Why can’t the Commissioner just tell businesses / charities / voluntary sector exactly what to do?
There are thousands of such entities in the Island, in many different sectors, collecting different types of personal data from a wide variety of customers, staff and other individuals for many different reasons in many different ways. So there is not a one-size-fits-all approach that can be taken.
You know your organisation/business better than anyone else: by using that knowledge and the resources available on the website, including the guide for small businesses, you should be able to work out how to comply with the new law.
If your sector has a professional association or trade body you should look at any guidance they are producing about the new law.
Is there a summary of the main compliance requirements?
There is an infographic available on the website that summarises the basics needed for compliance. This must be considered together with the full guidance available on the website.
Can you help me decide what to include in my privacy notice?
The Applied GDPR sets out the information that you should supply in a privacy notice and when individuals should be informed about what processing of their personal data your business does.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
Individuals have a right to be given this information, usually in a privacy notice or data protection notice, and this forms part of the principle of lawfulness, fairness and transparency.
Is registration needed?
All controllers and processors using automated equipment to process personal data will need to register unless an exemption applies. Fees usually apply for registration.
Failure to register, if needed, is an offence.
What is different about the new registration process?
Only limited information about an organisation needs to be included in the register. Organisations do not need to give the Commissioner detailed information about the purposes, categories, data subjects etc. for the processing being undertaken.
Instead it is the organisation which should keep some form of record of the processing and in some cases it is mandatory for it to do so. The information in such a record will be helpful amongst other things for demonstrating compliance with the principles, creating privacy notices (for transparency) and ensuring the security measures in place are appropriate.
Do we need a designated representative?
Only if the business is NOT established in the Isle of Man or in Europe - i.e. if the company, partnership, charity etc. is not registered in the Isle of Man or Europe in some way.
Do we have to comply with subject access requests and other rights?
Yes - all rights must be complied with and it does not matter what size the organisation is or whether it has to be registered.
Can you tell me how long we have to keep personal data for?
No - the data protection law applies to all types of controllers and does not prescribe any time periods for retention. The Commissioner cannot tell you how long you need to keep personal data, as this will be different for each organisation depending on the reasons it processes personal data and the different types of personal data involved.
Controllers will know their business best and should understand (and document in some way) what personal data they hold and use. This knowledge can be used to identify and justify the appropriate retention period for the different types of personal data that are being processed. Retention periods may be set out in laws, statutory obligations, codes of practice or accepted industry standards that apply to the controller.
Controllers should also create retention and destruction policies and adhere to them to demonstrate and be accountable for their compliance with this principle.
I don’t do any of the processing - am I still a controller?
The controller makes the decision about what personal data is needed to provide its services, pay staff etc., and how that processing is undertaken - it doesn’t matter whether it does the physical processing itself or not.
For example: a repair company will need the names and addresses of its customers in order to send invoices, but may engage an accountant (a processor) to do that activity on its behalf. The repair company is still the controller as it has decided what personal data is needed and how it is to be processed.
Where other laws mandate that certain personal data must be processed, this automatically makes the organisation which is subject to that law a controller, even if it outsources its compliance with that obligation to a third party.
For example, employment law requires an employer to give employees a written itemised pay statement. Although this function may be outsourced to a payroll administration company (a processor), the employer is still the controller.
Are we a controller or processor?
The Commissioner cannot tell you whether you are a controller or processor or both - you should understand what processing of personal data you undertake and whether you decide how it is processed.
Why bother complying?
The level of trust and confidence in your organisation depends on the integrity you show in handling your clients’ personal information. Your own expectations of privacy should inform your practices in creating a culture of respect for your clients’ personal information and a holistic approach to handling it in a way that is open, transparent, secure and fit for the digital era.
It is also the law – failure to comply with the law, and be accountable for compliance, may result in a loss of business or clientele, enforcement action or penalties imposed by the Commissioner, court imposed fines and awards of compensation. There are also criminal offences, some of which include terms of imprisonment.
What if it goes wrong?
You must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk the processing poses to an individual, particularly the risk of accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, the personal data that you process.
If you get a personal data breach, you must:
- take steps to investigate
- record the incident, including the facts, the effects and any remedial action taken
- inform the Commissioner within 72 hours of becoming aware, unless the personal data breach is unlikely to result in any risk to the rights and freedoms of individuals
- inform the individuals if it is likely that the breach will result in a high risk to their rights and freedoms
Can individuals complain?
Yes – individuals are entitled to complain to the Commissioner about how you have handled their personal data and if you have not complied with their rights.
The Commissioner must investigate complaints and can take enforcement action or, if necessary, impose a financial penalty. You are required to co-operate with the Commissioner.
Individuals can also take action against the controller in court and seek compensation.
Do I always need consent for processing?
No – consent is only one of the 6 different lawful grounds for processing. Any one of the others may be more appropriate depending on the circumstances.
Can I send direct marketing?
It is a legitimate interest of controllers to advertise and market their own goods and services. However, as most direct marketing is now by electronic means, e.g. SMS or email, you must comply with the Unsolicited Communications Regulations.
Do we need a Data Protection Officer?
A nominated Data Protection Officer will be needed in specific circumstances and the name of that person must be communicated to the Commissioner.