What is it and why do we need it?
We send emails, we share documents, we pay bills and we purchase goods and services by entering our personal details online and without a second thought.
As businesses we already tell website visitors we’re collecting their data to send them our newsletter. Isn’t that enough? Sorry, no. You need to make sure you have actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted.
In the UK, the current Data Protection Act 1998 sets out how your personal information can be used by companies, government and other organisations. The world has moved on since 1998, or rather the likes of Facebook, Google and a host of other internet businesses have moved on in the last 20 years, and the old Data Protection Act is no longer fit for purpose. The new General Data Protection Regulation (GDPR) puts the consumer in the driver’s seat, and the task of complying with this regulation falls upon businesses and organisations.
The GDPR will become effective on 25 May 2018. The GDPR will bring considerable changes to data protection law in the UK and will include significantly greater fines of up to €20 million or 4% of total worldwide annual group turnover for breaches.
Many people might think that the GDPR is just an IT issue, but that is far from the truth. It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities. Compliance, unfortunately, is not a choice.
This note summarises the need for businesses to consider an implementation programme.
Introduction to the GDPR
Personal data is defined generally as data relating to any living individual who can be identified from that data. Personal data includes such basics as:
- Addresses and email addresses;
- Social security numbers;
- Telephone numbers;
- Banking information, online transaction history or simply a record of what goods or services have been provided by you.
Failing to comply
As there are significant advantages to holding personal data, most businesses will find themselves required to comply with the GDPR. Therefore, it is important to be mindful that there are many potential ramifications if you fail to comply with the GDPR, including:
- Prosecution of your business, resulting in substantial penalties of up to 4% of turnover or 20 million euros;
- Adverse publicity, potentially leading to reputational damage and lost customer trust;
- Increased scrutiny from data protection authorities whose powers are increasing substantially under the GDPR;
- Civil liability damages for employment-related breaches;
- Criminal liability for directors and senior managers.
We strongly advise all businesses to comply and to inform employees, customers, vendors, business partners and regulators of the business’s commitment to data protection.
Duty to oversee compliance
Under the GDPR the senior management of a business has a duty to know about the content and operation of that business’s data compliance policies and controls and to oversee their implementation and effectiveness. The GDPR requires data controllers to be able to demonstrate compliance with the GDPR by showing the supervisory authority (the Information Commissioner’s Office) and individuals how the data controller implements those policies and controls, both internal and external.
The following represents a short summary of what a compliance regime should include under the GDPR and how this will probably affect your business.
Data protection officer (DPO)
The GDPR stipulates that any business which is involved in the processing of personal data which includes regular and systematic monitoring of data subjects, or the processing of sensitive personal data on a large scale, needs to have a DPO in place.
All businesses caught by the GDPR must encourage compliance and must provide staff with clear guidance. In order to minimise the risk of breaching the GDPR, and incurring the potentially significant consequences of doing so, we recommend an effective compliance training programme for personnel at all levels, including directors, heads of departments and potentially your key service providers.
To further assist with demonstrating compliance, any serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority.
Standards and procedures
In particular, you should carefully review all procedures for obtaining individuals’ consent as a legal basis for processing their personal data. For example, you will need to ensure that any consent obtained indicates affirmative agreement from the individual (opt in), such as by ticking a blank box. Merely failing to un-tick a pre-ticked box does not constitute valid consent under the GDPR. Furthermore, you must ensure that, once this explicit consent has been obtained, the individual can easily withdraw their consent at any time. Under the GDPR consent must be informed, unambiguous, freely given and specific.
You must also be in a position at all times to respond quickly to any data subject’s request (such as for a copy of all of the personal data held or to erase all such personal data). Other changes may be needed in certain circumstances, for example, the staff handbook regarding personal data collected from employee monitoring.
A written and comprehensive information security programme is needed to protect the security, confidentiality and integrity of personal data held. It should set out action plans for security breaches, disaster recovery and data restoration.
The GDPR also requires businesses to notify the supervisory authority of all data breaches without undue delay and where feasible within 72 hours. You should therefore carefully review your data breach response plans and procedures.
In practice, your business will need to establish policies and procedures for how you will handle each of these situations.
How can individuals give consent in a legal manner?
This is a key part of the GDPR that will affect all businesses: the requirement to obtain and keep a record of consents. The burden of proof that sufficient consent has been given lies with the company. That means if you are a business owner you will need to prove and show reasonable evidence that you have complied with the GDPR if you are challenged. So, going forward, if you send out email newsletters, you may have to change how you collect and store subscribers’ data. But, more importantly, the GDPR applies to all existing data.
That’s why you are likely to see many brands and organisations running re-permissioning campaigns before the GDPR comes into effect at the end of May.
- What is the process if an individual wants his data to be deleted?
- How will you ensure that it is done across all platforms and that it really is deleted?
- If an individual wants his data to be transferred, how will you do it?
- How will you confirm that the person who requested to have his data transferred is the person he says he is?
- What is the communication plan in case of a data breach?
Regular reviews
From time to time, your compliance regime should be reviewed and updated in the light of new laws and business activities.
As you can see, once implemented the GDPR will significantly increase the compliance requirements and consequences of breaching those requirements.
Brexit? The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes but our own law will be largely the same.
Somewhere deep in the internal workings of your business, you probably have all the information you need to create a GDPR-compliant policy. For example, the data you collect on your customers is likely lying around in your database and your email marketing system. Your office manager may know how long you keep each type of data, why you collect it, who you’re sharing it with, and how it’s being secured.
Your task now is to unearth all that information and collect it in one place and deal with the key issue of consent.