You may not have heard of it or may not really understand it, but it's big and it's coming. In fact, 25th May 2018 is when the General Data Protection Regulation, or GDPR, becomes law.
Basically, if you collect, manage, use or store any personal data of EU citizens, you’re processing EU personal data within the meaning set out by the GDPR.
You can’t ignore it as it will affect most businesses. Do you
• have a newsletter sign up on your website?
• keep details on your employees or suppliers?
• use a mailing list for networking or sales?
• make sales calls?
• need to collect personal information to carry out your business?
Then GDPR affects you.
SO, WHAT IS GDPR?
If you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information under the current Data Protection Act. Currently this means that you must
• only collect information that you need for a specific purpose;
• keep it secure;
• ensure it is relevant and up to date;
• only hold as much as you need, and only for as long as you need it; and
• allow the subject of the information to see it on request.
GDPR has many of the same principles as the Data Protection Act but strengthens the rights of individuals. These include
The right to be forgotten – An individual may request that an organization deletes all data held on them without undue delay.
The right to object – An individual may forbid the use of certain data.
The right to rectification – Individuals may request that incomplete data be completed or that incorrect data be corrected.
The right of access – Individuals have the right to know what data is being held about them, how it is used and what it is used for.
The right of portability – Individuals may request that personal data held by one organisation be transported to another.
GDPR also has stronger data processing requirements and places greater emphasis on the documentation that data controllers must keep to demonstrate accountability and the contractual relationship between controllers and processors. It also has far stricter and more financially punitive rules on data breaches.
WHO DOES GDPR APPLY TO?
The GDPR applies to what it calls ‘controllers’ and ‘processors’.
• A controller controls the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.
• If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
• If you are a controller, the GDPR requires you to ensure you have appropriate contracts in place with your processors to ensure compliance with the GDPR.
• The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
• The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
GDPR covers a vast range of compliance, so it’s impossible to cover everything here. The rest of this paper is an overview from a marketing perspective for small businesses. We’re assuming, therefore, that the data acquisition requires consent. Some businesses, e.g. a doctor’s surgery, may not need to gain consent, as this could prevent them from carrying out tasks critical to the service they offer. Remember that under GDPR, by giving consent, individuals have far greater rights over their data, including the right to object or to be forgotten.
For more information on this visit https://ico.org.uk/
OK, SO WHAT DO I NEED TO DO?
Firstly, you need to understand the personal data that you hold, how you collected it and what you do with it. Questions to ask yourself are:
• What is the ‘lawful process’ for processing data?
• What data do I actually need for my business?
• How old is my data – how long do I need to keep data for?
• How do I collect my data – do I get specific consent?
• Do I share this data with third parties, for example my marketing agency?
• Where do I store the data?
So, for example, you collect data to send out email newsletters on your business services. You use a mailing list curated from website sign ups and network events from the last 5 years. You use MailChimp and store the data on your hard drive.
There is also data that you might not be aware you collect. If you’ve got Google Analytics on your website then you are collecting data too, as GDPR also applies to data that could be traced back to an individual, such as their computer’s IP address.
If you have a mailing list you need explicit permission to email individuals, i.e. they must have opted in. This is called giving their consent. Silence, pre-ticked boxes or inactivity does not imply consent.
GDPR also applies to data that was collected in the past. If you’re unsure whether the data you currently hold will comply with GDPR then you’ll need to get fresh, affirmative consent for all the personal data you possess. You could do this by contacting your mailing list and asking them if they would still like to receive information from you. Remember they will have to explicitly give consent. If you’re emailing them to ask for this then they will have to click a link to give consent. If you’re sending a mailer by post you’ll have to ask them to send back a reply (a pre-paid envelope will help with response). Yes, this does mean your mailing list is going to get a serious culling, but on the flip side it means that those people who remain on your list are committed to your business.
From May 2018, all your avenues of data collection will need to have explicit consent and also the ability to unsubscribe from your database be that direct mail or an e-newsletter. So, if you have a newsletter sign up on your website you will need to ask them to specifically subscribe. You may have experienced this yourself. You sign up on a website, receive an email saying, ‘hey just checking you wanted to subscribe to our newsletter, if so please click the subscribe button here’. This is called ‘double opt in’. And any communication with your database must have the option to unsubscribe or opt out. It may lead to fewer subscribers but again these subscribers are actively committed to your business.
You will also need to record when they gave you permission and log what they were shown when they opted in. This could be an email notification when somebody subscribes, provided it shows which boxes they ticked. And you’ll need to store that email securely for reference.
Why? Because, as mentioned, giving consent gives individuals the right to access the data that you hold on them: they have a right to see what data you hold and to ask for that data to be deleted. You also need to plan how you would handle such a request.
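The double opt-in, consent-logging and access/erasure handling described above, as an added worked example in Python (not code from the original paper, and not an endorsement of any particular product). It assumes an in-memory dictionary standing in for your real database, a random single-use token carried in the confirmation link, and a made-up 7-day expiry for unconfirmed sign-ups; the form version name, box labels, e-mail addresses and timestamps are all constructed for the illustration.

```python
"""Double opt-in consent register (added illustration, not from the original paper).

Assumptions not stated on the page: an in-memory dict stands in for a database,
confirmation links carry a random single-use token, and unconfirmed sign-ups
expire after 7 days.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(days=7)  # assumed expiry window for an unconfirmed sign-up


@dataclass
class ConsentRecord:
    email: str
    form_version: str             # which version/wording of the sign-up form was shown
    boxes_ticked: list[str]       # exactly which boxes the subject ticked
    requested_at: datetime        # when the sign-up form was submitted
    token: str | None             # single-use confirmation token e-mailed to the subject
    confirmed_at: datetime | None = None
    withdrawn_at: datetime | None = None
    history: list[str] = field(default_factory=list)  # append-only audit trail


class ConsentRegister:
    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}

    def request(self, email: str, form_version: str, boxes_ticked: list[str], now: datetime) -> str:
        """Step 1 of double opt-in: record what the subject was shown and issue a token."""
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email.lower(), form_version, list(boxes_ticked), now, token)
        rec.history.append(f"{now.isoformat()} requested via {form_version} boxes={boxes_ticked}")
        self._records[email.lower()] = rec
        return token  # goes into the 'please click to confirm' e-mail

    def confirm(self, token: str | None, now: datetime) -> bool:
        """Step 2: the subject clicks the e-mailed link. Token is single-use and expires."""
        if not token:
            return False
        for rec in self._records.values():
            if rec.token == token:
                if now - rec.requested_at > TOKEN_TTL:
                    return False  # stale link: no affirmative consent recorded
                rec.confirmed_at = now
                rec.token = None  # burn the token so the link cannot be replayed
                rec.history.append(f"{now.isoformat()} confirmed")
                return True
        return False

    def withdraw(self, email: str, now: datetime) -> None:
        """Unsubscribe / opt-out: keep the record, but log the withdrawal."""
        rec = self._records.get(email.lower())
        if rec and rec.withdrawn_at is None:
            rec.withdrawn_at = now
            rec.history.append(f"{now.isoformat()} withdrawn")

    def may_email(self, email: str) -> bool:
        """Only confirmed, not-withdrawn subjects may be mailed."""
        rec = self._records.get(email.lower())
        return bool(rec and rec.confirmed_at and rec.withdrawn_at is None)

    def access_request(self, email: str) -> dict | None:
        """Right of access: everything held on the subject, including the audit trail."""
        rec = self._records.get(email.lower())
        return asdict(rec) if rec else None

    def erase(self, email: str) -> bool:
        """Right to be forgotten: delete the record; True if something was removed."""
        return self._records.pop(email.lower(), None) is not None


def run_scenario() -> dict:
    """Worked run-through of the lifecycle, returning the checks a test can assert on."""
    reg = ConsentRegister()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    token = reg.request("Alice@Example.com", "newsletter-form-v2", ["marketing_email"], t0)
    results = {"before_confirm": reg.may_email("alice@example.com")}
    results["confirmed"] = reg.confirm(token, t0 + timedelta(hours=1))
    results["after_confirm"] = reg.may_email("alice@example.com")
    results["token_reuse"] = reg.confirm(token, t0 + timedelta(hours=2))
    results["history_len"] = len(reg.access_request("alice@example.com")["history"])
    reg.withdraw("alice@example.com", t0 + timedelta(days=30))
    results["after_withdraw"] = reg.may_email("alice@example.com")
    # A confirmation arriving after the token has expired is rejected.
    stale = reg.request("bob@example.com", "newsletter-form-v2", ["marketing_email"], t0)
    results["stale_confirm"] = reg.confirm(stale, t0 + TOKEN_TTL + timedelta(seconds=1))
    results["erased"] = reg.erase("alice@example.com")
    results["after_erase"] = reg.access_request("alice@example.com")
    return results


if __name__ == "__main__":
    for check, value in run_scenario().items():
        print(f"{check}: {value}")
```

The point of the `history` list and the `form_version`/`boxes_ticked` fields is the record-keeping requirement in the paragraph above: when a subject asks what you hold, or the ICO asks you to demonstrate consent, you can show exactly what wording they saw, which boxes they ticked and when they confirmed, without relying on a loose folder of notification e-mails.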
If you’re collecting data on children then GDPR has additional provision that you’ll need to be aware of. For more information on children’s data visit https://ico.org.uk/
SHARING YOUR DATA
If you use third parties that will be processing your data, e.g. marketing agencies, MailChimp etc., then you need to ensure that they are GDPR compliant and that you have appropriate contracts in place to ensure that processing carried out by the third party meets all the requirements of GDPR. Controllers are liable for their compliance with GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of GDPR will be met and the rights of data subjects protected. Likewise, processors must only act on the documented instructions of a controller. They can also be held directly responsible for non-compliance with GDPR or the contract terms.
You’ll find that most major processors such as MailChimp and Active Campaign are getting ready for GDPR and will support their customers with compliance.
WHAT HAPPENS IF I SUFFER A DATA BREACH?
If such a breach is likely to have a significant detrimental effect on individuals e.g., result in discrimination, damage to reputation, financial loss, loss of confidentiality or leave them open to identity theft then you need to notify the ICO within 72 hours of finding the breach. They will assess the severity of the breach and act accordingly. Failure to do so can result in a huge fine. Again, if you’re not sure visit the ICO website https://ico.org.uk/
You may also not be aware that the Data Protection Act 1998 requires every data controller, from large organisations to sole traders, who is processing personal information to register with the ICO. There are exemptions, but this requirement will carry over into GDPR. You can register at https://ico.org.uk/
This paper is just an overview of GDPR and does not provide legal advice. If you need help, the ICO website is extremely helpful and has numerous resources and checklists including