Unless you’re living on Mars, you’d be hard pressed to miss the fact that Personal Data Protection laws change on 25thMay 2018 with the introduction of the General Data Protection Regulations (GDPR). It’s more than likely you’re currently getting lots of emails in both your personal and business accounts asking you to opt-in so companies can continue contacting you. And you may be going through exactly the same process yourself, contacting customers, sales leads, suppliers etc. Marketing seems to have dominated a lot of the debate and articles around GDPR, so much so that many seem to see obtaining explicit consent as the main requirement for getting ready.
But don’t be fooled- marketing consent is just the tip of the GDPR iceberg and if this is your only focus, you could find yourself on the wrong side of the changes to data protection legislation.
Before we get into the SIX areas you need to understand and take action on to demonstrate you’re GDPR ready, let’s start with a reminder of what GDPR is and why it will apply to almost every business and enterprise.
What is GDPR?
GDPR introduces a single set of rules for how organisations handle the personal data of all citizens within the European Union (including the UK) and represents the biggest change to data protection regulations in 20 years. It significantly increases the obligations of businesses and enterprises, demanding a much higher level of transparency and accountability for how personal data is collected and used. And let’s not forget, the individuals’ whose personal data is being processed, will also have increased control and rights.
All this will be policed by national Supervisory Authorities, charged with monitoring compliance and with much greater powers to levy significant fines- up to 4% of an organisation’s turnover or €20 million. This means the cost of not getting things right for GDPR could potentially end up being very high.
Who does GDPR apply to?
If you process the personal data of individuals based in the European Union (including the UK), regardless of your location, size or type of enterprise, then GDPR applies. And if you’re wondering whether you actually process personal data, think about what information in terms of name, contact details, bank numbers, images, health data, IP addresses etc that you might hold or work with in relation to employees, customers, donors, sales leads, patients, pupils, suppliers, supporters and so on.
The likelihood is you do process personal data so it makes complete sense to understand more about GDPR and know what you have to address to get ready for it.
What does the GDPR iceberg look like?
A lot of people mistakenly see GDPR as something to do with marketing and specifically about consent to receiving marketing promotion. They don’t realise that this is just the tip of the iceberg.
To properly understand GDPR you need to first think of data processing as covering every step from collection through to use, sharing it with others and what happens at the end of its life or usefulness. Then you need to get beyond the idea that it’s just about marketing consent and take steps to understand what the following SIX key areas mean for your business or enterprise:-
1. Principles for processing
Article 5 of GDPR lays down the principles that have to be met when processing personal data and these are the cornerstone of the new legislation. The bottom line is if an organisation isn’t working to these principles and can’t actively demonstrate how it does so, it won’t be meeting the requirements of GDPR. The individual principles specify data processing must be:-
I.Lawful, fair and transparent- individuals must be aware of what you’re doing and why and it must be fair to them and not affect them negatively. You must also have a lawful reason for the data processing.
II.Limited for purpose- this means you must be clear why you’re processing personal data and only do so for these reasons that you will have made individuals aware of.
III.Adequate and necessary- this means being open and honest with individuals and no capturing of ‘just in case’ information that you don’t really need for the specific purpose you’ve stated.
IV.Accurate- you must make every effort to keep personal data up to date and free from errors. The more data you process and the longer you keep it for, the more work will be required to keep it accurate and you will need a clear process for ensuring this.
V.Kept minimum amount of time- you must only keep data for as long as is absolutely necessary e.g. to meet legal requirements or industry standards Whatever the length of time is, you must make individuals aware of how long you will retain data for and ensure you destroy or delete it when no longer required.
VI.Confidential and secure- you have a duty of care to ensure the necessary safeguards are in place to protect any personal data you’re processing.
You can find out more about the Principles for Processing in my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'. Register here to join it.
2. Lawful basis for processing
GDPR distinguishes between data controllers, who decide what data to process and why, and data processors who are engaged by the data controller to process personal data on their behalf. One of the first things you need to decide is which your business or enterprise is. Whilst they both have obligations under GDPR, the data controller as the one in charge inevitably has more to prove.
As the data controller you need to decide what your lawful basis is for processing personal data, as without this any processing you do will be illegal. This is where consent comes in, as asking individuals explicitly to give you consent to process their personal data, is one lawful basis you can choose. The others include:-
Contract- applicable if you need to process personal data to fulfil your contractual obligations
Legal obligation- may apply if you’re required to process personal data to meet common law or a statutory obligation, for example due diligence as part of fraud measures.
Vital interests- applicable where personal data is processed to protect someone’s life, usually because of a medical emergency.
Public task- applicable if you’re a public authority such as a council, school, doctor, civil service etc and need the personal data to exercise your official duties.
You can find out more about Lawful Basis for Processing in my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'. Register here to join it.
3. Data mapping
You can find out more about how to conduct a Data Mapping exercise in my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'. Register here to join it.
4. Individual Rights
Under GDPR, individuals have increased control over how their personal data is processed and these are captured under 8 Individual Rights that you must be able to respond to. These include
I. Right to be informed
II. Right of Access
III. Right to Rectification
IV. Right to Erasure
V. Right to Restrict Processing
VI. Right to Data Portability
VII. Right to Object
VIII. Right not to be subjected to Automated Decision Making or Profiling
Most of these rights already existed under the UK Data Protection Act 1998 but with GDPR you can no longer charge individuals to fulfil such requests and have to answer them in a much shorter timescale- generally within 1 month of receipt of them. Without an effective process and procedure, answering such requests could prove time consuming and onerous.
You can find out more about what each Individual Right means in my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'. Register here to join it.
5. Accountability and Governance
These are both essentially about having the right culture and ways of doing things in place to meet your data protection obligations. You’ll need to consider:-
Whether you need to formally appoint a data protection officer to oversee your compliance.
Having written contracts with data processors covering their data protection obligations. If you use processors who are based outside the EU and operate under different local laws, you’ll need to look for additional protections like the US Privacy Shield to satisfy the Supervisory Authorities they can comply with GDPR.
Implementing appropriate security measures to protect personal data.
Carrying out data protection impact assessments if you introduce new software or undertake high risk processing such as CCTV monitoring.
Having available the appropriate documentation to actively demonstrate accountability to GDPR, including any data mapping.
On-boarding and training any staff you may have on GDPR and ensuring everyone understands their individual and collective obligations and any ways of working to meet these.
You can find out more about each of the areas you need to prepare for under Accountability and Governance in my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'. Register here to join it.
6. Data breach handling
Under increased accountability, GDPR requires the recording of each and every data breach as it occurs and a very quick assessment (within 72 hours) of whether it poses a risk to the individuals affected. If this is the case it will need reporting to the relevant Supervisory Authority within the 72 hour threshold and in more serious cases the individuals themselves. When you realise that as well as loss or theft of personal devices and unauthorised access personal data, breaches include sending emails to the wrong person, accidentally leaving information on a photocopier or unavailability of services, you could end up needing to record and take appropriate action on a regular basis. Everyone needs to understand both what constitutes a data breach and what actions need to be taken if one occurs. This requires clear processes and procedures as well as everyone’s commitment to treating it seriously. Failure to do so could result in the Supervisory Authority taking a hard line and imposing the full scale of their sanctions and fines on your business or enterprise.
You can find out more about Data Breach handling in my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'. Register here to join it.
I hope this has helped you recognise there’s a lot more depth to GDPR than the consent tip of the iceberg that you may have heard about and been preparing for. As well as the legal ramifications, ensuring you’re GDPR ready is about maintaining the trust of everyone whose personal data you process, and you owe it to them to take it seriously.
At this stage you need a quick and simple approach to getting GDPR ready. I suggest you start by registering for my FREE webinar ‘Getting GDPR ready as a small to medium business/enterprise'to better understand each of the 6 areas of the iceberg in more depth. Click here to register. Then you can go away and either develop your own plan of action to create all the processes, procedures and templates you need to have in place, or look for something where some of the work has been done for you.
GDPR Preparation kit to enable you to get ready quickly and cost effectively. It tells you simply what you need to know about GDPR and provides lots of useful processes, checklists and templates to speed up your time to readiness. Click here to find out more.
Ceri George has over 15 years marketing experience and is the owner of By George Marketing and creator of the GDPR Preparation kit for SMEs. She helps businesses make the most of their marketing and make it an investment for growth. For more information about working with her and details of the GDPR Preparation kit please visit www.bygeorgemarketing.co.uk