If you use the internet, the General Data Protection Regulation (GDPR) will affect you! On the 18th May 2018, the new GDPR will come into force. AsOne have written a ‘snapshot’ guide to help you get ready.
First things first: you may be thinking that it won’t affect UK businesses after Brexit. However, the current interpretation covers any company, anywhere, where the data of an EU citizen is stored. Not only that, but the Information Commissioner’s Office (ICO) has indicated that this regulation will be adopted into UK legislation pre-Brexit, since it comes into force before the Brexit date.
The regulation text is long, very long. We have listed below the main takeaway points you should consider to help you make progress towards compliance before the deadline. Of course it goes without saying that this does not replace professional legal advice.
A lot of talk centres on the possibility of huge fines. This is being used by so-called GDPR experts to scare businesses into buying software or policies to guarantee compliance. Don’t fall for it. Compliance is not solved with a piece of software, policies or some new terms and conditions. Compliance is an ongoing process and, since the regulation is still quite vague in certain areas, nobody can claim to be an expert. Much like the scaremongering that followed the EU Cookie Law, fines are unlikely unless you are not making progress towards compliance or ignore official warnings and recommendations.
Eight Points to Consider
The GDPR covers personal data or data that could be linked to personally identifiable data. This includes your customers (of course) but don’t forget your suppliers and your staff. They are all covered by the GDPR. Current thinking is that B2B data is treated no differently if it contains personally identifiable data. For example firstname.lastname@example.org is not personally identifiable but email@example.com is personally identifiable.
No longer will it be acceptable to ask users to opt out of sharing data or receiving marketing information. The regulation is clear that all processing of data must have explicit consent. As a rule of thumb, if the data you hold has not been given to you with clear consent to it being processed, you shouldn’t process it.
It is assumed that transactional data processing such as sending out receipts for purchases will be exempt, however the advice is to get users to opt-in anyway. Many websites already won’t let you proceed unless you agree to their terms and this may extend to opting into having your data processed too.
ACCESS TO DATA
Anyone whose data you hold will have a right to access it within 30 days of their request. There will no longer be a provision to charge for this data request. Of course, if your customers’ data is available via a public login (e.g. a ‘my account’ section on an eCommerce site) then they already have access with your assistance. However, if you hold data elsewhere (e.g. an accounts package) and the user does not have access, then you will have to comply with the request within 30 days.
If you hold data on any person they will have the right to be ‘forgotten’. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing only in specific circumstances, typically when there is no compelling reason for its continued processing. If you have legal obligations to store data, this should supersede the user’s request to erase their data, but may affect your ability to continue to use or process it.
DATA PROTECTION OFFICER
A Data Protection Officer (DPO) should be appointed if your organisation is large, a public authority, collecting mass data or CCTV monitoring. Unfortunately there is no guidance on what constitutes a “large” organisation. For most SMEs no DPO will be required, however, somebody in your organisation will still need to be responsible for GDPR compliance. If you do need a DPO then that person cannot be conflicted. They can’t, for example, be head of IT or be responsible for any of the data assets.
Do you have third parties processing data for you? You probably do if you have a website, use online software or outsource any of your data processing requirements. You might also be the third party, processing data for other organisations. The GDPR will extend to those persons processing data, not just the controllers (owners) of the data. It is vital, if you are the controller, that you put in place contracts with clauses that detail how a third party can process data on your behalf. It is the controller’s responsibility to put these processes in place. Since AsOne host 100s of websites, we will be contacting all our clients to remind them to ensure they draft contracts to protect themselves.
Are you protected? Are your website and data secure? Is your data encrypted? Has your site got an SSL certificate? When the GDPR comes into force, any data breach must be reported to the ICO within 72 hours of you becoming aware. Of all the regulations, it will probably be this one that lands you in hot water if you are not compliant. The GDPR is not designed to enforce security measures; it’s all about how you deal with data. That being said, if your data is secure then the possibility of a breach is minimised and you are less likely to fall foul of the GDPR.
There is an easy win that will reduce your workload and help with your compliance. Data is not limited to digital media, GDPR covers paper documents and any other forms of data storage.
Quite simply, if you are holding data that you don’t need, are not legally required to keep or don’t intend to use, delete it. If you haven’t got it, you don’t have to worry about whether your process is compliant.
It’s all about demonstrating compliance or progress towards it. So, to help you, we have created a checklist to get you started. “Get you started” is an important phrase: as mentioned previously, GDPR is an ongoing process and it is likely to continue to evolve in the short and long term.
INFORMATION ASSET REGISTER
Make a list of all the locations where you store personal data. That includes the boxes in the store room, your email accounts, websites, CRM system and much more. Remember this is for personal data; it doesn’t matter if it is for a customer, supplier or employee. A simple spreadsheet will do. Record the following information:
- Name of the Asset
- Owner (who is responsible for it in your organisation)
- Processor (who is processing the data, is it a 3rd party)
- Shared (is the data shared, and with whom)
- Does it contain Personally Identifiable Information?
- What format is it in (digital, paper, etc.)
- Retention (any legal obligations to retain data, how long will it be kept)
- Risks (what risks to the data can you foresee)
PRIVACY IMPACT ASSESSMENT (PIA)
Once you have identified your data assets, you can assess them.
- Describe the information flows. How is data recorded, stored and processed?
- Identify the privacy and related risks. How could data be compromised?
- Identify and evaluate the privacy solutions. How can you protect the data?
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan by your organisation’s heads.
- Consult with internal and external stakeholders as needed throughout the process
POLICIES & PROCEDURES
Once you have identified the data, the risks and how you can mitigate them, implement policies and procedures to act on that information and further reduce risks. Ensure you have a process in place to cover how your organisation responds to data requests and data breaches. Most importantly, you need to schedule regular reviews of your policies and procedures.
None of this makes any difference if your employees and third parties don’t know about it. An important part of your procedure is to ensure your employees and third parties are clear about their roles and responsibilities.
The main takeaway is to ensure you start this process soon. Again, the emphasis is on “start”; it is unlikely that most organisations will ever be “finished”. The most important thing you can do is identify what data you hold and start from there.
As always, if you would like to discuss how GDPR impacts your website or digital marketing you only need to get in touch and we would be happy to help.
ICO’s GDPR Overview:
Privacy Impact Assessment Guidance: