Getting to grips with the GDPR
“Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments but for private companies.”
That call to action from Bill Gates (the co-founder of Microsoft) is going to be answered – for European citizens anyway – when the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. As a European regulation, the GDPR applies to all EU member states (and will continue to apply in the UK even after we’ve left the EU), without the need for each state to draft its own local legislation. Despite that, however, there are likely to be differences in how the GDPR is interpreted and enforced in different member states. In the UK, the Information Commissioner’s Office (ICO) is providing guidance around the regulation and will be responsible for ensuring compliance with it.
So what’s the GDPR all about and how will it affect businesses and individuals?
The GDPR is essentially a set of rules that lays out how businesses (anywhere in the world) will, from 25 May 2018, have to collect, process and store the personal data of EU citizens. The regulation is a measure imposed by the EU to increase the privacy of the individual by forcing businesses to comply with a higher level of data protection (as set out in Article 8 of the EU Charter of Fundamental Rights) and to harmonise data protection laws across the EU, making compliance less complex for international businesses.
In the UK, the GDPR is replacing and building on the existing Data Protection Act (DPA), so any business that has been complying fully with the DPA is in a good starting position for the GDPR. But time is getting short and there will be no period of grace, so if you haven’t started to think about GDPR compliance yet, you need to get cracking. Whereas the maximum fine for serious breaches of the DPA is £500,000, under the GDPR that maximum increases to €20 million or 4% of a company’s turnover, whichever is greater. At the same time though, while such penalties are punitive actions, but not with the intention of putting companies out of business, it’s likely that such fines will be reserved only for the most serious data breaches, such as that recently disclosed by Uber, which admitted that 2.7 million British customers and drivers had been affected.
What does the GDPR mean for marketing activity?
With regards to the use of personal data (which is “any information relating to an identified or identifiable natural person” and could include names, email or IP addresses, phone numbers, passwords, ID numbers), the GDPR applies to two accountable groups: “data controllers” (those who determine the purpose and means of processing the data) and “data processors” (those who process personal data on behalf of a data controller, e.g. an agency working for a client).
A key area of change under the GDPR concerns consent. At the moment companies are able to rely on a soft opt-in or a failure to opt out. Under the GDPR, consent must be given by a clear affirmative act, such as by a written (including email) or oral statement, and the consent must be “a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her…” Consent to receiving marketing collateral cannot therefore be made a condition of a sale, consent must be obtained for each element of any marketing activity, individuals must be informed why a company wants their data and what the company will do with it, and pre-ticked boxes, silence or inactivity will not count as consent – companies will have to keep records to be able to prove that consent has been given. It must also be easy for individuals to withdraw their consent and they must be told how to do so. Finally, it’s also worth noting that the GDPR does not state how long any consent lasts, but that the ICO advises: “Keep consents under review and refresh them if anything changes.”
As the positive opt-in will be crucial for any organisation that intends to rely on consent as the lawful basis (of the possible six) for processing personal data, some organisations are using a “double opt-in” process to ensure clarity. For example, when an individual submits a positive opt-in online, the person then receives an email requesting him or her to confirm who s/he is and that s/he consents to the specific marketing activity in question.
As any consent must be an “informed” indication, the request for consent must include “fair processing information”, typically through a privacy notice (so if you haven’t done so already, the first thing to do is to sort out your privacy policy). The GDPR sets out the information that must be included, which involves the following in summary:
- The identity and contact details of the data controller (and of the data protection officer, where applicable)
- The purpose of the processing and the lawful basis for doing so (if for “legitimate interests”, what those are)
- Recipients or categories of recipients with whom the data will be shared
- How long the data will be kept
- The data subject’s rights, including the rights to withdraw consent and to complain to the regulator
- Any contractual or statutory requirement to provide the data and the consequences of failing to provide it
- The existence of any automated decision-making and if so, the logic, significance and consequences
Regarding the data subject’s rights as mentioned above, the GDPR provides the following rights for individuals:
- The right to be informed – by being provided with the information above about how the personal data will be collected and used. This information has to be provided at the time that the data is obtained from the subject.
- The right of access – individuals may request information on how their personal data is being processed, including where and for what purpose. That information must be provided to the data subject free of charge and in a machine-readable, electronic format within a month of the request.
- The right to rectification – if personal data is incorrect, individuals are entitled to have it corrected within a month.
- The right to erasure – also known as the “right to be forgotten”, individuals can request that their personal data is deleted when:
- it is no longer necessary for the purpose for which it was originally obtained
- the individual withdraws their consent
- the personal data was processed unlawfully
- a legal obligation requires the data to be erased.
- The right to restrict processing – under certain circumstances.
- The right to data portability – enables individuals to obtain their personal data and reuse it for their own purposes across different services.
- The right to object – to processing based on, inter alia, the legitimate interest of direct marketing (including profiling). The right to object must also be clear in the company’s privacy notice.
- Rights in relation to automated decision making and profiling.
While the GDPR may sound burdensome for businesses, it should mean that consumers only receive marketing information from companies to which they’ve given their consent, so that engagement rates are likely to be higher. It will, of course, also mean that individuals can be more confident about providing their data to businesses as the data will be more accurate, of better quality and up to date, as well as being stored more securely. Increased data protection “by design” is a further principle of the GDPR, requiring businesses to ensure that their IT systems are up to the appropriate standard in advance of the May 2018 start date and referencing encryption and pseudonymization – separating personally-identifiable information from other data to avoid data loss – as a means of achieving the design objectives.
As a final point, it’s worth noting that, while the GDPR will apply to all businesses, in certain aspects, such as the appointment of a data protection officer and the requirement to maintain internal records of processing activities, the level of compliance is less for smaller organisations, i.e. those of up to 250 employees.
If any of the above is news to you and you’re unsure of how to start your compliance planning, I’d urge you to click on the following links to useful information on the ICO website:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
And don’t forget the date – the 25 May 2018 is a fixed deadline.