GDPR data privacy compliance help

How to get ready for GDPR – follow our 6 step action plan

GDPR compliance is not an option – it’s the law, but it’s also your opportunity to improve existing business operations and to build competitive advantage. Here at Business Clan we are taking a pragmatic and risk based approach to GDPR compliance.

Reading time – about forty minutes. Alternatively, skip to the key takeaways (a 10-second read) and bookmark this page to read later.

What’s covered – if you are new to GDPR, then first read our overview and get to grips with what your legal duties and responsibilities are. If you are ready to dive in, then follow our 6 Step Action Plan to progress your journey to GDPR compliance. Afterwards, if you still have questions, then read our FAQ.

Help – our team of specialists are here to help with training, consultancy and implementation. Get in touch for a FREE initial consultation.

Updates

  • 17/06/2018. A link to HR Solutions’ guidance on the authority/justification for retention periods has been included in the FAQ on “How long can you keep personal data for?”.
  • 24/03/2018. The data protection fees in the FAQ section How to register have been updated.

Overview

This section covers what the GDPR is, its objectives and scope, and who needs to comply.

1. What is GDPR?

GDPR (the General Data Protection Regulation) relates to the collection, processing and protection of an individual’s personal data within the European Union (EU). Personal data means any information that can be used to identify an individual (whether at home or at work) including, for example, name, email address, location data and online identifiers. It also addresses the export of such data outside of the EU.

The GDPR came into force on 24 May 2016 but, due to its two year implementation period, will only be enforceable from 25 May 2018. It applies to all member states and will continue to be adopted by Britain even after we have left the EU. The government announced a new Data Protection Bill in the 2017 Queen’s Speech and this Bill is now going through Parliament.

How long is the GDPR and where is it online?

The GDPR comprises 99 articles and 173 recitals, and is much more comprehensive than its predecessor, the Data Protection Directive (Directive 95/46/EC). The original text (156 pages including the associated Directives) has no indexing. Luckily, there are easier to read versions (e.g. privacy-regulation.eu and gdpr-info.eu) with hyperlinked headings, a handy table of contents and a search facility. In addition, the UK’s Information Commissioner’s Office has produced easy-to-read information and guidance which is available on their website.

2. What is personal data?

Personal data is defined as any information that can be used to identify a living person (called a data subject). It includes addresses, phone numbers, online identifiers (such as those stored by cookies) and factors specific to the physical, physiological, genetic, mental, economic, cultural and social identity of a data subject. This definition of ‘personal data’ reflects the fast pace of technological development.

It does not matter whether the data is of a personal nature or business related; if it is reasonably likely (see Recital 26) that you can identify the natural person either directly or indirectly, then it is personal data.

The Regulation does not apply to anonymous data.

3. What are the objectives?

The GDPR is about achieving three objectives related to the collection, processing and protection of an individual’s personal data. The objectives are:

  1. protect the rights of EU individuals in relation to their own personal data;
  2. require data processors and controllers to act lawfully and fairly; and
  3. allow the free movement of personal data within the EU.

4. Who has to comply?

Anyone, regardless of their legal entity, who collects or processes personal data of EU residents must comply under GDPR unless the processing falls outside the scope (Article 2) of the Regulation e.g. if it falls under law enforcement regulations, it is for national security purposes, or it is carried out by individuals purely for personal/household activities.

This means it applies to data processors as well as data controllers (see the FAQ on the difference between a data controller and a data processor). Where data is transferred e.g. from a data controller to a data processor, both parties are equally accountable (see Article 28 (4)).

Post Brexit, UK data controllers and data processors will still need to comply with GDPR. The new Data Protection Bill is currently going through Parliament and will become law in 2018. This will replace the existing UK Data Protection Act and incorporate GDPR legislation.

5. What do you need to do?

As a data controller or data processor you must adhere to the principles of the GDPR. As this is the crux of the GDPR, we have highlighted the principles in the section covering your legal duties and responsibilities.

Once you know what you have to do under GDPR, the next step is to action it. You can do this by following our 6 Step Action Plan which incorporates the ICO’s 12 Steps To Take Now.

6. Who will enforce GDPR?

In the UK, the ICO (Information Commissioner’s Office) is the appointed independent authority responsible for upholding information rights and data privacy.

The ICO has the power to issue administrative fines. The maximum amount depends on the type of infringement; for the most severe infringements fines may be up to 20 million Euros or 4% of an organisation’s global annual turnover of the preceding financial year (whichever is higher). The fines apply against both data controllers and data processors (where the total combined amount does not exceed the maximum penalty). However, in each individual case fines will be effective, proportionate and dissuasive (Article 83).

The ICO has confirmed that it will not be making early examples of organisations for minor infringements and it prefers the carrot to the stick approach.

Visit the ICO website for official advice and guidance.

7. What's all the fuss about?

There are three reasons why there’s a lot of media attention and why many business owners and managers are concerned:

  • the scarily high fines if you don’t comply;
  • the work involved to ensure compliance; and
  • the difficulty in understanding what you need to do to comply.

Throughout the legislation, you are expected to follow best practice and, as is often the case with regulations, the articles and recitals are open to interpretation. For example:

  • you will need to do a balancing test, when collecting and processing personal data under a legitimate interest, to determine whether your legitimate interest is outweighed by the rights and freedoms of the individual; and
  • you will need to put into place comprehensive but proportionate governance measures.

At the end of the day, if you are challenged, it will be the ICO who decides whether your balancing test has been done fairly and whether your governance measures are comprehensive and proportionate.

Six step action plan

The following action plan is designed to help you comply with GDPR. If you already adhere to the principles of the Data Protection Act, then it will be a case of tightening up your best practices and implementing a few additional processes and procedures.

6 Step Action Plan

  1. PLAN – Work out what you have to do
  2. NOTIFY – Tell people what you will do
  3. ENACT – Do what you say you will do
  4. RECORD – Prove what you are doing
  5. RESPOND – Inform, notify & act promptly
  6. REPEAT – Review & maintain compliance

Step 1 – PLAN

Work out what you have to do

You need a clear road map to minimise risk and avoid costly mistakes later on. We have broken this stage into four tasks:

Task 1 - designate someone to take responsibility

Once key decision makers in your organisation are aware of what GDPR is and how it will impact your organisation, designate someone to take responsibility for GDPR compliance. You may wish to consider contracting out this role, particularly if you are a small organisation.

Only public authorities and organisations that either carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking), or carry out large scale processing of special categories of data or data relating to criminal convictions and offences, are required to formally appoint a Data Protection Officer (DPO). If you are unsure, then the Article 29 Working Party has published guidelines about DPOs (click to download) and an FAQ.

The designated person (including a DPO) does not have to have any special qualifications. However, he/she should have professional experience and knowledge of existing and impending data protection law (e.g. the new UK Data Protection Bill) which is proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires. Further guidelines are available on the ICO website.

Your designated person (or DPO) will also need to be familiar with the Privacy and Electronic Communications Regulations (PECR). PECR is complementary to the GDPR and the UK Data Protection Act, and relates specifically to people’s privacy rights in relation to electronic communications.

For more information about how to register and to find out about how the fees will be changing under the new Data Protection Bill, visit our FAQ: How to register?

Task 2 - carry out a data audit and, if necessary, data protection impact assessments

A data audit needs to cover all personal data that your organisation collects and processes including:

  • how and why you process it (i.e. establish your legal bases under GDPR);
  • who has, or rather who should have, access to it and establish whether it is adequately protected:
    • internally – how is it accessed, managed and reviewed,
    • externally – who do you share it with (e.g. payroll service provider, marketing agency, delivery company);
  • whether you are keeping only what is necessary and keeping it only for as long as is necessary; and
  • whether the information is accurate and up to date.

There are various tools to help you capture the information from the audit. A visual data mapping and process tool may be helpful (e.g. Skore) together with a spreadsheet such as the ICO’s template for data controllers which can be downloaded here.

You may also be required to carry out data protection impact assessments (DPIAs) to help you identify and assess the impact of your data processing on the rights and freedoms of individuals. For further information about DPIAs and when you need to conduct one, see our FAQ.

Task 3 - review your data protection & security measures

Personal data must be processed with appropriate security and confidentiality.

Article 32 of the GDPR states that appropriate technical and organisational measures are to be put in place to ensure a level of security appropriate to the risk whilst taking into account available technology and the costs of implementation.

The ICO has yet to provide updated guidance with regard to Article 32, but a good starting point is their existing guidance located under the heading of ‘security’. There is also a practical guide to IT security for small businesses which includes reference to the government’s Cyber Essentials scheme.

International transfers

If your organisation transfers personal data to third parties for processing or hosting, then you need to make sure that the organisation receiving the personal data has provided adequate safeguards.

The ICO website provides further guidance about international transfers.

The Privacy Shield framework

One way to help determine whether a receiving company has adequate data protection safeguards is to establish whether it is on the Privacy Shield list.

Since 12 July 2016, the European Commission has deemed the EU-US Privacy Shield framework adequate to enable data transfers across the Atlantic under EU law. However, be aware that US laws may change and overrule the safeguards put in place for processing EU data. If that happens then the EU (and UK) may rule that the Privacy Shield is no longer valid, meaning that data stored or processed on US servers would suddenly fall foul of European / UK law. This happened with the predecessor of the EU-US Privacy Shield framework (the Safe Harbour agreement which became invalid in 2015).

Task 4 - review your processes and procedures

Decide what processes and procedures you need to put into place in order to process personal data lawfully and fairly, including:

Step 2 – NOTIFY

Tell people what you will do

Transparency is key to processing personal data fairly and you must inform people about how you will collect and use their personal data.

Task 1 - update your data privacy processes

Privacy notices need to be informative and transparent about:

  • the identity and contact details of the data controller;
  • what personal data you collect;
  • how you will use personal data including your legal basis for processing and how long you will keep the data;
  • who you share personal data with or the categories of recipients;
  • how you protect personal data; and
  • what rights data subjects have in relation to their personal data and how individuals can exercise their rights.

In particular, privacy notices should be written in language that is clear and easy to understand, particularly if addressed to a child, and it must be made easily accessible and available free of charge.

The ICO has provided examples of good and bad privacy notices.

Task 2 - review your notification processes

Consider all points of capturing personal data and the different media you use to capture it. Communicate your privacy information, where possible, at the first point of collection using the same media.

You can give privacy information orally, in writing, through signage and electronically.

The ICO provides a handy checklist covering what, where, when and how to provide privacy information including how to test and review your procedures.

Step 3 – ENACT

Do what you say you will do

Make sure you train your staff, so that they carry out what you say (in your data privacy notices) that you will do.

Train your staff

All staff should be aware of your organisation’s legal duties and responsibilities under GDPR, what your policies and procedures are, and what their specific roles are to help ensure compliance.

The ICO’s data protection training checklist for small and medium sized organisations may be a useful starting point.

Remember that changes to your privacy policies and complaint handling procedures may need to be communicated to staff, and appropriate training for new staff incorporated into your on-boarding process. You should also check that you have adequate policies and procedures in place for when employees leave (and, in particular, that access to all personal data held by your organisation is removed immediately).

Keep a record of all training.

Step 4 – RECORD

Prove what you are doing

Under the accountability principle, you need to be able to demonstrate compliance.

Maintain a record of your compliance

The ICO has provided guidance on how to demonstrate compliance which includes:

  • implementing appropriate technical and organisational measures such as appointing a data protection officer, staff training, internal audits of processing activities and reviews of internal HR policies;
  • implementing measures such as data protection by design and by default (see the ICO website for more information) which could include:
    • data minimisation,
    • pseudonymisation (i.e. semi-anonymising personal data),
    • transparency,
    • allowing individuals to monitor processing,
    • creating and improving security features on an ongoing basis, and
    • carrying out data protection impact assessments (DPIAs);
  • maintaining relevant documentation* on processing activities.

* Although documentation is an explicit provision of the GDPR, for small and medium-sized organisations with fewer than 250 employees, the documentation requirements are limited to certain types of processing activities where, for example, it is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences. However, documenting your processing activities can improve your data governance and in turn help you to comply with other aspects of the GDPR.

The ICO has provided templates for documentation purposes – the one for data controllers can be downloaded here: the ICO documentation template for controllers.

Step 5 – RESPOND

Inform, notify & act promptly

The GDPR stipulates how you must respond to subject access requests and handle data breaches and complaints.

Handling subject access requests

What you need to know:

  • Verification – You must verify the identity of the person making the request, using ‘reasonable means’.
  • Without delay and within one month – You must respond and provide the information without delay and at the latest within one month of receipt.
  • Free of charge – Under GDPR you can no longer charge a data subject when he/she requests to see their personal data unless the request is manifestly unfounded or excessive.
  • Manifestly unfounded or excessive requests – If the request is manifestly unfounded or excessive, then you can choose to charge a fee or not to respond. If you do this, then you must explain why and inform the individual without undue delay and, at the latest, within one month. You must also inform the individual of their right to complain to the supervisory authority and of their right to judicial remedy (i.e. a legally binding decision).

Handling personal data breaches

Under GDPR you must protect your data subjects’ personal data.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

Not all breaches are notifiable and this depends on the level of risk to the rights and freedoms of individuals.

  • If there is likely to be a risk to the rights and freedoms of individuals, then you must notify the relevant supervisory authority and you must do so within 72 hours of the organisation becoming aware of it.
  • If there is likely to be a ‘high risk’ to the rights and freedoms of individuals, then you must notify those individuals directly.

For further guidance see the ICO’s website.

Handling complaints

The ICO expects organisations to handle and resolve complaints raised by individuals with respect to their personal data rights.

A complaints procedure will help you to resolve matters without undue delay. When you receive a complaint, make your procedure known to the individual and be sure to inform them of their right to take the matter to the ICO if they feel that a satisfactory outcome has not been achieved.

Individuals have three months from their last meaningful contact with you to raise any concerns with the ICO.

Step 6 – REPEAT

Review & maintain compliance

Remember that processing activities may change over time. As and when they do, you will need to test, record and, if necessary, amend your processes and procedures, and retrain staff.

Key takeaways

  1. Doing nothing is not an option. If you are a data controller or data processor, you are accountable for collecting, processing and protecting personal data lawfully and fairly, and you have to be able to demonstrate compliance. You won’t be able to do that unless you understand your legal duties and responsibilities.
  2. Transparency is essential. Tell people when you collect their personal data, what you will use it for (your legal bases) and inform them of their rights via appropriate privacy notices.
  3. Compliance is an on-going task. You need to assess compliance whenever your business processes change and, if necessary, perform a data protection impact assessment (DPIA). Follow our 6 step action plan to GDPR compliance.
  4. It’s not black and white. If in doubt, put the privacy rights of individuals first and handle complaints well.

If you have questions or need help, you can reach our compliance team here.

FAQ

How is the GDPR different to the Data Protection Act?

The key differences between the GDPR and the Data Protection Act are that under GDPR:

  • the scope is broader, the rights of the individuals are greater (in some cases) and the obligations of the data processors and data controllers are more extensive;
  • where you process personal data from multiple EU Member States, you will have just one lead supervisory authority to deal with;
  • there are new accountability measures;
  • most breaches will have to be reported within 72 hours; and
  • the potential fines for breaching the rules are much higher.

Why comply?

Throughout the GDPR you are expected to follow best practice. The extent to which you implement best practice is, as with many business decisions, about managing risk. However, you do have to comply and be able to demonstrate compliance – it’s the law!

If you don’t comply then you will be breaking the law, which is a criminal offence; you may receive a large fine; your brand and reputation may suffer; and a significant breach could put your organisation out of business.

What is the difference between a data controller and a data processor?

A data controller is the person or organisation that collects personal data and determines the legal basis for collecting and processing that data. A data processor processes personal data on behalf of a data controller and must also comply with GDPR. A data processor also needs a legal basis for processing data (whether via contract or legal obligation).

How to register?

If you handle personal information about individuals, then unless you are exempt, you need to register (notify the ICO) and pay a fee. The fees collected will fund the ICO’s data protection work whilst any fines will be passed back to the government.

Before the 25 May 2018, you may need to register under the Data Protection Act (DPA). You can check here, if you need to register. On and after 25 May 2018, you will need to register, unless you are exempt, and pay a fee. The ICO has published a guide: The data protection fee – a guide for controllers. This details the exemptions and covers how much you have to pay.

The new fee structure is dependent on your number of staff (full or part-time) and turnover of your organisation:

  • Tier 1 – micro organisations
    A maximum turnover of £632,000 for your financial year or no more than 10 members of staff.
    The fee for tier 1 is £40.
  • Tier 2 – small and medium organisations
    A maximum turnover of £36 million for your financial year or no more than 250 members of staff.
    The fee for tier 2 is £60.
  • Tier 3 – large organisations
    This applies if you do not meet the criteria for tier 1 or tier 2.
    The fee for tier 3 is £2,900.

You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations (to existing, past or present clients and suppliers)
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

However, remember that you still need to comply with all other legal duties and responsibilities under GDPR.

For more detailed information about the fees, how to pay and the exemptions available, please read the ICO’s guide.

Do we need a Data Protection Officer and what is their role?

Only some organisations need to appoint a Data Protection Officer (DPO) but all organisations need to designate someone to be responsible for complying with the GDPR. For more information see task 1 of the 6 step action plan above.

What is a lead supervisory authority?

The ICO (Information Commissioner’s Office) is the UK’s data protection regulator, also referred to as the supervisory authority.

If you operate in more than one EU member state and carry out cross-border processing of personal data, or you carry out processing which substantially affects individuals in other EU states, then you need to determine who your lead supervisory authority is.

Your lead supervisory authority will be where your organisation makes its most significant decisions about its processing activities; and they will regulate your compliance with the GDPR.

What is the Article 29 Working Party?

The Article 29 Working Party (sometimes referred to as WP29) is an independent advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.

The Working Party publishes guidance on various data protection topics and advises the EU Commission on the adequacy of data protection standards in non-EU countries.

Is there a certification process?

In the same way that there is no system to demonstrate compliance under the Data Protection Act, there will be no system under the GDPR.

However, there will be a voluntary system of certification (see Article 42 and the ICO’s website) which will enable data controllers and data processors to demonstrate their compliance and will help brands to build and maintain trust in how they control and process personal data.

Do small businesses have to comply with GDPR?

Yes – anyone who collects or processes personal data of EU residents must comply with the GDPR unless the processing falls outside the scope of the Regulation.

Do B2B companies need to comply with GDPR?

Yes. GDPR applies to everyone who collects and/or processes personal data i.e. any information that relates to and identifies a natural living person.

Does GDPR apply to personal data in manual and paper-based systems?

Yes – GDPR applies to all personal data that can be accessed in any ordered filing system, even if it is paper-based and the data has to be accessed manually (see Recital 15).

Does GDPR apply to personal data that is also in the public domain?

Yes. If you collect and/or process personal data i.e. any information that relates to and identifies a natural living person then, even if it is already in the public domain, GDPR applies to you, unless you are an individual using that data for personal or household activities.

What is the difference between a privacy impact assessment (PIA) and a data protection impact assessment (DPIA)?

They are both tools which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

Privacy impact assessments (PIAs) have been part of the privacy and data protection landscape since the early years of the Data Protection Act (DPA). PIAs facilitated best practice, but were not a legal requirement under the DPA.

Data protection impact assessments (DPIAs) were introduced in the GDPR. Unlike PIAs, DPIAs are a requirement under GDPR, but only when you introduce a new technology and the processing is likely to result in a high risk to the rights and freedoms of individuals.

Even though DPIAs are not always required, you may wish to use them as a tool in privacy by design approaches and as a way to demonstrate compliance. In addition, they help to spread awareness of privacy throughout your organisation.

The ICO produced a guide on how to conduct privacy impact assessments and a template for recording the process and results which you can download.

For further information about DPIAs, visit the ICO website.

What is pseudonymisation?

Pseudonymisation means semi-anonymising personal data. It is a process whereby the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field.

The process of pseudonymisation makes the data neither anonymous nor directly identifying. This helps to significantly reduce the risks associated with data processing, whilst maintaining the usefulness of the data.

Data that has undergone pseudonymisation (see Article 4 (5)) is only classed as personal data if, together with easily accessible other data, it can be attributed to a natural person.

Completely anonymised data is outside the scope of the GDPR.
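
One way to carry out the pseudonymisation described above, as an added example that is not part of the original page: it shows both a pseudonym per replaced field and a single pseudonym for a collection of replaced fields. The keyed hash (HMAC-SHA256) is this example's choice, not a method the GDPR or the ICO prescribes, and the records, field names, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. The key is the "additional information" that allows
# re-attribution, so in practice it is stored separately from the
# pseudonymised data and access to it is restricted.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records; every name, address and value is made up.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "AB1 2CD", "order_total": 42.50},
    {"name": "Alice Example", "email": "Alice@Example.com ",
     "postcode": "AB1 2CD", "order_total": 17.00},
    {"name": "Bob Sample", "email": "bob@example.org",
     "postcode": "EF3 4GH", "order_total": 99.99},
]

# Fields treated as "most identifying" in this example (an assumption).
IDENTIFYING_FIELDS = ("name", "email", "postcode")


def _normalise(value):
    """Trim and lower-case so trivially different spellings map together."""
    return str(value).strip().lower()


def _pseudonym(key, label, value):
    """Return a keyed pseudonym (HMAC-SHA256, truncated to 32 hex chars).

    The label is mixed in so the same value in two different fields does
    not produce the same pseudonym.
    """
    message = label.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def pseudonymise_per_field(record, key, fields=IDENTIFYING_FIELDS):
    """Replace each identifying field with its own pseudonym."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = _pseudonym(key, field, _normalise(out[field]))
    return out


def pseudonymise_collection(record, key, fields=IDENTIFYING_FIELDS):
    """Drop the identifying fields and add one pseudonym for all of them."""
    out = {k: v for k, v in record.items() if k not in fields}
    # Unit separator keeps ("ab", "c") distinct from ("a", "bc").
    joined = "\x1f".join(_normalise(record.get(f, "")) for f in fields)
    out["subject_id"] = _pseudonym(key, "subject", joined)
    return out


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_per_field(rec, DEMO_KEY))
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_collection(rec, DEMO_KEY))
```

Because the same input and key always give the same pseudonym, records for one person can still be linked for analysis without exposing the original fields. Anyone who holds the key can recompute pseudonyms from candidate values, which is why the output is pseudonymised rather than anonymous.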

Is consent necessary for email marketing campaigns?

Yes. Consent is required unless your lawful basis for processing personal data is legitimate interest.

The ICO recommends that all marketing campaigns are permission-based. This is because other rules also apply to direct marketing e.g. the Privacy and Electronic Communication Regulations 2003 (PECR).

Under GDPR, permission-based marketing involves explaining clearly what a person’s details will be used for (via notification) and providing a simple way for them to opt out. You also need a policy and procedure in place (which all staff are aware of) for dealing with complaints.

For more detailed information check the ICO’s Direct Marketing Checklist and read their Direct Marketing Guidance. Also, you should be aware that there are specific rules in relation to marketing to children (see Step 2 above about privacy notices and gaining consent). The ICO’s website also provides further guidance about Children and the GDPR.

Is notification required for placing cookies on websites?

Yes. Cookie laws have been around since May 2011 when the Privacy and Electronic Communications Regulation 2003 (PECR) was amended. Under this law you must notify your website users about your use of cookies.

Under GDPR you must notify users of your use of cookies and, where necessary, obtain consent for storing cookies on their device.

What types of cookies require consent?

There are three consent models:

  • information only (no consent);
  • implied consent (opt-out);
  • explicit consent (opt-in).

Consent is not required for cookies that are ‘strictly necessary’ e.g. to make a website work for e-commerce. However, you still need to make your visitors aware that ‘strictly necessary’ cookies are being used and for what purpose.

Theory versus practice

In theory, all other cookies (i.e. those that are not strictly necessary) require consent under GDPR. However, the ICO has said that in some cases implied consent may be a more practical option than the explicit opt-in model and, in relation to first-party analytical cookies, that it is unlikely to consider regulatory action where there is a low level of intrusiveness and risk of harm to individuals.

To put this into context, you need to understand the difference between first-party cookies and third-party cookies:

  • First-party cookies are those that are placed on a website visitor’s device to track them whilst they are on, or revisit, that particular website.
  • Third-party cookies are more intrusive. They track you beyond your visit to a particular website and share that information with third parties e.g. advertising and social media networks.

So, if (like the ICO) you are using the first-party Google Analytics cookie for analysing website traffic, then implied consent is an acceptable option; provided that you notify users, inform them of their rights and let them know how they can withdraw their consent e.g. by informing users how to turn cookies off through their website browser settings, or by providing a means of turning cookies off via a cookie management system installed on your website.

The ICO uses the Cookie Control tool (a free version is available) to provide the required notification and information about how users can withdraw their consent.

Further information about the ICO’s relaxed approach to cookie consent can be found towards the bottom of page 29 in their Guidance on the rules on use of cookies and similar technologies.

To keep up to date with the latest announcements and guidance from the ICO, visit the What’s New page of their website.

Is explicit consent required to use Facebook pixels and cookies for Google Adwords?

Yes. If you do any form of remarketing (a particular form of online marketing which tracks users across different websites and social media networks) e.g. if you use a Facebook pixel on your website, use Google Analytics for Adwords or Google’s DoubleClick for Search pixel, then under GDPR you require explicit consent to place the required third-party cookies on your website.

However, the ICO has yet to produce guidance on the use of cookies for remarketing purposes. Therefore, we will have to wait and see what approach the ICO will take.

In the meantime, bear in mind the words of Elizabeth Denham (from her first speech as Information Commissioner), “I do not believe data protection law is standing in the way of your success.” She also commented, “It’s not privacy or innovation – it’s privacy and innovation.”

So, whilst in theory the use of third-party cookies requires explicit consent, in practice (and as mentioned in the ‘theory versus practice’ section of the above FAQ) regulatory action may be unlikely provided that you can demonstrate responsible use of third-party cookies*.

This would mean demonstrating that you have notified your website users as to when and how their personal data is being used, what it means for them and how to easily exercise their right to opt out (e.g. via a cookie management system), whilst also demonstrating, if necessary via a Privacy Impact Assessment (PIA), that there is a low level of intrusiveness and risk of harm to individuals.

* PLEASE DO NOT RELY ON THIS – if you are in any doubt as to what you should do, please contact the ICO and/or seek legal advice.

Is explicit consent required to create lookalike audiences?

Marketers use lookalike audiences as a way of identifying and attracting new people who are likely to be interested in their organisation, product or service because they are similar to their existing website visitors, prospects or customers in terms of shared interests. Building lookalike audiences relies on profiling which, under GDPR, requires explicit consent.

There are in fact two types of consent involved when marketing to lookalike audiences: (i) you need to obtain explicit consent from your existing audience to use their data for profiling purposes and (ii) the data controller of the advertising network that you are going to use needs (in theory) to gain explicit consent from its audience to display your advert.

Whilst, in theory, explicit consent is required, in practice the ICO may take a less stringent approach subject to responsible practices being in place. We will have to wait and see.

To keep up to date with the latest announcements and guidance from the ICO, visit the What’s New page of their website.

How long can you keep personal data for?

No specific minimum or maximum periods for retaining personal data have been set out. However, personal data can only be kept for as long as is necessary for the purpose or purposes for which it was collected.

When deciding how long to keep personal data and what constitutes ‘necessary’, you should consider:

  • what the information is used for and whether there are any legal or regulatory requirements or industry codes of practice that require you to keep the information;
  • what value the information has now and may have in the future;
  • the costs, risks and liabilities associated with retaining the information; and
  • the ease or difficulty of making sure it remains accurate and up to date.

For more detailed information check the ICO’s website (retaining personal data).

Lastly, the HR Solutions guide provides details of the authorities that cover the processing of personal data for particular purposes. This will help you to determine and justify your personal data retention periods.

Can you transfer personal data outside the EU or store it in the cloud on non-EU servers?

Yes, under certain circumstances.

The organisation hosting the personal data must provide adequate safeguards – see the above section about data security.

GDPR Help

To achieve and maintain GDPR compliance, you need to adhere to the principles of GDPR and follow best practices. The resources below will help you to do this:

ICO online resources
ICO advisory visits and advice line for small organisations

The ICO helpline can be contacted on 0303 123 1113.

Small and medium sized organisations can also request an advisory visit from the ICO.

Training, consultancy and implementation services

We offer onsite or offsite training for individuals and staff groups, as well as consultancy and implementation services.

Our team, with specialists in compliance, strategy, IT and marketing, are here to help you be GDPR compliant. Contact us or give us a call on 033 0133 0543.

Free initial consultation

If you need help with training, understanding or implementing GDPR, then we offer a free initial consultation. Contact us or give us a call on 033 0133 0543.
