At TMA we know regulatory changes can be challenging and often scary. To help you prepare for the next significant change, the General Data Protection Regulation (GDPR), we have created a Knowledge Bank where you can find all the information you need.
Our Knowledge Bank contains a number of useful guides, FAQs, infographics and more.
25th May 2018
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
As well as the GDPR, the Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
PECR is not new; it simply sets out some extra rules for electronic communications. You must still comply with the Data Protection Act as well.
Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the Data Protection Act, and vice versa – but there are some differences and you must make sure you comply with both.
PECR restrict unsolicited marketing by phone, fax, email, text or other electronic messages.
You will often need specific consent to send unsolicited direct marketing, especially if you do so by email or automated telephone calls. The best way to obtain valid consent is to ask customers to tick ‘opt-in’ boxes or provide a signature confirming they are happy to receive marketing calls, texts or emails from you.
You should keep clear records of what a person has consented to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.
Remember that the customer is entitled to withdraw their consent at any time.
A generic consent form will also cater for the requirement of ‘consent to contact for marketing purposes’.
Click here for the useful ‘obtaining consent for marketing’ checklist.
The Information Commissioner’s Office (ICO) launched a dedicated advice line this month to help small organisations prepare for the GDPR.
The phone service is aimed at people running small businesses or charities and recognises the particular problems they face getting ready for the new law.
There is already plenty of reference material available on the ICO website to help organisations employing fewer than 250 people prepare for the GDPR, but this new phone line will offer additional, personal advice to small organisations that still have questions.
People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
In addition to the new phone service, the ICO has also announced plans to:
By the end of the year, the ICO will publish a Guide to the GDPR. It expands the content of the current overview to make it a comprehensive guide along the same lines as the current Guide to Data Protection.
Click here for more information.
Our Field Compliance Manager, Simon Lovell, says you should now be thinking:
The ICO have replaced their ‘Getting ready for GDPR Checklist’ with two new checklists – one for data controllers and another for data processors.
Before undertaking the ICO’s self-assessment checklist to help your organisation get ready for the GDPR, you should first determine whether your organisation processes personal data as a ‘data controller’ or a ‘data processor’. The definitions of the two terms can be found here.
In some instances, organisations will process personal information as both a controller and a processor. When this is the case, the ICO would advise you to complete both assessments.
GDPR checklist for data controllers
Designed to help you, as a data controller, assess your high-level compliance with data protection legislation. It covers the new rights of individuals, handling subject access requests, consent, data breaches, and designating a data protection officer under the upcoming General Data Protection Regulation.
GDPR checklist for data processors
Designed to help you, as a data processor, understand and assess your high-level compliance with data protection legislation. It covers the new requirements for data processors, the rights of individuals, data breaches, and designating a data protection officer under the upcoming General Data Protection Regulation.