Online exposure has reached a point where a person’s right to privacy is now under threat. The concept of privacy is not in question, but the way in which it is achieved is much more complicated than it sounds. The shiny new GDPR* intends to clamp down on how personal data is collected, stored, processed and transferred, and will come into effect on 25th May 2018.
*GDPR = General Data Protection Regulation
Have you ever entered your name into a search engine? If not, I suggest you do, as you may find some surprising (and entertaining) results. I, for example, found that blog that I ran during my studies at university.
And it’s still live, despite not being updated since (ahem) 2007.
Now, if I wanted to take the blog down, that’s my prerogative. I’m in control of it still, although it might require a password reset and a bit of admin. I decided to publish online, so it’s my responsibility to manage.
But if I shop online, or give my information freely in return for a specific benefit, if I’m completely honest, I’m not really sure how my information is stored anywhere. As consumers we are not in control, and a great deal of trust is required in order to complete our online transactions – monetary or otherwise.
Privacy is a basic human right.
To quote the United Nations:
This is where the GDPR comes in.
What is the ‘GDPR’?
GDPR is a set of tools that will enable the EU to regulate data protection in the 21st century, ensuring that any individual, business or organisation that handles personal data understands the right to anonymity and the importance of keeping personal data safe.
This will of course replace the existing Data Protection Act 1998.
To put it into context… data protection regulations haven’t been updated since computers looked like this:
Mobile phones were just for making calls, and looked like this (programmable ringtones were still pretty cool too)…
And you could get a whole loaf of bread for 51p.
So what does GDPR have to do with the price of bread?
To say that the existing Data Protection Act of 1998 is a little out of date is an understatement, given the advances in technology and connectivity.
But the essence of how businesses operate is unchanged – in simple terms, it’s an exchange of goods/services in return for remuneration. And in past years it’s been accepted (and in some cases ignored) that so many organisations hold personal data, and that there is little guidance on how that is regulated.
What happens if you don’t comply with GDPR?
The ICO are clamping down on businesses and organisations that misuse personal data. For example, Hamilton Digital Solutions Ltd were fined £45k in December 2017 for sending over 136,000 spam text messages.
Quite a blow for any budget.
What does GDPR mean for me?
When it comes to your business or department, what do you need to be aware of ahead of 2018, to make sure you are complying with GDPR?
The ICO have created a 12 step checklist to help you make sure you’re organised, which we’ve summarised below. However, it’s worth specifying that it’s important to refer back to EUGDPR.org to ensure you fully understand how your business or organisation needs to comply.
It’s coming into effect in May 2018.
Make sure you’re ready…
GDPR Actionable Checklist
- Make sure leaders and decision makers all understand the changes and implications for your organisation. They need to understand the impact. Privacy by Design is now a legal requirement – calling for inclusion of data protection as an intrinsic part of data systems, not as an afterthought.
- Even if you’re not based in the EU, but collect data from EU citizens, you’ll need to comply with GDPR regulations, and you’ll need a representative in the EU. If you operate in more than one EU member state, you must select which will be your lead data protection authority, following the Article 29 Working Party guidance.
- Understand how you collect and store personal data:
  - Do you ask people’s permission to be contacted with marketing information?
  - Avoid pre-ticked boxes for opt-ins. Instead, ask your customers to tick either ‘yes’ or ‘no’.
  - You need to record WHEN someone agreed to be contacted with marketing information. This could require a new procedure for data collection.
  - Do you allow people to opt out (e.g. an email unsubscribe link, or replying with ‘unsubscribe’)?
  - You may need to review procedures for collecting a person’s age, to comply with regulations around managing children’s data and their guardian’s consent.
- Understand how you use personal data:
  - The processing of personal data must be secure against loss or damage, and against unlawful processing.
  - You don’t need explicit consent to send a mailer, letter, brochure or catalogue, provided you make it clear how people can opt out of future mailings.
  - PECR says you don’t need consent for telephone marketing. HOWEVER, those on the TPS list should be excluded, as should businesses on the CTPS.
  - This (ahem) 39 page compendium sets out the rules around consent. Consent involves offering genuine choice and control.
  - Does your website have an SSL certificate? If not, get one installed.
- Understand the rights of people whose data you hold:
  - The right of access allows anyone to request access to the data that a company holds on them, and to know how it is processed and used. They are also granted the right to request a copy of the personal data, free of charge and in electronic format.
  - Data portability is new. It sets out the right of a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and their right to transmit that data to another controller.
  - Do you need a Data Protection Officer? The following cases apply:
    - Public authority (other than courts acting in their judicial capacity)
    - Large-scale systematic monitoring of individuals (e.g. online behaviour tracking)
    - Large-scale processing of special categories of data, e.g. those relating to criminal convictions/offences
- Understand how GDPR applies in relation to existing regulations:
  - If other regulations conflict with the newly formed GDPR, they overrule it. Simple as that.
  - PECR allows a ‘soft opt-in’, under which you can market similar offerings to existing customers. However, this will soon be replaced with stricter ePrivacy regulations, so keep this in mind.
- Understand data breaches and procedure:
  - Ensure you have procedures in place to detect, report and investigate a data breach.
  - If your data breach affects the rights and freedoms of individuals (i.e. resulting in any kind of discrimination, financial impact, etc.) then you MUST report it to the ICO.
Once you’ve picked yourself up off the floor and dusted yourself down, it’s worth noting that this list is not exhaustive, and there are many other aspects that you may need to consider.
The good news is that (if you’re reading this around the publishing date) you have around 5 months until the changes come into effect to get your house in order. This may involve hiring a Data Protection Officer, creating some new procedures for your business or organisation to follow in order to comply, and educating all relevant staff on the new requirements and implementing them.
If you need any help ensuring your website complies with GDPR, Miromedia may be able to help.