EEA (European Economic Area). There are some other approved states (Switzerland, Guernsey, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay). Special rules apply for Canada. Transfer is restricted to all others that do not ensure an adequate level of protection, most notably the US.

You need to take action if:

  • Your organisation is part of a greater organisation
  • You uses third parties to administer aspects of your operations
  • Partner with others to deliver service
  • You avail of processing services hosted by a multinational
  • And any of these result in personal data moving to unapproved locations

Additionally, in today’s economy, many of your partners in business will also use others to deliver aspects of their data processing. You need to ensure that you have taken the appropriate safeguards to demonstrate compliance in this regard.

First Compliance can advise you on the cross border transfer of personal data under your control, and assist you minimise any possible liabilities that your organisation could be exposed to