Introduction
This document is intended as an overview of the General Data Protection Regulation only. Please refer to the main ICO guidance for in-depth coverage:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Productions are extremely likely to be managing the personal data of individuals, so the GDPR will apply to the production.
If an organisation does not comply, the consequences are serious (e.g. a fine of up to EUR 20 million). It is therefore crucial that reasonable data protection measures are implemented to protect the personal data being processed against loss or misuse. Companies should set up data protection policies and data breach processes.
What Personal Data Is Covered By The GDPR?
Personal data is anything that can directly or indirectly be used to identify an individual and includes:
- Name
- ID number
- Location data
- An online identifier
- Sensitive personal data
Sensitive personal data is referred to as “special categories of personal data” in the GDPR and includes genetic and biometric data. It no longer includes personal data relating to criminal convictions as this is now covered in its own section (Article 10).
Special categories of Personal Data include:
- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics (where used for ID purposes)
- health
- sex life
- sexual orientation
Trade union membership is particularly relevant in our industry since we often collect this for pension purposes on contracts. It is therefore important to understand the additional steps required for processing this data.
Lawful Bases
Per Article 5 of the GDPR all personal data must be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
To process personal data you must have a valid lawful basis; there are six available under Article 6 of the GDPR:
- (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- (d) Vital interests: the processing is necessary to protect someone’s life.
- (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
- The production’s relationships will determine the most appropriate basis, and it may differ depending on the data being processed. Which basis you apply should be determined and documented prior to processing.
- All processing must be “necessary” to be lawful.
- You should have a privacy notice that documents not only how data will be treated but also which lawful basis applies. This is the case whether you are collecting personal data directly or from another source (e.g. an agent).
- Without a lawful basis the processing will be in breach of the GDPR.
To process special category personal data you must meet an additional condition on top of the lawful basis, since it is more sensitive and requires additional protection. There are currently ten conditions in the GDPR itself, but there will be additional conditions and safeguards in the Data Protection Bill. You must determine which condition applies before processing the data.
Responsibilities
Organisations should put in place measures to ensure they meet their responsibilities under the GDPR. The measures should be designed to minimise the risk of a data breach and ensure data is processed lawfully. The GDPR applies to both electronic and manual record keeping. Many companies have overarching data protection policies, which should be reviewed to ensure they comply with the GDPR.
Showing you have considered and implemented appropriate Data Protection processes is a key principle of GDPR.
It is crucial that new staff understand their responsibilities regarding the GDPR, and therefore training should be provided. Documenting policies and processes, so that best practice is maintained across the organisation, is key.
Information security – both manual and technical – is paramount in ensuring data is not at risk. Any breach can be very harmful.
Rights
Under GDPR individuals have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Transparency is a key principle of the GDPR. Individuals should be told why, how, by whom and for how long their data will be processed – known as privacy information. This should be included in your privacy notice when collecting data. The privacy notice must be clear and easy to understand.
In our industry the right to erasure is particularly relevant since the same data may exist in several places. It is very important that data is kept in only one place and deleted from all others, to ensure erasure is complete and thorough when requested. This should be part of any company’s GDPR implementation process.
Minimisation is key when considering obligations under the GDPR. Collecting only the data that is absolutely necessary, storing it securely in only one place and ensuring everyone understands their obligations will make implementation and ongoing adherence much simpler.
Personal Data Breaches
If a breach occurs, it must be reported within 72 hours of becoming aware of it. Affected individuals also need to be informed if the breach could adversely impact them.
A breach detection procedure is key, so that decisions and assessments of the severity of a breach are made quickly.
Data breaches need to be logged even if notification was deemed unnecessary.
Children
As children may be less aware of the risks of sharing personal data, they have particular protection. Data protection processes should take this into account; for instance, your privacy notice should be clear enough for children to understand and should be rewritten if in doubt. A child’s data is governed by the same rights as an adult’s. The right to erasure could be particularly relevant if a child gives consent and then wishes to exercise that right as an adult.
NOTE: This guide contains general information only. Nothing in the guide constitutes legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.