The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the most comprehensive overhaul of the way personal data is stored, processed and communicated in this country. As an organisation that handles a significant amount of personal data, it is our responsibility to outline our procedures in a transparent manner and explain what we are be doing to comply with the new regulations.
We have also outlined the basis of the new regulation in a simple and straightforward way. The GDPR is complex and this is not intended to be a complete overview of all the duties we / you need to undertake in order to be compliant. However, it is hoped that by publishing this document, this will enable you to understand how important it is to comply with GDPR, review your organisation’s data processing activities and produce your own policy document.
Introduction to General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 and came into effect on 25 May 2018. The GDPR replaces the Data Protection Directive 95/46/EC and is intended to harmonise data privacy laws in order to protect the data privacy of all EU citizens. GDPR applies to all organisations (controllers and processors) processing the personal data of EU residents.
For data processing to be lawful under GDPR, organisations must identify and document the legal basis for each of its data processing activities before it processes personal data.
As with the Data Protection Act, you need to gain consent from the person in order to process their data but there are much stricter rules under the GDPR. Following the introduction of the Act in May 2018, your data processing activity must be communicated in a transparent manner – with particular attention paid to the question of consent.
Failure to comply with the GDPR creates a significant risk for your business. For example a personal data breach could result in a ‘Stop Order’ forcing a shut down of all data processing activity. Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements. It is important to note that these rules apply to both controllers and processors and ‘clouds’ will not be exempt from GDPR enforcement.
GDPR principles
- Lawful fair and transparent – data collection must be fair, for a legal purpose and it must be clear how the data will be used
- Limited for its purpose –it can only be collected for a specific purpose
- Data minimisation – only necessary data must be collected
- Accurate – Data must be accurate and kept up to date
- Retention – Data should not be stored for any longer than necessary
- Integrity – Data must be kept safe and secure
It is not enough just to comply with these principles, you must be able to demonstrate compliance. This means having updated policies about how personal data is managed, responsibilities allocated, staff trained and systems audited. It also means bringing in technical measures to improve safety and security.
Consent
Under the GDPR there is a higher standard for consent. Consent is defined as a ‘freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data to him or her’
Consent must be clear and provided in an intelligible and accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Organisations need to ensure that their technology systems to allow for demonstrating consent as well as easy withdrawal of consent.
Individuals have the right to object to the processing of their personal data for direct marketing purposes.
Breach notifications
Under the GDPR, the supervisory authority needs to be notified of any data breach without undue delay and within 72 hours. Controllers must also notify data subjects of a data breach involving their personal data unless the breach is unlikely to result in a high risk for the rights and freedoms of the data subjects, or appropriate technical and organisational measures such as encryption were in place at the time of the breach.
Right of access
The right of access is substantially different under the GDPR. Everyone has the right to obtain confirmation as to whether or not personal data concerning them is being processed as well as details as to the purpose for which this data is processed.
The GDPR introduces a best practice recommendation that where possible, organisations should provide data subjects with remote access to a self-service system in order to be able to access this information.
Right to be forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, stop any sharing of their data and potentially prevent third parties from processing the data too. The right to be forgotten is not an absolute right and there are certain grounds on which the right to be forgotten can be refused including the right to freedom of expression and information, or where the personal data is processed in the exercise or defence of legal claims.
Data Subject Rights
The full list of data subject rights introduced or strengthened by the GDPR are as follows:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- Personal data will be securely archived after full payment is received
- Personal; data will be kept in a secure archive account for a maximum of 7 years
Data portability
GDPR introduces the right for an individual to receive their personal data and to have the right to transmit that data to another controller. This is not an absolute right and only applies in certain circumstances.
Privacy by design
Privacy by design requires data protection to be included in the designing of systems from the start and to be embedded in all data processing activities. The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this regulation and protect the rights of data subjects’ Only data absolutely necessary for the completion of its duties can be processed and access to personal data is limited to those who carry out the processing.
Privacy notices
Information about how and why you process someone’s data is different under the GDPR. The information you provide to people about the way you process their data must be:
- Easily accessible and written in clear and plain language
- Provided free of charge
- Concise, transparent and intelligible
In addition to explaining how you collect personal data, your identity and how you intend to use the data, you will also need to specify:
- the legal basis on which you are processing the data
- your data retention periods
- that individuals have the right to complain to the ICO if they believe there is a problem with the way you are handling their data
It is recommended that current privacy notices are reviewed so that they comply with the GDPR.
For all the latest information about the GDPR please see the ICO website at https://ico.org.uk
Preparing for GDPR checklist
- Review the ways you currently obtain consent and make sure there is a procedure in place to withdraw consent
- Check if you collect any genetic or biometric information and implement procedures for protecting this data
- Ensure there are procedures for dealing with data
- portability and right to be forgotten requests
- Make sure company policies on personal data will be
- Updated according to the six data protection principles
- Check and update your privacy notices
- Undertake a data audit and compile a data register
- Ensure staff have adequate training
- Review your risk assessment procedures
Our current procedures
When a client / customer supplies personal data to dsl, this is given to us in the form of a spreadsheet sent via a secure portal found on our website: www.dsluk.net outlining the name, address and contact details for the customers, together with details of the debt amount.
This data is then used to contact defaulters to collect debts.
We also send invoices and statements via email.
Secure Data Portal
Customers are issued with a unique reference number and password that enables the transfer of data via an encrypted portal, following safe receipt dsl carry out a GDPR compliance check of the data and then start the debt collection process.
DSL customers will still receive paper versions of invoices and statements, unless you request otherwise.
How does DSL use personal data?
In order to collect debts, DSL staff use personal data supplied to us in order to contact individuals and organisations via the following methods:
- Text messages
- Telephone calls
- Letters
- Emails
- Personal visits
Data sharing
From time to time, it is necessary for DSL to share personal data with the following:
- CCJ Register
- Land Registry
- Tracing agency
- County Court
- Sheriff’s Office, Scotland
- High Court
- Solicitors
- Banks
- Credit Services Association
- Royal Veterinary Association
- AllPay
- Fathom (DSL’s IT company)
- Companies House
- Insolvency Practitioners
- Step Change
- Locksmiths
- Police
- Merchant card provider (Global Iris)
- Should it become necessary to send personal data outside the UK, the relevant customer will be advised and permission sort to continue before data transfer takes place.
Risk Register
In order to ensure that we are GDPR compliant, we are compiling a risk register to identify any areas of potential risk for data breaches. As we have less than 250 employees, we will also document processing activities that:
• are not occasional; or
• could result in a risk to the rights and freedoms of individuals; or
• involve the processing of special categories of data or criminal conviction and offence data.
DSL Data Systems are managed and supported by Fathom, Fathom Security Policy accompanies this policy.
