Bhavisha Mistry senses the panic in the air as the General Data Protection Regulation’s 25 May deadline draws ever closer. But she’s not sure what all the worry is about.
I’ll say it: I don’t get why people are so scared and negative about the GDPR.
The GDPR is a good thing. We are all ‘persons’ within the definition of personal data. Surely, we care about how our data is processed? If this is the case, then the GDPR can only be seen as positive. It clears up the grey areas and gives organisations the financial incentive to implement it. And it’s not even a complete overhaul of the existing position, so why are we so frightened?
The GDPR fills the gaps that have so far had to be dealt with by case law. Yes, it adds a new right to data portability and puts the right to erasure on a statutory footing, not to mention potentially huge fines, but these rights can only be exercised in narrowly prescribed circumstances, something a lot of commentators, GDPR consultants and the like fail to acknowledge.
So let’s break it down. Essentially, when processing personal data you must comply with four things:
- The six principles
- The data subject’s rights
- Adequacy for transfers outside the European Economic Area (EEA)
- Keeping records.
The six principles
These are the principles set out in Article 5(1) of the regulation (the ICO lists a seventh, accountability, which is what the record-keeping requirement below is about):
- Lawfulness, fairness and transparency: tell the individual that you are processing their data and have a legal basis for doing so, eg consent, legitimate interests, performance of a contract
- Purpose limitation: have a clear reason or purpose for processing and don't stray from it
- Data minimisation: don't collect more details than are necessary for that purpose
- Accuracy: keep data accurate and up to date
- Storage limitation: don't keep data for longer than you need it
- Integrity and confidentiality: keep the data secure.
The data subject’s rights
There’s been much scaremongering around the individual’s rights. You may have heard the following from panicked colleagues: ‘We’ll have to delete every speck of information on every server in every continent around the world.’ ‘We’re going to have to transfer online identifiers and the like to everyone.’ I may be exaggerating a little, but you get the idea.
However, those rights are only exercisable in certain defined circumstances.
For example, the right to portability only applies where the legal basis is consent or a contract and the processing is carried out by automated means, so it doesn't apply to data processed on the basis of legitimate interests. Similarly, for that same legal basis, there is no right to erasure where an overriding legitimate interest justifies continued processing. If you familiarise yourself with these rights, you'll realise they're not all that scary and, most importantly, you'll find a legal basis that suits you.
There are also practical measures you can take to avoid having to scour every single data set you have. A data inventory that maps which systems hold which categories of personal data, and on what legal basis, means an access or erasure request becomes a lookup rather than a search, and it doubles as the record of processing you have to keep anyway. So wise up and figure out what works best for you.
Adequacy for transfers outside the EEA
As is the case now, you need to ensure data is adequately protected if transferred outside the EEA, so check the adequacy lists and get model clauses (standard contractual clauses) in place, or use whatever other approved mechanism you prefer. Nothing new here.
Keeping records
Keep a record of your processing activities: what personal data you hold, why you process it, who you share it with, how long you keep it and how you secure it. This is just common sense – how else will you be able to show you have complied?
The final word
Now you've got the basics, it's plain sailing from here. The Information Commissioner's Office has some really helpful guidance – I'd use this over the PowerPoint slides of the aforementioned expert GDPR consultants!
If there’s one final message, it’s this: prior to its adoption, the GDPR had been in consultation stage for many years. Every problem, issue and concern has been carefully scrutinised by the legislators, so you can rest assured that the outcome you find within the regulation is the best one.
Bhavisha Mistry is general counsel and company secretary at Missguided and In-house Division committee vice-chair.