Almost ten months have passed since GDPR first became enforceable on 25 May 2018, and it is now possible to begin to assess its true impact and application. The Information Commissioner has described that impact as “an ongoing compliance journey”. For businesses operating in Europe, it is important to carry out an internal data audit from time to time to ensure continued compliance with the regulations. If you are unsure about your compliance, need a review of your terms, or need your contracts updated, make an enquiry with us today using the enquiry form on this page.
The Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection, has provided supporting guidance to businesses on GDPR, which it has continued to expand since implementation. This guidance has now been amalgamated into the ICO’s ‘Guide to the General Data Protection Regulation’ (the ICO Guide), which also refers to the guidance issued by the EU-wide Data Protection Board. Businesses should pay attention to the ICO Guide to ensure compliance, and should also consider the Data Protection Act 2018, passed by Parliament at the same time as GDPR, which expands on the regulations and lists exemptions specific to UK-based businesses.
Key clarifications given in the ICO Guide that are well worth considering for any business are:
The definition of “Personal Data”
As an organisation you must ensure you are handling personal data correctly. The ICO Guide now gives a more comprehensive definition of what actually constitutes personal data:
- Personal data only includes information relating to natural persons who:
  - can be identified or who are identifiable, directly from the information in question; or
  - can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the GDPR.
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data. However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
The ICO Guide provides ways for businesses to identify what actually is “Personal Data”. The identifiers are:
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals. A name is perhaps the most common means of identifying someone.
- A combination of identifiers may be needed to identify an individual.
- The GDPR provides a non-exhaustive list of identifiers, including:
  - identification number;
  - location data; and
  - an online identifier.
- ‘Online identifiers’ include IP addresses and cookie identifiers, which may be personal data.
- Other factors can identify an individual.
In order to determine whether your business holds “Personal Data” for the purposes of GDPR, a business should apply the following tests to its data:
- If, by looking solely at the information you are processing, you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
- You don’t have to know someone’s name for them to be directly identifiable; a combination of other identifiers may be sufficient to identify the individual.
- If an individual is directly identifiable from the information, this may constitute personal data.
The General Principles
GDPR is based upon General Principles to be adhered to (Art. 5). It provides that any personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified and legitimate purposes and not used in a manner that is incompatible with those purposes;
- adequate, relevant and limited to only what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The ICO Guide now expands upon each Principle in a helpful way through discussion on what each Principle entails and how they apply, using practical examples as well as information on their correct and incorrect application.
An important note is that if you rely on existing consent to process Personal Data, you cannot swap this for another legal basis of processing without further consent to do so. Businesses should always ensure that they obtain customer consent before storing and/or processing Personal Data for a particular purpose, and update that consent if the reason for holding the Personal Data changes.
Who GDPR applies to
GDPR applies to any business operating within the EU, and to any business outside the EU that, in the course of its business, provides goods and services to customers in the EU.
GDPR places obligations on “Data Controllers” and “Data Processors”. What you are will depend on how you use the data you hold.
Data Controllers are organisations that obtain data and use it for a particular purpose: for example, if you are collecting data for executing sales orders.
Data Processors store data: for example, if you store customer contact details for marketing purposes after a sale.
You may be both a Data Controller and a Data Processor, or you may act as a Data Controller and outsource data to a Data Processor: for example, if you forward data to a third-party cloud storage provider for storing customer records or mailing lists. You are legally liable for any personal data processed. As a Data Controller you also have a duty to ensure that any third-party organisation you have shared data with is also GDPR compliant.
Compliance with GDPR is mandatory for those carrying on business in Europe, so the updated ICO Guide is welcome. Organisations should familiarise themselves with the ICO Guide on an ongoing basis, as it acts as a key resource for ensuring compliance.
Does your business process Personal Data? Are you compliant and up to date with the Data Protection Act 2018?
It is important to ensure you have up to date terms of business and that your contract terms reflect the current laws on data protection. This is increasingly important for internet based businesses and marketing businesses.
If you are unsure about your compliance and would like a review of your terms of business or website terms, speak to us today by clicking here.