Moving to implementation on data protection
25 May 2018 is ‘D-Day’ for anyone who either controls or processes personal data of any sort.
This is the date of implementation of the General Data Protection Regulation (GDPR) across the EU.
If you are involved in a transactional, customer-facing business, however small, this will affect you. This is true of all people and organisations in the UK and the EU. It is worth noting that the UK has fully signed up to GDPR, so implementation goes ahead, unaffected by Brexit.
This post provides a brief précis of the regulation's remit and then, in the form of a short annotated checklist, explains some key actions that those affected need to take.
This piece does not constitute legal advice. It does not pretend to cover every element; the document itself is long and detailed and, as is inevitable, some things are open to interpretation.
A very quick reminder of the basics:
If you gather, store and/or hold anyone else’s personal data that can be used to identify individuals, for any purpose of your own (for example, running a business, club or charity using customer and prospect records), then you are what is known as a data controller. You must make sure you are using that personal information in a compliant manner.
How is personal data defined? You may be surprised to hear that it can be as little as a first name, surname and perhaps part of an address; it does not need to be complete. Information covered by GDPR can be stored electronically in a database or in paper format; it is all seen as data.
Key steps for a GDPR checklist
Ask: am I using data for a legitimate interest?
This is the simple starting point. Basically, the rules require you to have a firm reason for collecting data from people (data subjects) before you even look at how you store or use it.
The basic guiding principle here rests on two questions regarding your activities:
- Can you explain why you are asking for it?
- What is the provider receiving in return?
This is quite fundamental, so I won’t expand too much here except to say that if you have ‘extra data’ on your system that isn’t related to your current activities, then that’s not legitimate and it should be deleted immediately.
Run a data audit
In line with the above, it is vital that you make sure all data is within your control and secure. Any non-essential data, whether borrowed, rented or not gained under a legitimate interest, should be deleted, and that includes everything: data files, spreadsheets, notepads of customer details, all of it!
Check your suppliers are compliant
You may already think that you have good processes, but under GDPR, suppliers who help you use your data via software, like CRM systems or email engines, are now required to be compliant as what is known as a data processor. Under the new regime YOU are responsible for their practices. Most reputable organisations like Mailchimp, Salesforce or Microsoft will have gone through the steps to make sure they are in tune with the new regulations, but it is up to you to check, as you are liable. Be aware here of suppliers based outside the EU, as the new rules require data to be held within a country that has signed up to the new legislation.
Data Privacy Statement: Are you allowing an opt out?
This is perhaps the most important element of the legislation and perhaps the critical change. If you have order forms on paper, or your website has data entry points, you must make sure you clearly explain what you are collecting the data for and provide a clear and accessible method for the enquirer/customer to give their consent to the use of their information for the purpose you state.
What is very specific is that any pre-ticked boxes or other action that assumes consent without proactively acquiring it are no longer permitted.
There is so much importance placed on this that it really is best to read up on it fully and completely; here is a great guide on this element.
Provide information on your activities with data – including third parties!
You will need to write a comprehensive and transparent Data Privacy Statement on what you do with information in the course of your activities. This should be very easy for people who want to interact with you to find, for example clearly flagged on your website, with a link at the point of data entry.
What GDPR really insists you think about is where any data you hold is ‘shared’ with third parties, AND it then explicitly requires you to tell people about this in your privacy statement. For example, it might be that you have an arrangement with your publisher and send joint invitations to launches.
You will need to inform people of that arrangement in your privacy statement.
Also, you will need to declare any data systems that you use, like a WordPress website system or servers, as data processors. It is your job to tell the customer specifically where his or her data is being stored.
You can find really good examples here.
Update browsers on your profiling activities
Within your data privacy statement, as well as saying how you store details, you are going to need to be really clear about what you do with data to gain intelligence (profiling) and give people the chance to opt out. So, if you look at people’s job titles to send them relevant offers for publications, you will need to explain that you do that.
Even if you don’t engage in any profiling, you will still need a new cookie statement on the front of your website. The new rules require that people are clearly able to turn cookie tracking off.
Some GDPR friendly examples of cookie text are here.
Look at your existing data
If you have a well-built list of contacts that you have gathered over time, you will need to contact them as part of your GDPR activities. That doesn’t necessarily mean you need to start from scratch.
You do need to demonstrate that the data is compliant and that the individuals are aware, as above, of what you do with their information. You also need to give them a chance to opt out. Although this may sound scary, it could be a good opportunity to get in touch with customers you haven’t spoken to in a while. It also shows you take data protection seriously.
Sharpen up your processes
There is a lot that can be said here. With data security such a headline issue in public consciousness, it is vital you have a process in place to detect any data breaches AND, in the unfortunate case of one, mechanisms to contact anybody who is affected by it (for example, when you are hacked). This MUST be done for all affected within 72 hours of the breach. Here’s the text from the legislation.
Log all your activities
The GDPR regulator varies from country to country. In the UK it is the Information Commissioner’s Office. They are responsible for bringing in the new rules and also for enforcement. The new regime does bring with it far heftier fines for non-compliance; fines in the region of six figures are possible, far more than the current law allows. Be aware of their presence and look at their website; it is packed with information, examples and advice.
Create a log of all the steps you have taken to match your practice with the new rules; that in itself will show that you did what was necessary.
There’s far more to act upon and digest. You can find an expanded checklist here. By taking the new rules seriously and adapting your activities, you can be sure you are fit to work in the new data world with confidence.