Disclaimer: The advice provided here is our own interpretation and opinion. We have tried to simplify the main points of GDPR to create this guide, but for more in-depth information please read the official ICO guidance.
The way we communicate, socialise and do business has changed vastly over the last few years. With the introduction and evolution of technology, the digital world is at the forefront of how we engage with the rest of the world.
Whether it’s sending emails, engaging in social media, sharing documents, paying bills or online banking, we have become reliant on technology to manage many of our day to day tasks.
But what happens with all of our personal data and information? Where does it go? Whose hands does it end up in?
Whilst some data is not that important, your Facebook status for example, what about your highly sensitive details such as online banking logins, address details, passport numbers and national insurance number?
Many companies state that they collect this data in order to understand their customers better and provide a better service to them based on their likes, interests, shopping patterns and habits online.
But is that what the data is really used for?
The EU was recently urged to investigate this further and has come to the conclusion that, come May 2018, a new European privacy regulation called GDPR will be introduced to permanently change the way businesses can collect, store and use customer data.
This comes as a surprise to many companies, with 80% of IT and business professionals knowing very little, if anything at all, about GDPR. Worse yet, 97% don’t have a plan in place to deal with the changes that will come into force in just a few months’ time.
What is GDPR?
The General Data Protection Regulation (GDPR) comes into effect 25th May 2018.
The new European privacy regulation will apply to all companies that sell to, or store the personal data of, customers or citizens in Europe, including companies based on other continents. The regulation will also be implemented within all local privacy laws throughout the EU and EEA region.
The purpose of the new regulation is to provide people within the EU and EEA with increased control over their personal data and reassurance that the information is stored correctly and safely across Europe.
The GDPR is the EU’s way of giving individuals more power over their data, and less power to the companies and organisations that collect, and use, personal data for monetary gain.
Personal Data is considered as any of the following information related to a person:
- Name, age, address
- Identification photo
- Email address
- Bank details
- Social media logins and updates
- Location details and IP address
- Medical information
- National insurance number
- Passport details
The new GDPR means:
1. The right to access: Individuals have the right to request access to their personal data and to ask how their data is used by a company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
2. The right to be forgotten: Consumers who are no longer customers can withdraw their consent from a company to use their personal data, and have the right to have their data deleted.
3. The right to data portability: Individuals have a right to transfer their data from one service provider to another. It must happen in a commonly used, accessible, readable format.
4. The right to be informed: When gathering data, companies and individuals must inform the customer/citizen before data is gathered. Consumers have to opt-in for their data to be gathered and consent must be freely given rather than automatically presumed.
5. The right to have information corrected: This allows individuals to have their data updated if it is out of date, incomplete or incorrect.
6. The right to restrict processing: Individuals can request that their data is not used for processing. Their records can remain in place, but not be used.
7. The right to object: This allows individuals the right to stop the processing of their data for direct marketing without any exemptions. Any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
8. The right to be notified: If a data breach has occurred which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the company first becoming aware of the breach.
How could GDPR affect your business?
It’s very clear that the new GDPR rules put the consumer in the driver’s seat and force the business responsible for handling customer data to comply with the regulations.
Whilst regulation itself is needed to ensure businesses operate fairly, some regulation can hinder business and make daily operations bigger tasks than they once were.
Regardless of whether the data processing takes place within the EU or not, the new regulations apply to all businesses established within the EU, and even businesses established outside the EU will have to comply with the GDPR. Any business that offers goods or services to customers within the EU will be legally required to follow the new regulations.
Businesses that fail to follow the new rules will face tough and potentially damaging penalties of up to 4% of the company’s annual global revenue or a fine of 20 million Euros – whichever is greater.
Whilst the management of data will become an IT issue, it should also be a major area of concern across the whole company, in particular, the sales and marketing department.
Implications for businesses
The new GDPR rules allow individuals the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.
This means you have to be able to prove that the individual agreed to a certain action, for example, to receive a newsletter. Companies cannot simply add a disclaimer, or ‘small print’, and providing an opt-out option is not enough.
This means that companies will have to seriously consider their methods of marketing and sales, and how they legally obtain data.
Companies will need to review business processes – applications and forms must be compliant with opt-in rules, and new email marketing rules should be implemented.
If a customer wishes to subscribe to a company’s marketing communications, they will have to fill out a form or tick a box, and this can then be followed by a further email in which they confirm their action (known as double opt-in). Double opt-in helps companies record proof of consent, which is necessary for GDPR compliance.
Any data held must have a clear, time-stamped audit trail recording how the customer opted in and when.
Even if the company uses third-party marketing lists where the vendor confirms the data is fit for purpose, the company is still responsible for obtaining the correct customer consent.
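One way to record consent so that it can be proven later, covering the separate consent per processing activity, the double opt-in step, the time-stamped trail and withdrawal described above. This is an added example, not code from the original guide; the in-memory store, the purpose names and the out-of-band delivery of the confirmation token are assumptions.

```python
import secrets
from datetime import datetime, timezone


class ConsentLedger:
    """Append-only, time-stamped trail of how and when each consent was given.
    Illustrative code; the in-memory store and token handling are assumptions."""

    def __init__(self):
        self.events = []    # the audit trail: appended to, never edited
        self._pending = {}  # confirmation token -> (email, purpose)

    def _log(self, email, purpose, action, source):
        entry = {"email": email, "purpose": purpose, "action": action,
                 "source": source,  # how the consent was captured (form, link...)
                 "at": datetime.now(timezone.utc).isoformat()}
        self.events.append(entry)
        return entry

    def request(self, email, purpose, source):
        """Step 1: the user ticks a box. Consent is not yet valid."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (email, purpose)
        self._log(email, purpose, "requested", source)
        return token  # would be sent to the user by e-mail, out of band

    def confirm(self, token):
        """Step 2: the user follows the link in the confirmation e-mail."""
        email, purpose = self._pending.pop(token)  # unknown token -> KeyError
        self._log(email, purpose, "confirmed", "email-link")
        return email

    def withdraw(self, email, purpose, source="unsubscribe-link"):
        """Consent can be withdrawn at any time; the record stays, the permission goes."""
        self._log(email, purpose, "withdrawn", source)

    def has_consent(self, email, purpose):
        """Consent is per purpose: the latest event for (email, purpose) decides."""
        for e in reversed(self.events):
            if e["email"] == email and e["purpose"] == purpose:
                return e["action"] == "confirmed"
        return False

    def proof(self, email, purpose):
        """Evidence that can be shown on request: the full trail for that pair."""
        return [e for e in self.events
                if e["email"] == email and e["purpose"] == purpose]
```

A pending request never counts as consent, and consent for one purpose (the newsletter) says nothing about another (profiling), which is the "separate consents" point above.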
How to prepare your business for GDPR?
Any company that works with personal data should consider appointing a data protection officer within their compliance team whose sole purpose will be to ensure the business operates legally when sourcing, storing and managing customer data.
There are many things companies will have to focus on in order to be compliant with GDPR. Here are just a few first steps for your business to consider:
1. Track your company’s data
Map out where all of the personal data in your entire business comes from and document what you do with the data. Note where the data is stored and who has access to it.
2. Determine which data you need to keep and which you do not
Only keep information that is necessary, and remove any data that isn’t used or has expired. GDPR will encourage a more disciplined treatment of personal data, and companies that hold onto data regardless of whether it is being used may be fined.
Things to consider when cleaning up your data:
- Can this data be erased instead of archived?
- What is the purpose of saving all this data?
- What is the purpose of collecting all these categories of personal information?
- Is it more financially viable to delete this information rather than encrypting it?
3. Take relevant safety measures
Should a security breach arise, have the correct infrastructure in place to deal with issues in a compliant fashion. Put security measures in place to prevent any data breaches, and take quick action to notify individuals and authorities in the event a breach does occur.
As previously mentioned, sourcing data from third parties doesn’t prevent you from being liable. Make sure your data providers have also followed the correct security methods.
4. Regularly review your documentation
Pre-checked boxes and implied consent will not be acceptable under the GDPR, and consumers need to explicitly consent to a company using their data. Businesses will need to regularly review all privacy statements and disclosures and adjust them where needed.
5. Create compliant procedures for handling personal data
As part of the new regulations, individuals have six basic rights which will need to be considered by companies when planning how to obtain data.
Things to consider:
- How can individuals give consent in a legal manner?
- What is the correct process if an individual requests their data to be deleted?
- How will the business ensure that the request is met and data is deleted across all platforms?
- How will the business transfer data should the consumer request it?
- How will the business confirm that the data genuinely belongs to the person requesting it?
- What is the plan in the event of a data breach?
Whilst new regulations can bring challenges to businesses and unplanned costs, it’s important to see the bigger picture and possibilities for companies in the future.
Safeguarding consumer data will help create better-quality companies and improve the relationship between customer and company.
Companies that comply and choose to be transparent with consumers can, in turn, nurture a longer, more valuable relationship with those consumers.