On 25 May 2018 the GDPR comes into force in Europe – the world's largest, single digital market – and any company handling the data of data subjects who live in any of the 28 EU Member States must be GDPR compliant, or risk facing hefty penalties of 4% of total global turnover or €20 million, whichever is greater.
The GDPR outlines the responsibilities of Data Controllers (organisations that process personal data) and Data Processors (companies that provide data hosting services) as well as the rights and freedoms of Data Subjects who include consumers, clients, employees, prospects or suppliers – indeed any stakeholder – whose personal data you hold.
No matter what size your company is, you will have to ensure you securely handle, store and use personal data. However, there is an exemption for firms with fewer than 250 employees that only handle data occasionally, although there are several stipulations indicating that you probably still should comply to be sure you avoid the penalties. Companies with more than 250 employees must employ a Data Protection Officer, who is responsible for making sure the business collects and secures personal data responsibly.
To shape the odds in your favour in the new GDPR world, first you have to be compliant and avoid the hefty fines that could put you out of business, and then you have to know how to turn it to your advantage. This article highlights some of the key themes to consider and points you in the direction of further information to help ensure your business is compliant.
It's 20 years since the last data protection laws were introduced and thanks to technology we now handle more data than ever before. It's taken 3 years to compile the GDPR and it contains 99 Articles. Ultimately, the GDPR protects data subjects more than ever before and should create more certainty and trust across Europe.
Instead of regarding the GDPR as a great dirty pain in the rectum that's nothing more than a load of new, difficult-to-understand regulations, if we view it as an opportunity it doesn't look so bad. And let's face it, as consumers we have become increasingly concerned about how our data is used, particularly in light of some catastrophic data breaches, such as that of telecommunications company TalkTalk, which faced its third data breach in the UK in 2016, resulting in a fine of £400,000 which would have been £70 million under the GDPR.
If we consider the GDPR as being about reputation, and reputation ultimately being about trust, then the GDPR becomes an opportunity for an organisation to strengthen its reputation. Compliance safeguards a company's reputation and non-compliance could destroy it, whilst also obliterating its share price. The GDPR also presents organisations with an opening to find new ways of using the data they hold to meet their business objectives, whether that's a change in perception or more sales, for example.
If data subjects feel confident that organisations holding their personal data are more accountable and transparent, they're more likely to give their consent to receive tailored, targeted messages and promotions. This enables a company to offer people more products and services that are well received, ultimately resulting in a better business.
According to Accenture, 57% of customers will share information if they know it won't be sold or shared, and 53% will share information if they know data protection safeguards are in place. Therefore, greater digital trust results in customers being more willing to share their personal data, giving companies the chance to understand more about their customers and be more relevant and valuable to them.
The GDPR is a risk-based approach to data protection and privacy, which is a different approach from before. Under previous data protection acts it was actually cheaper to pay the fines than to comply, as with TalkTalk, and this didn't instil trust; breaches in data protection were allowed to go unchecked for long periods of time. TalkTalk was informed by regulators of its vulnerability and did nothing about it. Now we have to look at data through the eyes of the data subjects and put their rights, freedoms and interests at the heart of what we do. Data subject protection has to be woven into everything an organisation does.
Some key points to consider include ingraining data protection into a business by design and by default after 25 May 2018. Any products or services offered after this date, in or outside the digital market, must be GDPR compliant to be lawful. That means organisations must be clear about what personal data is being processed, the risks this carries to data subjects, and what steps are in place to mitigate any such risks.
You must record how you ensure there's no harm or damage being caused as a result of processing personal data, have policies and procedures in place for subject data protection, and make sure the people in your organisation who handle subject data are properly trained. Policies and procedures for complying with the GDPR must be very visible and easy to understand in layman's terms, and they must not form part of other terms and conditions. And if any breach in data protection is found, it must be reported within 72 hours.
The definition of what constitutes personal data has been expanded under the GDPR. Article 4 states: 'Personal Data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'
Article 9(1) regarding special data states: 'Special personal data is defined as personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, sexual orientation, genetic data or biometric data.'
Under the GDPR data subjects have 7 fundamental rights. They can:
1. Request electronic access to, or copies of, his/her personal data (where the system allows)
2. Request rectification of his/her personal data
3. Request erasure of his/her personal data
4. Request the Data Controller to restrict the processing of his/her personal data
5. Object to the Data Controller processing his/her personal data
6. Request an electronic copy of his/her personal data to be transferred from one Data Controller to another Data Controller
7. Where the Data Controller processes personal data and one of the technical measures is automated decision making, object to this type of processing.
The Gold Standard of data processing is consent or contractual, which implies consent. The GDPR states: 'Where processing is based on consent, the controller shall be able to demonstrate that the Data Subject has consented to the processing of his/her personal data'; and, 'If the Data Subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.'
The processing of personal data must be 'legitimate'. Under the GDPR, processing personal data for direct marketing purposes is considered legitimate, but the legitimate interests must not override the rights and freedoms of the Data Subject. Basically, if you're going to use personal data for marketing purposes you have to let the data subjects know, and they have the right to refuse.
It's likely that processing personal data for postal or telephone marketing to landlines will be a 'legitimate interest', but email and SMS will be subject to the strict ePrivacy Regulation. This is another regulation, published in January 2017 as a proposed text, that aims to update the EU's current ePrivacy legal framework, which dates back to 2002 and was revised in 2009; it requires prior consent for cookies and electronic communications and covers the right to confidentiality, data and privacy protection, and more.
To sum up, here are five things you can do to make sure your business is GDPR compliant:
1. Understand what the GDPR means. Read up on it, attend talks, workshops and listen to webinars.
2. Get training for all of your staff. Hire a GDPR specialist. Appoint some key people to be able to pass the training on to new employees.
3. Think about the legal basis for processing personal data and whether legitimate interest, contract or consent is best for you.
4. Carry out a data protection audit and identify where you comply now, where you don't, and what action you need to take to comply.
5. Make sure you scrutinise your cloud and server suppliers (Data Processors) to ensure the contract complies with the GDPR.