Businesses are gearing up to meet the requirements of the General Data Protection Regulation (GDPR). The deadline for compliance with this new law is 25 May 2018. So what is GDPR and what should you do?
About GDPR
GDPR builds upon our existing UK Data Protection Act. It sets out new rules for the collection, secure storage and usage of personal information. That’s information which enables you to identify an individual person, such as name and address data. GDPR unifies the rules across the EU. Despite the UK’s plan to leave the EU, the Government has confirmed UK legislation will continue to reflect the EU GDPR post-Brexit.
What’s new?
The new law is intended to give individuals greater control over their own data, including the ‘right to be forgotten’, as well as a means to get things put right when there is a problem. It also requires protection of children, with systems to verify individuals’ ages and to obtain parental or guardian consent. In the light of recent hacking scandals, GDPR sets out a sensible requirement for reporting any breaches of data security within 72 hours as well as new responsibilities for documenting processes. Any new system where there is a data protection impact must be introduced following a Privacy Impact Assessment.
Penalty for failure
Failure to meet these new rules will result in fines (as well as possible damage to reputation). At present the UK Information Commissioner’s Office can impose fines of up to £500,000 for breaches. Under GDPR fines of up to €20 million or 4% of annual turnover can apply.
Must all businesses comply?
GDPR applies to all companies. Companies with over 250 employees must appoint a Data Protection Officer who is responsible for ensuring personal data is collected, processed and stored correctly in line with requirements.
The new law recognises that small and medium-sized businesses have different responsibilities. It sets out a limited exemption for organisations with fewer than 250 employees, who only need to document processing activities that:
- are not occasional – or
- could result in a risk to the rights and freedoms of individuals – or
- involve the processing of special categories of sensitive data or criminal conviction and offence data.
So small businesses which regularly process personal data, handle data with big risks to the individual, or process sensitive data are still within the scope of GDPR. Otherwise they are exempt.
Of course, many small businesses supply big businesses. It is possible that their big customers may want them to comply as a condition of being their supplier.
What should you do?
Take a look at the guidance from the UK Information Commissioner’s Office.
In broad terms:
If your business has fewer than 250,000 employees, check whether you are exempt due to the size of your business and the low level of personal information you deal with. If your business has over 250,000 employees, appoint a Data Protection Officer.
Complete an audit of the information your company holds, noting what personal data you collect, store and use, including people’s names, addresses, phone numbers, email addresses and other personal information.
Make sure you have a lawful basis for processing personal data. If your organisation asks for consent as its lawful basis, then look at how you ask for, record and manage data. Update existing consents now if they don’t meet the GDPR standard. This requires clear explicit consent, which must be separate from your Terms and Conditions.
See the ICO checklists for asking for consent.
Check how data is recorded and processed. Make sure your systems can accurately track consent status. Where data is processed by third parties ensure your contract makes their responsibilities clear.
Write, publicise and implement a clearly written privacy policy to explain how personal information is used, how people may request a copy of the data held about them (known as a Subject Access Request), and the process for resolving complaints about any personal data held.
Legitimate interest or explicit consent?
Getting consent is not the only way to have a lawful reason for processing someone’s data. There are other lawful reasons. This includes the situation where you are legally allowed to handle this data if you have a ‘legitimate interest’. This is most likely to apply where you use people’s data in ways they would reasonably expect and ways that also have minimal impact on their privacy, or where there is a compelling justification. You can keep a record of your legitimate interest assessment to prove compliance.
Where legitimate interest applies, this should be stated within the company’s privacy policy, i.e. “we process personal data for legitimate business purposes which include…”
Legitimate interest can include direct marketing where GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ The organisation will need to show a balance between its own interest and those of the individual and provide an easy way to opt out. Legitimate interest can include a direct appropriate relationship. The most common example of this is where the individual is a client.
See the ICO guidance on Legitimate Interests.
This is a snapshot of GDPR requirements, but remember we’re professional marketers not lawyers so do check out your own circumstances with a legal professional. Follow these links to discover more about other more specialist requirements including profiling and data portability.
Talk to Mark at Marketing Zone about your customer communications. You can call Mark on 07801 419800, email mark@marketingzone.co.uk or tweet @MarketingZoneUK