GDPR – What you Need to Know


Billed as the most important change in data privacy regulation in the past 20 years, the General Data Protection Regulation (GDPR) is the latest attempt by the European Union to change the way organisations approach data privacy.

The new regulations came into force on 25 May 2018, and apply to all companies handling the personal data of EU citizens regardless of the company’s size or location. The general thrust is that from now on companies need to…

  • Have a lawful basis for the collection and processing of individuals’ personal data.
  • Be more transparent about what data is being collected, how it will be used and how long it will be kept.
  • Allow individuals to access a copy or request the removal of their personal data.
  • Adopt a ‘privacy by default’ approach to the design of services.
  • Document all of this in a readily understandable form.

What counts as personal data?

Personal data is any information that could be used to identify an individual, either directly or indirectly (i.e. by cross-referencing that information with other data sources). Names, email addresses and billing details are obvious ones, but even a computer’s IP address counts, which broadens the net considerably. So whether your website features an online store, contact forms or simply uses any of the common visitor analytics solutions, you will be collecting some form of personal data.

Practical steps

To help move your organisation towards compliance there are some relatively straightforward steps you can take.

  • Appoint a Data Protection Officer.
  • Conduct an audit of your current data handling practices.
  • Register with the Information Commissioner’s Office (where relevant).
  • Update your public-facing policies and opt-in processes.
  • Plan how you will process requests for updating and removal of personal data.
  • Put policies in place to adopt the ‘privacy by default’ approach.
  • Document all of the above.

Now let’s explore each in a bit more detail to understand how you can actually put each of those steps into practice.

Appoint a Data Protection Officer

This should probably be your first step. Identify who in your organisation will be responsible for all things data protection and assign them the role of Data Protection Officer (DPO). They can be an existing employee (as long as it doesn’t cause a conflict of interest) or an external contractor. The important thing is that they must have a good understanding of the role and the necessary authority and resources to carry it out effectively. Your DPO will be a named individual on all your public-facing documentation and the first point of contact for both regulatory bodies and individuals with privacy concerns.

Audit your current approach

To respond effectively to GDPR you need to understand what data you capture and how it is handled. Our suggested way to get started is to create a simple spreadsheet with a column for each of the aspects listed below and fill this in for every type of customer data you hold. This should quickly provide an overview of your current position. It’s likely that whoever you appoint as DPO won’t hold the full picture, so you may need to involve team members from sales, marketing and technical development to ensure you have everything covered.

  • Data type
  • Collection point
  • Purpose
  • Form of consent
  • Storage method
  • Retention period
  • Who has access
  • Access methods

Remember to include any third-party services you use such as payment processors, email marketing providers or online backup solutions who might be processing or holding your customers’ private data on your behalf. Seek out their privacy policies and add the relevant links to your spreadsheet.

In the course of this initial audit you will probably find areas where data is being collected needlessly, shared too freely or retained beyond its practical use.

Making changes in these areas now will reduce your liability, minimise the complexity of your future paper trail and of course be a positive outcome for the data subjects affected too. It’s all too easy just to hold onto data, letting it build up in offline archives or in online databases – but as it does, the potential impact of any compromise also grows. This doesn’t mean you need simply throw it all away: old data can still have the potential to unlock future insights, but often you don’t need the full detail. Anonymising records or summarising information from old datasets are two alternative options.

Registering with the ICO

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to register with the Information Commissioner’s Office (ICO) and pay a data protection fee, unless they are exempt. The cost depends on the size and turnover of your business, with tiered annual fees ranging up to £2,900. However, most organisations will pay between £40 and £60.

Depending on the types of data you handle and the nature of your business you may be exempt. The easiest way to find out is to use the ICO’s online self-assessment tool, which asks a few simple questions to quickly let you know where you stand.

Update your privacy policy

The GDPR places greater emphasis on transparency with your customers and your ability to demonstrate accountability to regulators. So if you don’t already have some solid privacy and data security policies in place, now is the time to create them.

A good place to start is with your public-facing privacy policy. Every website should have one of these and under GDPR it needs to be transparent, understandable and comprehensive.

Generic catch-all phrases like ‘we may share your data with selected third-parties’ need to be clarified with details about who those third parties are, what data is being shared, for what purpose and how it will be handled.

Luckily your initial audit will furnish you with most of the basic information you need and so the main challenge is presenting it in an accessible way for your users.

We suggest breaking your privacy policy down by the main interactions someone might have with your service and explaining for each of these what personal data is captured (and why), how it is used and how long it will be retained. Those interactions could be something like filling in an enquiry form or completing a purchase. Whatever it is, try to keep your explanation as clear and jargon-free as possible: think plain English rather than verbose legalese. A top tip here is that if you come across anything you’re currently doing that you struggle to explain or justify in your privacy policy, that’s usually a good sign that it might be worth a re-think.

Including some dedicated sections detailing the third parties you share data with and any tracking cookies that your website might set will help make this crucial information easier to access for your customers. You’ll also want to name your point of contact for data protection queries and explain how an individual can make a request to have their details updated or removed. GDPR states that you will need to respond to any such requests within a month and have taken action on the request within three months. Whatever bar you set yourself, it’s a good idea to include an indication of how long someone might expect to wait for a response to their request and explain how it will be handled.

Prepare your documentation

The other type of documentation you need to have ready for GDPR are internal records of your data processing activities. This is the information you’ll need should you ever be called upon to demonstrate compliance or defend against a formal data protection complaint. There are three types of document you should consider creating:

  • Clear policies for how data should be handled within your organisation.
  • A log of processing activities.
  • A stated legal basis for the collection of each type of personal data.

These documents will help you do a better job of protecting your users’ privacy by ensuring staff are aware of how to process data responsibly and enabling you to keep track of that data from the point of capture, through your internal systems and out to third parties. Although they might be initially time-consuming to put in place they will certainly pay you back in time saved answering any future queries from data subjects or dealing with the due diligence around any data breach.

One important aspect your policies should encompass is how you are incorporating the concepts of Privacy by Design and Privacy by Default (PbD) into everything you do. In other words, what technical and organisational measures are you taking to ensure that, by default, only such personal data as is strictly necessary is being collected, and that appropriate safeguards are in place to protect it while you hold and process it. While some broad value statements are undoubtedly useful here to help set the right tone, identifying some specific technological solutions like encryption and pseudonymisation as integral to the design of your service will go a long way to demonstrating that you are serious about PbD. It’s worth stressing here that GDPR recognises that not all companies have equally deep pockets when it comes to funding data protection. What it expects is a reasonable balance of costs against the potential risks.
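The retention and pseudonymisation measures mentioned above (and the “anonymise or summarise old data” option in the audit section) can be expressed as a small data-minimisation routine. The following is an added example written for this article, not the author’s own tooling: it assumes a two-year retention period, a constructed set of customer records, and a hypothetical HMAC key that would in practice be held apart from the data.

```python
import hmac
import hashlib
from collections import Counter
from datetime import date, timedelta

# Constructed sample records (not real customers). "collected" is the capture date.
RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "postcode": "SW1A 1AA", "collected": date(2016, 3, 1)},
    {"name": "B. Example", "email": "B@example.org", "postcode": "SW1A 2BB", "collected": date(2018, 4, 20)},
    {"name": "C. Example", "email": "c@example.org", "postcode": "M1 1AE", "collected": date(2015, 9, 9)},
]
RETENTION = timedelta(days=365 * 2)  # assumed retention period from the data audit

# Hypothetical key: in a real deployment it lives in a secrets store, never beside the records.
PSEUDONYM_KEY = b"replace-with-a-secret-key"


def pseudonymise(value: str) -> str:
    """Keyed HMAC token: stable across datasets (so records can still be joined),
    but not reversible by anyone who holds only the data and not the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def postcode_area(postcode: str) -> str:
    """Keep only the outward code (e.g. 'SW1A'): enough for demand-by-location summaries."""
    return postcode.split()[0].upper()


def apply_retention(records, today):
    """Records older than RETENTION lose name and email; location is coarsened.
    Recent records are returned unchanged so they can still serve the original purpose."""
    out = []
    for r in records:
        if today - r["collected"] > RETENTION:
            out.append({"customer_id": pseudonymise(r["email"]),
                        "area": postcode_area(r["postcode"]),
                        "collected": r["collected"]})
        else:
            out.append(dict(r))
    return out


def demand_by_area(records):
    """Aggregate count per postcode area, working on both full and reduced records."""
    return Counter(postcode_area(r["postcode"] if "postcode" in r else r["area"]) for r in records)


def process(today_iso="2019-01-01"):
    """Run the retention pass as of the given date and return (records, summary)."""
    reduced = apply_retention(RECORDS, date.fromisoformat(today_iso))
    return reduced, demand_by_area(reduced)
```

The summary still answers “where is demand coming from” after the pass, while the expired records no longer carry names or email addresses.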

Identifying your legal basis

The importance of this aspect can’t be overstated. If you have no legal basis for collecting or processing an individual’s personal data then it doesn’t matter how carefully you handle it or responsive you are to removal requests, you won’t be in compliance with GDPR or even previous UK data protection laws. It is probably also worth reiterating at this point that we aren’t qualified data privacy lawyers so you should treat what follows as a starting-point for your own research. If in doubt always seek expert legal advice.

There are a number of different legal bases upon which you can legitimately process an individual’s personal data. These include consent, contractual necessity, compliance with legal obligations and legitimate interests.

If your stated legal basis is consent (where data is processed on the basis that the data subject has consented to such processing) then under GDPR you just need to be extra sure you actually have it. Consent under the previous data protection law has always required an unambiguous, affirmative action to count as consent – so failure to do something (like unticking a pre-ticked box) does not equal consent – and GDPR goes further in clarifying this. The bar is set even higher for sensitive personal data like medical records, where nothing short of provable, explicit consent is sufficient. And in situations where you need to process the data of children under the age of 16, parental consent will also be required.

Sometimes you may have a perfectly reasonable desire to process data in a way you don’t have direct consent for and which isn’t covered by contractual necessity or a need to comply with other legal obligations. In these cases ‘legitimate interests’ could be cited as your legal basis, as long as your use doesn’t compromise the rights and freedoms of the data subjects in question.

For example if you collect address information as part of an online checkout you would obviously need direct consent to sell that data to a third party, but you could have a legitimate interest for aggregating it with other customer data you hold to identify broader patterns in customer demand by location so that you can improve your service.

Or if someone opts out of your direct marketing it would be legitimate to hold on to some of that data subject’s personal data in a suppression list to ensure that no further marketing materials are sent. This doesn’t mean you shouldn’t include this information in your privacy policy, just that you wouldn’t need someone’s direct consent to use their personal data in this way.

Where next?

GDPR is viewed by many as a long overdue rebalancing of the individual’s interest in controlling their personal data against the interests of companies which, up to now, have treated any data they can harvest and leverage as fair game, with little obligation to protect it. But naturally, any new regulation brings with it the fear that unnecessary burdens or obstacles are being introduced that will fundamentally change the way we are able to do business.

For most businesses whose activities aren’t centred around processing sensitive personal data, achieving compliance should be straightforward. Yes, there will be some up-front work to get your paperwork and practices in order, but the main change will be in the way we think about data protection, which ultimately should benefit everyone.