Highly Sensitive Personal Data Compliance
The General Data Protection Regulation (GDPR), which became law throughout the EU, applies to all entities that process personal data. However, law firms and financial services organisations that handle highly sensitive client information need to be extra vigilant about their compliance or risk heavy penalties.
- Introduction to GDPR
- Categories of Personal Data
- Data Protection Needs Assessment
- Third Party Suppliers & Data Processing
- An Individual’s Rights
- Privacy Statement Requirements
- Dealing with a Data Security Breach
- Subject Access Requests
- Appointing a Data Protection Officer (DPO)
- Security Requirements
Introduction to GDPR
The General Data Protection Regulation is about being upfront with your customers in terms of:
- being lawful, fair and transparent;
- the purpose of the personal data you are collecting about them;
- what you are going to do with it;
- how long you are going to store it for;
- keeping the data up to date; and
- how secure the personal information you hold on them is.
From the implementation date of 25 May 2018, failure to comply with the GDPR can result in heavy fines from the Regulators.
Categories of Personal Data
Personal data includes:
- a name
- an identification number – client, mobile, telephone
- an address/email
- location data
- an online identifier (IP address)
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There are also special categories of personal data (previously referred to as sensitive categories), which cover:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person;
- data concerning health; or
- data concerning a natural person’s sex life or sexual orientation.
Data Protection Needs Assessment
As a business, you need to identify all the personal data that you collect. Once identified, you need to be able to state why you hold it, where it is stored, how you obtained or collected it and why it was originally gathered. This needs to be in your Privacy Statement.
Third Party Suppliers & Data Processing
You also need to address the security of that data both in terms of encryption and accessibility.
If you share that information with third parties, e.g. courier companies, IT companies or web designers, these are considered data processors; the GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data”.
You will need a written, signed contract with them setting out their obligations regarding the data, the conditions under which they may process it, the security conditions, and that the data is deleted or returned on completion.
A Data Processor can also be directly sued by the Regulator.
Processing of personal data is lawful only if:
- the data subject has given their consent;
- it is necessary for the performance of a contract or to take steps prior to entering into a contract;
- necessary for compliance with a legal obligation to which the data controller is subject;
- in order to protect the vital interests of a person;
- necessary for public interest or official authority;
- for the legitimate interests of a data controller/3rd
An Individual’s Rights
An individual has the right:
- to ask for their data to be transmitted to another controller;
- to be forgotten (the ‘right to be forgotten’), provided that this does not conflict with current Employment Law, which may require records to be kept for a set number of years depending on the circumstances;
- to know what they are giving consent to;
- not to be treated as having consented through silence, pre-ticked boxes or inactivity on their part (each processing activity/purpose must also have its own tick box);
- to withdraw consent at any time;
- to be given options for both yes and no in intelligible language.
Privacy Statement Requirements
Every organisation must have an up-to-date Privacy Statement. This must:
- identify and give the contact details of the Data Controller;
- state the purpose and legal basis for processing;
- state the legitimate interest (if there is one);
- state the recipients or categories of recipients of the Personal Data (e.g. Google Analytics would have access to your client’s personal data);
- state, if applicable, any transfers of personal data abroad (e.g. Mailchimp data goes to the USA, and your servers may be located outside of Ireland; you will need to link from your privacy statement to the hosting account’s privacy statement);
- state how long you will be holding the information (retention period);
- state the right of the consumer to have access to that information;
- state the right of the consumer to have the information rectified;
- state the right to be forgotten/erasure;
- state the right to restrict processing;
- state the right to object to processing;
- state the right of the consumer to move all their data to another company;
- state their right to withdraw consent if processing is based on consent;
- state their right to lodge a complaint;
- state whether providing the data is a statutory or contractual requirement, or necessary to enter a contract, including the obligation to provide it and the consequences of failing to do so;
- state the existence of any automated decision-making, including profiling, with meaningful information about the logic involved and its significance and consequences.
Dealing with a Data Security Breach
A Breach is “a breach of security leading to accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Companies must have procedures in place to detect, report, record and investigate a breach (we suggest having templates ready to go in case).
If there is no risk, you do not have to report to the Regulator, but if the data breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported.
If it is a breach, this must be reported to the Regulator within 72 hours, unless the data was anonymised or encrypted such that the breach presents no risk.
If the breach will bring harm to an individual, you must report it to the individual, describing the nature of the breach, the categories and approximate number of data subjects and records concerned, and communicating the name and contact details of your Data Protection Officer or other contact point. You must also describe the likely consequences of the personal data breach and the measures taken to address it, including mitigation measures.
Subject Access Requests
It is a good idea to put in place a ‘Subject Access Request’ procedure. This means that if a customer phones your company and requests all the information you hold on them, you have a procedure in place for getting it to them. You cannot charge them, you have one month to answer their request, and you can only refuse if there is a justifiable reason.
Appointing a Data Protection Officer (DPO)
A DPO needs to be appointed if:
- you are a public authority or body;
- your core activities consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- your core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
You need to keep records of processing activities, except if you have fewer than 250 employees and process no Special Category personal data.
Security Requirements
- Restrict your IT systems to minimise security breaches;
- Grant access on a need-to-know basis*;
- Password-protect and encrypt devices;
- Have back-up procedures in place.
*Many businesses now run a separate business Wi-Fi network rather than a single open Wi-Fi network for everyone.
The GDPR is not simply about ticking boxes, updating website privacy policies or seeking more explicit email marketing opt-in consents; it is about behavioural practices when handling personal data.
Professional services firms that are already regulated in Ireland (whether by the Central Bank of Ireland, the Law Society, IFSRA or another regulator) need to be aware of how the GDPR stipulations (e.g. with regard to reasonable retention periods for data) are implemented within each given regulatory context.
The apparent lack of high profile prosecutions for GDPR breaches to date should not be a cause for complacency!
There are many resources online on this subject, but you can read the primary text of the Regulation here, indexed by key issues and chapters.