The General Data Protection Regulation (GDPR) came into effect on 25 May, 2018. While the GDPR has introduced a number of changes to data protection laws in the EU/Ireland, a lot of the principles and laws had been in existence in the previous data protection framework. The GDPR emphasises accountability, transparency and security by data controllers and processors and unifies the data protection regulation within the EU.
Introduction of the GDPR has certainly raised awareness of data protection and privacy rights and obligations for many individuals and businesses. Many retail sites/shops and businesses offering services have flooded email inboxes of their shoppers/subscribers with GDPR and Privacy Policies notifications. For many organisations, collecting email subscribers’ consent and updating their privacy policies may have been just a tip of the iceberg. Organisations have also been tasked to implement enhanced security measures, to have protocols in handling data breaches and data subject requests, and to ensure suppliers’ compliance with the GDPR, etc.
Despite all the measures and work organisations had to carry out to get GDPR ready at an organisational level, many employees in these organisations may still feel unsure about how the GDPR will affect their day-to-day work from now on. This article aims to provide a practical guide for organisations and their employees and attempts to answer some questions many employees may have in relation to how GDPR will change their day-to-day practices in work.
What data is regarded as personal data?
While many people may have already been familiar with these concepts, it is useful to set out these terms first. Pursuant to the GDPR, personal data means any information relating to an identified or identifiable natural person (“data subject”). This could be a name, contact information, an identification number, a job title, location data, and features specific to the physical, physiological, genetic, mental, economic, culture or social identity of that natural person.
Even where organisations operate in a B2B model and deal solely with business entities, processing of personal data is likely to be involved if that business is registered using an individual’s details or if the organisation holds contact details of individual employees of that company that allow for identification of those individuals.
What is legal basis?
Article 6 of the GDPR sets out a number of legal bases which can be relied on for data processing activities.
- Consent from the data subject to the processing of his or her personal data for one or more specific purposes;
- The performance of a contract to which the data subject is a party;
- To take steps at the request of the data subject prior to entering into a contract;
- Compliance with a legal obligation;
- To prevent serious loss or damage to the health or the property of the data subject;
- To protect the vital interests of the data subjects, where it is inappropriate to get their consent;
- For the administration of justice;
- For the legitimate interests, especially legal interests, of the Company except where the data subject’s fundamental rights and freedoms override such interests.
What do employees need to do differently when handling personal data of clients, customers, or other business contacts?
For most businesses, majority of the processing of personal data is covered by the legal bases of contractual obligation, legitimate interest, and legal obligations. Any data processing carried out on these legal bases should be carried out as normal going forward. However, organisations may need to insert a section in their terms of engagement or service provision agreement that they may need to process certain data for the purpose of that contract.
The GDPR creates a hurdle for data processing that is not necessary for the performance of contractual obligations, legal obligations or protection of legitimate interest of the company, i.e. marketing. Processing of personal data for marketing purpose normally requires consent, but there may be an exception in the context of B2B marketing, which will be dealt with in the next section. In the context of B2C marketing, valid consent is required before any marketing emails or calls can be sent or conducted.
While most data processing activities should be carried out as normal, employees should remain conscious of the legal basis of the processing activities. Again, it is important that all data processing activities must be necessary and justified by one of the legal bases set out in Article 6 of the GDPR.
Do employees need to acquire consent from every single business contact they have built in the past years?
This largely depends on how and for what purpose the contact information was collected and for what purpose employees intend to use the contact information. In most circumstances, if the contact information was obtained in the normal course of business dealings, it is safe to use such contact details to carry out most of business operations except for marketing communications. In the context of marketing communications, organisations and its employees may be able to rely on soft opt-in to conduct their marketing emails or calls.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 which transposed the Privacy and Electronic Communications Regulations of the EU into Irish law provides an option of soft opt-in for marketing communications. A common circumstance where soft opt-in applies often involves marketing of a product or service that is of a kind similar to that supplied to the customer in the context of a sale previously. This means if organisations and their employees obtained contact details of a client or a customer in the past in the context of a sale, there is no need to obtain consent from the client/customer in order to use the contact details for marketing of similar products/services provided they were given an opportunity to opt out when their details were first collect and in every communication thereafter. When a client or customer chooses to do opt out, employees should stop sending marketing communications and remove the person from their marketing list immediately.
Where soft opt-in does not apply, the pre-GDPR position of the Data Protection Commissioner on direct marketing is that B2C marketing via email requires consent from the customers, while B2B marketing via email does not necessarily require consent from the business contacts but an option to opt out must be provided.
This position is subject to change as the DPC updates their websites after the GDPR came into effect.
The new ePrivacy Regulation governing electronic regulations may also bring update to B2B marketing in the near future. It was intended to be implemented in line with the GDPR in May 2018, but it is likely that it will come into force in 2019. It will repeal Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
What if a client or a customer makes contact with employees and wants to exercise his/her right as a data subject?
The GDPR and the Data Protection Act 2018 grant a number of rights to data subjects, including right of access, right to data portability, right to object to processing, right to deletion, etc. Many of the rights are not new, but the GDPR has enhanced some of the rights and made the public more aware of them.
Employees should be conscious that data subjects can request access to any data held by their employer on them. This means that the data subject may gain access to any file in relation to him/her, including any comments or notes made by employees. Thus, employees should be more aware of the likelihood of data subject access request in their daily communications with colleagues and avoid leaving any unnecessary or inappropriate comments or notes in client or customer files.
What else should employees know?
Employees should be aware that organisations which are data controllers now have a duty to notify the DPC of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights of data subjects. This means that every employee now has a duty to report to his/her supervisor upon discovering any data breach. For example, if employees discover that their email log in password was compromised and was used by someone else unlawfully, they should treat this as a potential data breach and report it into their supervisor immediately. Or if employees sent an email containing client data to a wrong email address, they should also treat this as a potential data breach. Employees should not assume that a colleague has already notified the breach.
Conclusion
Employees in most organisations should not be overly concerned about carrying out data processing activities going forward. The GDPR does not stop organisations and their employees from processing personal data. The majority of data processing activities should be carried out as normal where the legal basis is legitimate interest, contractual obligation, and/or legal obligation. It creates a hurdle marketing communications as valid consent must be obtained.
In response of the GDPR and the Data Protection Act 2018, employees should be more “data sensible” and more aware of the likely consequences of their daily activities. If ever unsure, it is always a good idea for employees to check with their manager or get in touch with a solicitor.
For more information contact Gerard Rudden at gerard.rudden@arqsolicitors.com or Sally Sun at sally.sun@arqsolicitors.com.
This article is for general guidance only and should not be regarded as a substitute for professional advice.