You could say that when the General Data Protection Regulation (GDPR) came into effect on 25th May 2018, everything changed. Businesses especially saw a noticeable difference, as the rules regarding how they accessed, stored, used and protected data went through a major upheaval.
As a new business, the first thing you need to understand is the terminology and who is who. Here is a quick summation:
Controllers determine how and why personal data is collected and are also responsible for notifying the ICO of any data breaches e.g. if any data is stolen or if any is lost by your business.
In many ways, data controllers are data processors too – and are subject to the same requirements – however, their focus is more on deciding the purpose of these data processing activities, not how it is done.
A good example of this is a business using a contacts management app (which manages/stores customer details) that is hosted by a third party. In this scenario, the business is the controller and the third party is the processor. If, however, you managed all of your data on a spreadsheet that you’d created yourself, then you would be the controller AND the processor.
Data controllers are also in charge of making sure a business is compliant with GDPR. This includes checking transparency, data storage, data confidentiality and the accuracy of any data that is collected or stored, as well as ensuring any contracts you have with processors are also compliant.
Processors are responsible for processing/analysing any personal data that they’ve collected on behalf of the controller. This means anyone with access to personal information who uses it, e.g. to send marketing emails, is considered a processor.
Data processing is also described as any operation performed on personal data. This can range from storing, collecting, recording, organising, sharing, erasing and consulting, etc. Those in this role are expected to ensure that all data is processed in line with GDPR, and that it is done with the right level of security.
Now, as a processor you would have to meet a specific set of legal obligations. You must keep:
- up-to-date personal data records and details of your processing activities and categories. This includes any details of data subject categories (customers, employees, suppliers, etc.) and the categories of processing that are carried out e.g. transferring, hosting, receiving, etc.
- records of any transfers to countries outside the EEA.
- security measures in place, such as encryption and pseudonymisation, along with proof that you are regularly testing these measures.
- general descriptions of technical and organisational security measures.
- records of your compliance in handling data.
In the event you are responsible for a breach, you would have more legal liability than under the DPA: customers affected by a data breach could make a claim directly against a data processor. NOTE: the size of the penalty would be based on how serious the consequences of your failure to comply and meet your obligations are, e.g. not providing sufficient security measures or failing to report a breach within 72 hours.
Data Protection Officers
Data Protection Officers are responsible for ensuring that companies adhere to GDPR requirements and remain compliant, as well as act as a point of contact for data protection queries.
Now, you can approach this position in a number of ways:
1) You can keep it internal and appoint someone in the team to be responsible for data alongside their current role.
2) You can hire someone whose job is to solely make sure that you’re compliant. This route is particularly ideal if you’ve got a large business.
3) You can outsource the DPO duties to someone externally.
With options 2 and 3, it is particularly important that you hire a Data Protection Officer if you regularly do large scale processing i.e. if you systematically monitor data subjects on a large scale and have extensive personal information, or if you process large volumes of special category data.
NOTE: if you employ fewer than 250 people, then you are exempt from this requirement, unless you’re involved in large scale data processing of sensitive personal data.
What about your employees?
Whether you’re a controller or a processor, it is important that you train everyone in your business to ensure that they are fully aware of how to correctly collect, use and manage data. On top of this, you need to make sure that they are knowledgeable of your security procedures to minimise/prevent the loss or misuse of data.
Still not sure how to handle GDPR? Contact our team at Economit.
We can perform an audit of your processes and help you to determine the best course of action for maximising data protection and making your business compliant.