In part 3 of our series of articles on GDPR, we answer some of the questions that our clients have been asking us.
Part 3: Frequently Asked Questions
With the GDPR now only a few months away, lots of questions are starting to be asked about the specific details as we all absorb the implications and impact on almost every business in Europe. We will collect and answer some of the most common ones here. Please check back regularly for updates.
| Do I need to be ‘GDPR compliant’?
The EU creates 5 different types of legal act – Regulations, Directives, Decisions, Recommendations and Opinions. Of all these, Regulations are the strongest because they are immediately legally binding across all member countries equally.
However, the individual states then issue national legislation in order to define the authority, checks and sanctions of the Regulation.
In the UK, we have the “Data Protection Bill 2017-19” currently going through the House of Lords. This is the draft that will soon become the “Data Protection Act 2018”, replacing the now antiquated “Data Protection Act 1998”, on or before the 25th May 2018. This new Act will implement the GDPR, extending and adjusting it where necessary to work appropriately for the UK.
Where the old DPA 1998 was a matter of registering if your business considered itself to be collecting or processing personal data, the DPA 2018 will apply automatically to every business, and of course there are those headline-grabbing fines for data breaches that will certainly be applied.
So the correct answer to the question is: all UK businesses will need to be compliant with the Data Protection Act 2018.
| Will the GDPR still apply after Brexit?
Yes it will. For the UK to be able to trade with EU member states after Brexit, it will have to operate data protection standards that satisfy the requirements of GDPR at a minimum. The Data Protection Act 2018 will ensure these standards continue to be applied in the UK.
| How long do we have to respond to a Subject Access Request?
A Subject Access Request is a formal request by an individual for you to confirm whether you have collected their data and what details you are holding; it may be followed by a request for you to correct or erase that data.
You are required to give a no-nonsense answer within 1 month. However, if the request is complex, you can write to them and explain why there will be a delay, which can be for a maximum of 2 more months.
| Can I charge to provide a response to a Subject Access Request?
In most circumstances you cannot charge. Under the old Data Protection Act 1998, you could charge a fee of £10 but the GDPR says that responses should be given free-of-charge.
However, a ‘reasonable fee’ covering the cost of administration can be charged in cases of repetitive or excessive requests from an individual, in order to prevent unfounded demands.
| Does an individual’s right to erasure or the right to be forgotten extend to backup copies?
Yes it does extend to backup copies. Strictly speaking, you must know where all copies of that subject’s data are located and correct or erase those copies as well.
But the GDPR gives a caveat, adding “taking into account the available technology and the cost”. So it is very possible that in many cases this won’t happen in practice.
But you must remember that not knowing (or claiming you don’t know) where all the copies of the data are located, or that other backup copies exist, is not acceptable. This is regarded as laziness or incompetence and frowned upon by the authorities.
| Does the GDPR apply to paper-based records?
Yes, it certainly does. The protection of data held in paper records is just as important as that of data held in digital format. Far too often businesses focus on the management and security of electronic records and severely overlook that their responsibilities extend to information held in filing cabinets and storage rooms.
Hard-copy records are actually harder to manage, because these days computer access controls and auditing are somewhat easier than controlling physical access to filing cabinets. If you have a breach of paper-based records (a break-in or a fire), you will probably have a lot more difficulty knowing what was lost or leaked, and which individuals you need to inform that you have breached their data protection rights.