The new regulation
The General Data Protection Regulation (GDPR) has been coming up a lot in conversations with business leaders recently. Although most people know it is very important, many still do not have a clear picture of what it is and what it means for their business. This short feature provides an executive-level overview of the regulation and of what you need to do about it. Hopefully it gives leaders and marketing managers enough information to ensure action is taken to comply and to avoid the risk of expensive penalties for breaches.
GDPR will apply in the UK from 25th May 2018. It is an enhanced regulation which replaces and extends the scope of the existing UK Data Protection Act 1998 (DPA). Organisations fully complying with the existing DPA will still have to take some action. If you don’t already comply with the DPA – and many don’t – you may have a lot more work to do.
The Information Commissioner’s Office (ICO) has very detailed guidance on its website which is extremely useful, but probably too much detail as a starting point. Here is a summary of the key areas to consider.
What it covers
GDPR covers the storage and use of data about identifiable individuals. This is also referred to as Personally Identifiable Information (PII). It covers any information that is linked to a person’s name or to some other way of identifying them, including email addresses, National Insurance numbers and IP addresses. Summarised or completely anonymised data is not covered because it does not identify a person.
The data covered by GDPR now includes information held electronically and in referenceable paper and film records. This has implications for millions of records currently held in archives.
Who is affected
The most significant change brought by GDPR is accountability. It refers to two categories of organisation that are responsible for data:
- Controllers – who say how and why data is processed
- Processors – who process the data on the Controller’s behalf
Processing includes any form of electronic data management. Storing, accessing, reporting, analysing and printing are all “Processing”.
Many organisations act as both Controller and Processor. However, if you are a Controller and outsource all of your data storage and management to a Processor, you are still accountable as the Controller and you are obliged to ensure your Processor complies with GDPR. As the Controller, you face penalties if your Processor is in breach.
The other new area of accountability is that you have to be able to demonstrate how you will comply or are complying – it is not enough simply to comply. This means that you must have documented procedures and keep meticulous records of what processing you have done. This has implications for the data itself, as you will see later.
There are some general conditions for processing data – some obvious, but some which can catch you out. Article 5 of the GDPR requires that personal data shall be:
- Lawfully, fairly and transparently processed.
- Used for the purpose it was collected for, and no more. You cannot collect data for one purpose and use it for another. For example, your insurance company cannot sell your personal data relating to your house insurance to a double glazing company.
- Limited to what is necessary for the purpose it was collected for. This prohibits collecting data for another purpose. For example, if you sell insurance, you cannot collect data about income when selling motor insurance so that you can return later and sell life insurance. Income is not relevant to the sale of motor insurance.
- Accurate and kept up to date. This relates to the storage of inaccurate information. Data can go out of date; for example, a person’s income, which affects credit limits, may change. For fair treatment, credit approval needs to take account of current income, not income from several years ago.
- Kept for no longer than necessary. Data no longer used must be destroyed. Files are often kept on disks which have not been accessed for years; these could contain out-of-date PII, which is effectively a breach of GDPR.
- Processed in a secure manner. If data is lost, stolen, seen by unauthorised persons or hacked, it is a breach. It is the Processor’s responsibility (and the Controller’s, if they are not the same organisation) to ensure none of this happens, so data must be very carefully protected from hacking, loss or unauthorised access in any form.
Rights of the Individual
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The most significant rule for marketing teams is that consent must be sought from the individual before processing their data. This consent must be freely given and specific. This means there must be an opt-in process, and you cannot use pre-checked boxes or written assumptions. You must also be able to prove that this consent has been given, so you must keep a record of the opt-in activity. You must also provide individuals with the ability to withdraw their permission at a later date.
The GDPR provides the following rights for individuals. Much of this is already covered in many data and privacy policies but it must also be supported by internal processes so you can demonstrate compliance.
- The right to be informed so they know what data is held and for what purpose.
- The right of access, so they can see what data is held.
- The right to rectification. Individuals are entitled to have personal data corrected if it is inaccurate or incomplete.
- The right to erasure, so they can ask for data to be deleted.
- The right to restrict processing, in other words allow data to be used only for agreed purposes.
- The right to data portability, which allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
- The right to object.
- Rights in relation to automated decision making and profiling – a significant factor in modern marketing. The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Knowing and complying with GDPR is not sufficient. The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. You will need to have specific processes in place and maintain more detailed compliance records. For example, you will need to keep a record of each individual’s opt-in permission process and date to prove that you comply with the rights above.
The ICO has championed best-practice tools such as privacy impact assessments and privacy by design for a long time. These are now legally required in certain circumstances.
Transfer of data
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR. Transfers may be made where the Commission has decided that a third country or territory ensures an adequate level of protection.
Penalties
Under the new rules there will be much higher fines than previously. Different bands of fines will apply to three different categories of infringement. The highest level of fine is a maximum of either €20 million or 4% of the global annual turnover of the business, whichever is the greater.
Penalties are against the organisation and directors, not the individual staff members who may have caused the breach. This is why it is essential that everyone coming in contact with personal data is fully aware of and complies with the requirements, and the processes in place to ensure they are met.
What to do now
Here are 10 crucial steps for business leaders and marketing executives to take now:
1. Set up an “impact assessment process”. This is a term which compliance officers like. It means reviewing what you do with data that falls within the definition of PII, and identifying areas of risk in your data and processing activities.
2. Prepare resources internally to review and update everything, including new detailed documentation and records ready to be produced for inspection. It is unlikely the ICO will swoop, but it is highly likely that you will at least be questioned on it by corporate customers.
3. Review all key data processes for electronic and manual records.
4. Review all existing data held anywhere in the business, especially old marketing campaign data and manual records, which will probably be non-compliant.
5. Ensure that new aspects such as explicit consent, the right to be forgotten and the right not to be subject to profiling are all included in policies and procedures. If you don’t have policies and procedures, you can buy templates or obtain them from trade membership organisations such as the IoD and the FSB.
6. Review your suppliers and supplier contracts. You will need to ensure that you have the contractual rights to insist on compliance from your Processors if you use them.
7. Put in place a data breach notification procedure, including detection and response capabilities (see point 5). You may need to consider purchasing special insurance.
8. If applicable, appoint a data protection officer. If not applicable, you must nominate an individual to take responsibility for GDPR compliance activity.
9. Train staff on all aspects of the regulations: data storage, processing, disposal, liaison with the individuals themselves, areas of risk (from data transfer to malicious attack), and procedures for dealing with a data breach.
10. Check your processes regularly in order to identify and rectify issues.
This is not a complete guide. It is intended only as an introduction and overview. For more detailed information, please visit the Information Commissioner’s Office website, which also has useful guidance notes.