GDPR 3 Years On – What You Need To Know About Data Protection and Working With Third-Parties
On May 25th 2018, the GDPR came into effect and changed how our data is stored, processed, managed and used. It created new individual rights over personal data, required businesses to implement more strenuous protections, clearly defined responsibilities and liabilities for data protection, and made the documentation of breaches mandatory.
GDPR Update 2021
Three years on, the UK has left the EU; however, the UK GDPR is now law, with many of the same requirements still in place.
And it’s serious business. The UK GDPR, and the EU GDPR before it, aren’t just guidelines or best practice: they are the law. And, as such, non-compliance comes with some hefty penalties. The maximum fine for infringements set by the UK GDPR and DPA 2018 is a whopping £17.5 million or 4% of annual turnover — whichever is greater. Ouch.
It is being enforced, and some household names have already fallen foul of it by not going far enough to adhere to the rules.
Issues have included human error, lax processes and procedures, insufficient security and storage of data, lack of transparency, slow breach reporting and failure to comply with data subject access requests (DSARs).
As well as ‘the public’ and customer information, the GDPR applies to any individuals, including staff, as H&M discovered.
- H&M – €35 million
What’s changed with the introduction of the UK GDPR?
Well, on the surface not much has changed yet. The core principles of the GDPR remain in the UK version. However, things do change so it’s always best to check for the latest updates from the Information Commissioner’s Office (ICO).
In the case of GDPR, ignorance is not bliss.
The UK GDPR also applies to companies based outside of the UK if they are processing details relating to individuals in the UK, in much the same way that the EU GDPR applies to data relating to individuals in the EU.
Working with third-party suppliers
Your responsibilities as the data controller
The UK GDPR defines a controller as:
“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Data controllers are ultimately responsible for UK GDPR compliance and are also required to be able to demonstrate such compliance. This does not remove responsibilities placed on others using the data, but it means that whenever data you have collected is processed by a third party on your behalf, you’re on the hook if they cut corners.
If the data you share with a third-party provider is subject to the GDPR, you not only need to make sure nothing goes wrong, but you are also responsible for actively verifying that all of your partners handle that data compliantly, and for being able to demonstrate that to the regulator. Therefore, you need to understand the data protection policies of anyone with access to the data.
International data transfers
There is a requirement for certain provisions to be included in a written contract when engaging a data processor. This helps to ensure reasonable measures are in place to safeguard data. Whether you’re working with the UK or the EU version of the GDPR, you should be aware of the standard contractual clauses (SCCs). The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally.
You are also required to ensure that, if data is going to another country or territory, the jurisdiction there offers equivalent data protection. If it doesn’t, supplementary measures may be necessary. It’s important to know where your data will be going when working with suppliers. Does it remain in the UK, is it being sent to the EU, or further afield?
Some countries that you might presume would be ‘safe’ may not have passed the test when it comes to the GDPR. For example, the US has not been deemed a country with equivalent protection and therefore additional action is required. You need to do your due diligence even if you feel you’re working with a well-known and established supplier.
Up until the end of June 2021, the UK has a data protection ‘bridge’ with the EU. This means that data can flow in the same way as when we operated under the EU GDPR. However, the UK is currently being assessed to determine whether this flow can continue once the bridge period has ended. With the adequacy decision pending, companies reliant on receiving data from the EU should take steps to ensure this data flow can continue lawfully in the event that no adequacy decision is granted. You don’t want to inadvertently break the law!
This may be an area where we see some divergence between the EU and UK versions of the GDPR.
Ensuring data security & compliance when working with transcription companies
As transcription service specialists, our focus regarding the GDPR has been its impact on this industry — and the relationship between suppliers and providers.
To safely engage with transcription services, you need to understand the nature of your data, the policies of your partners and their ability to enforce data protection at every point in the process.
A good starting point is to make sure that any transcription service partner uses TLS/SSL encrypted log-in portals, encrypted storage protocols, is willing to sign an NDA (non-disclosure agreement), and has ISO 27001 and ISO 9001 certifications. All these elements are an indication that the supplier is taking the security of your data seriously.
Data protection basics need to be standard expectations
The GDPR is about protecting the rights and freedoms of data subjects in the context of processing their personal data. In addition to following the many unique GDPR reporting and assessment criteria, a central goal is to prevent the loss of data.
Depending on the type of breach there may be a requirement to report it. To prevent reputation damage and regulatory fines, you need to minimise the risk of a breach as much as possible.
Something to think about with human transcription services is who is transcribing your data. The production of transcripts is often offshored to reduce costs. These distributed and high-turnover networks make it hard for some transcription services to guarantee that the rules are being adhered to. After all, we know that just aiming for some ‘best practices’ is not good enough. Distances and different jurisdictions also make it hard to pursue violations if they occur.
How transcription services can help you comply with other reporting aspects of GDPR
Although the processing of any personal data has become more complicated since the GDPR, transcription services themselves can help you remain compliant. As a controller, the GDPR imposes a level of accountability. Not only must you have in place an appropriate governance framework, but you must also be able to demonstrate compliance. You need to be ready for an audit by the regulator and be prepared in case something does happen.
Transcription services can deliver exact, searchable and direct records of events. Transcripts of relevant meetings can provide internal records about your data protection policies, and demonstrate your efforts to ensure compliance by your partners. Just one tool in your reporting arsenal, transcription services can help make all of your data processing partnerships more transparent and GDPR compliant.
You may also be required to deal with subject access requests. If your data consists of recorded media files (audio or video), finding and extracting the relevant data will be challenging. The GDPR includes a ‘disproportionate effort’ exception; however, you may not be able to rely on it, as you need to be able to prove that the effort involved outweighs the impact on the individuals. If the files are transcribed, you can easily search for the relevant details.
A transcript also provides you with a record of the file, allowing you to delete the original media once it is no longer required. This process helps with compliance and the principles of ‘storage limitation’ and ‘data minimisation’. Transcripts are also easier to anonymise than audio and visual files, at which point they fall out of the scope of GDPR entirely.
Take Note provides an Anonymisation Service which will redact personal data from your transcripts, great for GDPR compliance, especially when you are storing and sharing transcripts.
Our Market Researcher’s friendly guide to data security & compliance provides you with more guidance on working with personal data and third-party suppliers that process data on your behalf.
Disclaimer – This blog aims to provide you with some basic information regarding security when using transcription services. It is not legal, security or technical advice and should not be relied on as such. Please seek professional advice where required.