The General Data Protection Regulation was first proposed in 2012, and what followed was four years of discussions, debates, and amendments, with the regulation finally adopted by the European Parliament in 2016. Countries, companies, and organisations were given two years to comply, with the regulation being enforced from 25 May 2018. What originally seemed like a reasonable amount of time to prepare has passed quickly, and at the time of this writing, enforcement of the GDPR is barely five months away.
Much has already been written and discussed in the public domain regarding the GDPR, but still, many business owners are a little unsure of what the GDPR entails, and whether or not they are affected. With this GDPR guide, I hope to add some clarity, explaining what the General Data Protection Regulation is, which businesses it affects – and how – along with answers to some common questions frequently asked about the GDPR, and some steps you can take to move your business towards compliance.
We’ve put together a neat contents table to quickly jump to whatever it is you need to know about GDPR.
Table of Contents
- 1 In Plain English: Everything You Need to Know About the GDPR
- 2 Big Questions About the General Data Protection Regulation
- 2.1 Will the GDPR affect me?
- 2.2 Will the GDPR apply after Brexit?
- 2.3 Will the GDPR replace the DPA?
- 2.4 Will the GDPR affect cold calling?
- 2.5 Will the GDPR be delayed?
- 2.6 Will the GDPR happen?
- 2.7 Will the GDPR affect B2B?
- 2.8 When will the GDPR come into effect?
- 2.9 What does the GDPR mean for marketing?
- 2.10 What does the GDPR mean for companies?
- 2.11 What does the GDPR mean for HR?
- 2.12 Who does the GDPR apply to?
- 2.13 Are GDPR fines insurable?
- 2.14 How will the GDPR affect US companies?
- 2.15 How does the GDPR change the rules for research?
- 2.16 How does the GDPR affect data science?
- 2.17 How will the GDPR affect schools?
- 2.18 How will the GDPR disrupt Google and Facebook?
- 2.19 How will the GDPR affect recruitment?
- 2.20 How will the GDPR affect charities?
- 2.21 Why is the GDPR bad?
- 2.22 Why is the GDPR good for business?
- 3 How to Minimise the Impact of the GDPR on Your Business
- 3.1 Becoming Aware
- 3.2 Becoming Accountable
- 3.3 Communicating with Customers, Staff, and Service Users
- 3.4 Personal Privacy Rights
- 3.5 Will Access Requests Change?
- 3.6 What is Meant by Lawful Bases for Processing?
- 3.7 Using Customer Consent as a Basis to Process Data
- 3.8 Processing Children’s Data
- 3.9 Reporting Data Breaches
- 3.10 Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default
- 3.11 Data Protection Officers
- 3.12 International Organisations and the GDPR
In Plain English: Everything You Need to Know About the GDPR
We’ve seen how technology is disrupting industries both old and new: Uber and Lyft are disrupting transport, Netflix is disrupting how movies and TV shows are produced and consumed, and AI is threatening to disrupt every single industry in ways we never before thought possible. But technology also disrupts the laws and regulations implemented by countries, and the GDPR is designed to replace a directive that was modern when it was adopted but is no longer sufficient: Directive 95/46/EC (the Data Protection Directive).
The General Data Protection Regulation is, obviously, centred around data protection, but it doesn’t regulate all data protection. Instead, it is focused on the personal data of individuals, specifically individuals residing in any EU member state. It updates existing – and introduces new – regulations relating to the collection and processing of the personal data of any individual residing in any EU member state. And it doesn’t only apply to businesses and organisations with a physical presence in any EU member state. Businesses and organisations throughout the world will need to be compliant with the GDPR if they collect and process the personal data of any individuals residing in the EU.
The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions. Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.
It does this by first differentiating between personal data and sensitive personal data, with personal data being any information which makes it possible to identify an individual – either directly, or indirectly. It includes data such as names, identification numbers, location data, and online identifiers. Sensitive personal data also makes it possible to identify an individual, but through an expanded scope of specific factors, including elements of their physical appearance, physiology, genetics, mental health, economic, cultural, or social identity. The collection and processing of sensitive personal data is not allowed, except under very specific circumstances, with additional requirements in terms of data safety.
Next, the GDPR refines the principle of consent, requiring:
- The explicit consent of individuals.
- The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions.
- The ability for individuals to easily withdraw consent.
There are provisions within the GDPR for times when consent is not necessary, but these all relate to very specific lawful bases for collecting and processing personal data.
The GDPR then clarifies the rights of individuals in terms of their personal data, broken down as follows:
- The right to be informed, typically covered by your privacy notice. Detailed information regarding who is collecting and processing the personal data, along with how it will be used, must be freely available, and written in clear, plain language.
- The right of access. Individuals can request confirmation from you that their data is being processed. They can also request a copy of all their information that you hold, along with any supplementary information. It should be provided free of charge, and within one month of the request being made.
- The right to rectification. Individuals can request you to correct any incomplete or inaccurate information that you hold, with you then being responsible for passing the corrected information onto any third-parties you previously shared the data with.
- The right to erasure. This is not an absolute right to be forgotten, but rather a provision for individuals to request the deletion of their data by you when there is no longer a legitimate reason for you to continue processing it, or when they withdraw their consent.
- The right to restrict processing. Under certain circumstances, individuals can request that the further processing of their data be restricted. This is different from the right to erasure in that you are still permitted to store some personal data, just not process it further.
- The right to data portability allows individuals to obtain their data from you, and reuse it for their own purposes across other services. However, this only applies in circumstances where the individual provided a controller with their personal data, typically during the performance of a contract.
- The right to object. Unless you have compelling legitimate reasons to process an individual’s data, they retain the right to object to processing for a number of reasons.
- Rights in relation to automated decision making and profiling. The GDPR requires that safeguards be put in place for any automated processing and decision making, to minimise the risk of any damaging or adverse decisions being made without the possibility of human intervention, or the ability to seek an explanation.
The GDPR goes into great detail in relation to accountability and governance within businesses and organisations. This addresses matters such as:
- The implementation of measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintaining relevant documentation of all processing activities.
- Identifying whether your organisation is a data processor, a data controller, or both. You need to understand the purpose and requirements of these distinct roles in terms of the GDPR, and where appropriate, you may need to appoint a data protection officer.
- The implementation of measures that satisfy the principles of data protection by design, and data protection by default. This could include:
- data minimisation
- pseudonymisation or anonymisation of data
- the ability for individuals to monitor the processing of their data
- ongoing improvement of security features
Finally, the GDPR introduces new requirements for how personal data is processed to ensure security, along with requirements for how businesses and organisations need to respond to data breaches.
It is important to remember that the GDPR does not affect all businesses and organisations, only those who collect and/or process personal data, either of their clients, or on behalf of another organisation. If you don’t collect or process any personal data of individuals, you have nothing to worry about. And if you do, the primary matter you should be concerned about is ensuring that you are fully compliant with the requirements of the GDPR. The GDPR should in no way prevent your business from continuing to operate. It may force you to change some of your processes, making some tasks more difficult to perform, but it never makes it impossible to operate.
The heavy fines possible under the GDPR are not meant to harm businesses, but rather to serve as a deterrent against relevant businesses and organisations from ignoring the regulations, and putting the personal data of individuals at risk.
But as with any new regulation, we will have to wait until it is enforced, and new case law established, to ascertain any true material impact on organisations, and individuals, and whether or not this will change over time.
Big Questions About the General Data Protection Regulation
Will the GDPR affect me?
The short answer is, yes. As an individual, the GDPR prescribes when and how organisations and companies can process or control any personally identifiable data relating to you. And if you are part of an organisation or business that processes or controls personal data of any EU individual, the GDPR prescribes when you may do this, and how you should do this. That means that the GDPR doesn’t only apply to businesses and organisations with a physical presence in any EU member state, but also those that offer goods or services to citizens of any EU member state, even if they have no physical presence in the EU.
Will the GDPR apply after Brexit?
The GDPR will still apply after Brexit, because the GDPR is designed to regulate how any business or organisation processes and controls the personal data of any EU citizen, regardless of where the business or organisation is based. Additionally, the UK Data Protection Bill was introduced to the House of Lords on 13 September 2017. The Data Protection Bill replaces the Data Protection Act, and it not only ensures implementation of GDPR standards when it comes to data processing and control, but also governs UK specific requirements. This includes agreed modifications in areas such as academic research, financial services and child protection.
Will the GDPR replace the DPA?
Yes, and no. In the short term, the General Data Protection Regulation (GDPR) does replace the Data Protection Act of 1998 (DPA). But Britain is also preparing for Brexit, and while the GDPR regulates the protection of data of any EU citizen, after Brexit there will be a need to regulate the data protection of UK citizens too. The UK Data Protection Bill was introduced in 2017, and comes into effect in May 2018. The bill applies the same standards as the GDPR, while clarifying the context of some GDPR definitions within a UK context.
The Data Protection Act 1998 (c 29) is a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system.
Will the GDPR affect cold calling?
The General Data Protection Regulation (GDPR) will most definitely affect all forms of cold calling, including cold email marketing. The GDPR sets a high standard for consent, placing an emphasis on leaving the individual (the prospect/customer) in control, and building trust and engagement.
Proper consent under the GDPR means the following:
- Consent must be explicit, and via a positive opt-in. This means you can no longer use consent by default, consent as a condition of sale or service, or even pre-ticked consent boxes on forms.
- Consent cannot be vague. The individual must give a specific statement of consent, while knowing what they are consenting to, and who they are giving consent to. If any third-party controllers will also be relying on the individual’s consent, they must be named.
- Consent should be separate from any other terms and conditions.
- Evidence of consent must be recorded and retained. This includes records of who, when, how, and what.
- It must be easy for individuals to withdraw consent, and they must be informed of how they can withdraw consent.
You should regularly review your records of consent, making sure nothing has changed in terms of the relationship, the processing of the data, or the purpose of the consent. Refresh as necessary.
Will the GDPR be delayed?
Any delay in the enforcement of the GDPR is highly unlikely. The GDPR was approved by the EU Parliament in 2016, with member states given two years to prepare for enforcement.
Will the GDPR happen?
The GDPR was approved by the EU Parliament in 2016, with enforcement coming into effect on 25 May 2018. Any delay in the enforcement of the GDPR is highly unlikely, with the prospect of Brexit also not offering any reprieve.
Will the GDPR affect B2B?
The GDPR specifically applies to individuals, so in the context of B2B relationships – existing and new – the impact of GDPR will depend on the contact information you use to communicate with your B2B clients. Whenever your contact information includes personal data, you would need to follow the regulations relating to explicit – and recorded – consent to opt-in. This would extend to also include regulations regarding data protection.
If, however, your records only include generic contact information (a contact number or email address with no name attached) you don’t necessarily have to record explicit consent, but you must make it easy for the company or organisation to opt-out, and keep a record of this.
When will the GDPR come into effect?
The GDPR was approved by the EU Parliament in 2016, with enforcement coming into effect on 25 May 2018. Any organisations found to be non-compliant after this date could face heavy fines.
What does the GDPR mean for marketing?
The GDPR is not a death knell for marketing; it is simply a way of regulating certain aspects of marketing. It doesn’t kill off direct marketing, it merely hands control of direct marketing to individuals. This means that marketers now need to ensure that they have explicit consent from individuals to market to them directly (be it via phone calls, email campaigns, or even direct mailing). It means marketers now need to inform individuals:
- Who will be marketing to them (company or organisation name). If any third-party controllers will also be using the individual’s personal data, they too must be named.
- How their personal information will be used, and what it will be used for.
- That they can opt-out at any time, while also explaining the process for opting out.
Marketers also need to understand that blanket consent is no longer allowed. Under the GDPR, individuals give consent for a specific campaign or purpose, and should that campaign or purpose change, they need to give consent again. If your customer gives consent to receive marketing communications relating to your range of lawn furniture, you cannot suddenly switch to marketing your new range of bathroom products to them.
What does the GDPR mean for companies?
Companies and organisations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location, need to be aware of the following:
- The GDPR clearly defines different roles for controllers and processors. Data processors carry out the actual processing of personal data, while data controllers specify why and how personal data is processed. Data controllers are also responsible for ensuring that data processors adhere to all the requirements of the GDPR.
- Some companies and organisations are also required to appoint a Data Protection Officer (DPO). The Article 29 Working Party has published separate guidelines on DPOs, along with some helpful FAQs.
- Companies and organisations are required to obtain – and record – an individual’s explicit consent for the personal data to be stored and used. They also need to explain to the individual how the personal data will be used.
- Data breaches that are likely to result in a risk to the rights and freedoms of individuals need to be reported to the relevant supervisory authority within 72 hours. When a data breach is likely to result in a high risk to the rights and freedoms of individuals, those affected need to be notified directly.
- Individuals have the right to request a copy of their personal data and supplementary information, as processed by any company or organisation. This allows individuals to be aware of, and to verify the lawfulness of the processing.
- The GDPR provides individuals with a right to erasure, sometimes referred to as a right to be forgotten. This allows individuals to request the deletion or removal of their personal data where there is no valid or compelling reason for it to continue being processed. The right is not absolute, and companies and organisations can refuse to delete data under certain circumstances.
- Data portability gives individuals the right to obtain and reuse their personal data across different services. This allows individuals to move, copy, or transfer their own personal data from one environment to another, for a number of reasons.
- While privacy by design has always been an implicit requirement of data protection, under the GDPR, companies and organisations are now obliged to implement measures to integrate data protection with data processing activities.
What does the GDPR mean for HR?
Article 6(1)(c) and (e) of the GDPR allow member states to introduce more specific provisions in terms of the lawful bases for processing personal data. At least one of six conditions must be met, with two specific conditions being that:
- “(c) processing is necessary for compliance with a legal obligation”;
- “(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
This suggests that processing the personal data of employees for certain legitimate HR operations does not require explicit consent. However, all other aspects of the GDPR in terms of personal data would still apply, including:
- How and what the data is used for.
- Privacy by design.
- Data portability and right to erasure.
- Use of personal data by third-parties.
Who does the GDPR apply to?
The GDPR applies to all companies and organisations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location. This means the regulations are enforceable on any business, even those with no physical presence in any EU member state.
Are GDPR fines insurable?
There is no definitive answer to this question yet, but the current view of brokers is that fines relating to the GDPR are unlikely to be insurable. And with fines of up to 4 percent of a company’s annual global turnover being possible, any non-compliance with the GDPR can end up being very costly to any organisation. Proper guidance will only be possible once the new legislation comes into effect, and new case law has been established. However, specialist cyber insurance policies could cover the costs associated with a data breach, such as compensation claims, legal costs, notification and reputation management, etc.
How will the GDPR affect US companies?
The GDPR applies to all companies and organisations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location. As such, US companies – and companies in other countries around the world – are still expected to comply with the new regulations if any of the personal data they collect and process is that of a resident of an EU member state. This remains true even if the company does not have any physical presence in any EU member state. While the GDPR is unlikely to affect a small florist in Rock Springs, Wyoming, any business – US based, or other – collecting and processing personal data of EU residents will need to put measures in place in order to comply with the GDPR. This includes, amongst others, ensuring:
- Explicit, recorded consent to collect and process the personal data of the individual.
- A clear explanation of how the data will be used, and what it will be used for.
- Privacy by design, along with compliance relating to data breaches.
- Support for data portability and right to erasure.
- Compliance with the GDPR requirements for the use of personal data by third-parties.
Many businesses are used to using landing pages and newsletter subscription forms to build out their customer database. Under the GDPR, this will no longer be acceptable when it comes to the personal data of EU residents, because blanket consent is no longer allowed. The GDPR only recognises explicit consent being given for a specific purpose, which must be stated when the individual gives consent. If an EU resident signs up for your weekly email newsletter, they will be giving explicit consent to receive just that: a weekly email newsletter. You cannot later switch to sending them daily deals via email, because they did not consent to that. Whenever the purpose of collecting and processing personal data changes, new consent must be given.
How does the GDPR change the rules for research?
The GDPR makes provision for organisations that collect and process personal data for research purposes, though we will have to wait until the GDPR is enforced to see whether these are sufficient, or whether they have been too loosely interpreted. The GDPR allows for the collecting and processing of personal data without consent, but only for specified lawful purposes. In terms of research, Article 9 of the GDPR makes specific mention of health, social care, scientific research, and historical research. What would still apply in all cases are the requirements in terms of data protection, privacy, and data breaches, which are less stringent when the data has been anonymised to such a degree that data subjects are no longer identifiable.
How does the GDPR affect data science?
The key areas within data science that will be impacted by the GDPR include:
- The ability to collect data. Consent – and being informed of why the data is being collected, and how it will be processed – are important considerations here. The provisions for the lawful bases for processing data do have specific requirements that won’t apply in all circumstances, or to all organisations.
- The ability to use data. Where consent has been granted, it is important to remember that the consent applies to the data being processed as originally communicated to individuals. If the purpose of collecting and processing changes, new consent must be given. At the same time, individuals have the right to block processing, object to processing, and the right to erasure, which can impact, or limit, the results of data science-related processing.
- The ability to transfer data to and from third-parties. The GDPR places restrictions on how and when data is transferred to countries outside the EU, and to international organisations. This will impact data scientists’ ability to source and share data.
- Automated customer profiling and decision making has built-in safeguards for individuals, allowing them to request – in certain circumstances – a human intervention, and an explanation of the decision.
- Requirements in storing data. Data protection and privacy by design are core principles of the GDPR, and while these are less stringent where the data is so anonymised that individual identification is impossible, the onus is still on the organisation to ensure that their anonymisation measures are sound.
How will the GDPR affect schools?
Schools and school administrators need to be aware of the following:
- Parental consent is required for the processing of personal data for children under the age of 16. The age requirement drops to 13 years under the UK Data Protection Bill.
- The GDPR recognises material differences between personal data and sensitive personal data, stating that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”, with provisions for specific circumstances where this would still be allowed. Schools should refer to Article 9 for further details.
- Data that permits identification must be kept for no longer than is necessary for the purposes for which the data was originally collected and processed. Exemptions apply only in terms of archival and statistical purposes.
- Marketing is only permissible when explicit consent has been given and recorded, and only in terms of what was originally consented to. The process to opt-out must be simple, and clearly explained.
- All individual rights as outlined in the GDPR still apply.
How will the GDPR disrupt Google and Facebook?
Both Google and Facebook rely on the extensive collection and processing of the personal data of their users. Some of this data is volunteered when signing up for Google or Facebook services, but some is also collected through tracking, both through the platforms and through connected services. This is then used not only to improve the user experience, but also to create detailed profiles for personalisation and advertising purposes. And under the GDPR, this is problematic. For one, except when it comes to select lawful purposes, any collection and processing of data can only happen following explicit consent being given. And blanket consent is not allowed: whenever an individual gives consent, it is for a specific purpose or reason.
This means that both Google and Facebook – and any similar services – will need to present users with multiple opt-in dialogues, with each one linked to a specific purpose that is clearly communicated. Opt-in cannot be pre-selected, and it also cannot be conditional to the continued use of the service. At the same time, individuals must be able to opt-out (revoke consent) at any point.
While there is little doubt that any organisation as large as Google and Facebook will be able to comply with as little impact on individuals as possible, this does not mean there won’t be any impact on the business model. Both platforms use the vast amounts of personal data they collect to build detailed profiles, allowing advertisers to accurately target specific demographics, etc., and with individuals now able to opt-out of this, the robustness of Google’s and Facebook’s audience profiles could be affected.
Other aspects of the GDPR that will have an impact on Google and Facebook include data portability, sharing of data with third-parties, the right to erasure, and right of access, among others. Google already makes provision for the right to erasure and the right of access, but these may need to be adjusted to comply with the specific requirements of the GDPR.
Of course, the true impact of the GDPR on businesses like Google and Facebook will only be evident once the regulations have been enforced for several months.
How will the GDPR affect recruitment?
As with marketing, the GDPR does not sound the death knell of recruitment agencies, especially if they are already compliant with the soon-to-be-replaced Data Protection Act. The GDPR has been compiled in such a way that many of the regulations apply almost uniformly to a number of industries, with little room for deviation. What recruiters should specifically be aware of, over and above all the other individual rights, includes:
- New consent must be given by individuals for each separate processing activity involving their personal data. Blanket or vague consent is not acceptable.
- Whenever any candidate’s details match the requirements for a position they did not specifically apply for, they must first be contacted, given details of the position, and asked to give consent for their details to be put forward.
- There must be safeguards in place for any automated decision-making processes, with these safeguards designed to protect candidates from the risk of any damaging decisions.
How will the GDPR affect charities?
The GDPR sets a high standard for consent, placing an emphasis on leaving the individual (the prospect/customer/donor) in control, and building trust and engagement.
Proper consent under the GDPR means the following:
- Consent must be explicit, and via a positive opt-in. This means you can no longer use consent by default, consent as a condition of sale or service, or even pre-ticked consent boxes on forms.
- Consent cannot be vague. The individual must give a specific statement of consent, while knowing what they are consenting to, and who they are giving consent to. If any third-party controllers will also be relying on the individual’s consent, they must be named.
- Consent should be separate from any other terms and conditions.
- Evidence of consent must be recorded and retained. This includes records of who, when, how, and what.
- It must be easy for individuals to withdraw consent, and they must be informed of how they can withdraw consent.
- You should regularly review your records of consent, making sure nothing has changed in terms of the relationship, the processing of the data, or the purpose of the consent. Refresh as necessary.
Charities and other organisations that have previously relied on implied consent, or consent by default (pre-ticked boxes, etc.), will need to update their donor/customer databases by seeking explicit, recorded consent to continue processing the personal data of individuals who reside in any EU member state. Many charities also rely on volunteers, so they will need to ensure that all volunteers are also knowledgeable about all the relevant portions of the GDPR which affect their operations.
Why is the GDPR bad?
While compliance with the GDPR does bring with it preparations that are – admittedly – taxing on any business or organisation, along with the risk of crippling fines, the regulations are not inherently bad. By giving individuals greater control and protection of their personal data, the GDPR brings with it opportunities for organisations to build greater trust with their customers. The GDPR can also be seen as clarifying, simplifying, and streamlining regulations that previously existed, meaning that currently compliant organisations only have to make some adjustments to remain compliant with the new regulations. We will, unfortunately, have to wait until the regulations are enforced, and new case law established, to ascertain any true material impact on organisations, and individuals, and whether or not this will change over time.
Why is the GDPR good for business?
The GDPR gives organisations an opportunity to build greater trust with their customers, and that is always positive. For many organisations it is also an opportunity to clean up their marketing and sales databases: not only updating personal data, but ensuring the databases contain only individuals who are still active and still interested in your products or services. It also prompts organisations to look at how they collect and process data with fresh eyes, identifying avenues for marketing and sales growth that did not exist before or were simply overlooked. As with any new regulation, though, the true material impact on organisations and individuals will only become clear once it is enforced and case law is established.
How to Minimise the Impact of the GDPR on Your Business
There is an African proverb that is particularly apt to the GDPR and your business:
The best way to eat the elephant standing in your path is to cut it up into little pieces.
And the best way to minimise the impact of the General Data Protection Regulation on your business is to break the compliance requirements into smaller tasks.
The Information Commissioner’s Office (ICO) in the UK has put together a comprehensive GDPR guide, which includes an online checklist for both data controllers and data processors. The ICO also offers up 12 steps businesses and organisations can take now, to prepare for the GDPR.
Becoming Aware
The first step is fairly obvious, and involves ensuring that all relevant employees and contractors are aware of the GDPR, and what is required of them and the organisation in order to be compliant.
Becoming Accountable
Accountability starts with a full data audit, and depending on the size of your organisation, and the amount of personal data you hold, a data audit will be one of the biggest tasks you need to accomplish ahead of GDPR enforcement. It is also one of the most important tasks.
Your data audit should see you compiling a full inventory of all personal data you hold, and answering the following questions in relation to each record:
- How did you collect the personal data? Was it given to you by the individual, and if so, how? Or was it collected by other means?
- Why did you originally collect the personal data? What was the original purpose? Was it through a newsletter signup, a request for more information on a specific product/service, through the individual creating an online account (either to shop online, or for some other purpose)?
- Why are you still processing the data, and for how much longer will you continue processing it? If you no longer have a legitimate reason for processing, you shouldn’t be holding onto the data.
- Is the data secure? Consider both encryption and access control: the data should be accessible only to people who need it for the stated purpose and who understand the GDPR requirements for processing it.
- Has the data ever been shared with any third parties? If so, do you have evidence on record that they are compliant with the GDPR, and does the individual know that their data has been shared, with whom, and for what purposes?
The GDPR doesn’t only require organisations to be able to demonstrate the ways in which they comply with data processing requirements, in many instances it requires documentation to support this. Again, the ICO website has a brief checklist helping organisations identify shortcomings in the way they ask for, record, and manage consent.
Communicating with Customers, Staff, and Service Users
Compliance with the GDPR will also depend on your organisation updating all privacy notices, or adding privacy notices if they aren’t already in place. When considering or updating privacy notices, it is important to do a proper assessment of how you collect data, acknowledging that – in addition to traditional forms of data collection – this could now also be any one, or a combination, of the following:
- observed, by tracking people online or by smart devices;
- derived from combining other data sets; or
- inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.
Privacy notices need to be concise, written in plain language, and easily accessible. The GDPR also expects organisations to include specific information in privacy notices, with slight variations depending on whether data is collected directly from individuals or not. The image below summarises this.
Personal Privacy Rights
Re-assess all your procedures relating to the collection and processing of personal data to ensure they make provision for all the individual rights entrenched by the GDPR. Consider the following:
- Who in your organisation will make decisions relating to requests for erasure? The right to erasure is not absolute, and under very specific circumstances, organisations can refuse to comply.
- How long will it take your organisation to respond to individuals' requests for copies of their personal information, corrections, and/or deletion?
- How will you ensure that corrections and/or deletions are updated across all locations, and with third-parties where applicable?
- Will you be able to comply with the provisions relating to access and data portability requests? Specifically the ability to provide data electronically, and in commonly used formats?
Will Access Requests Change?
The GDPR requires access requests to be processed and responded to without undue delay, and at the latest within one month of receiving the request (this can be extended by a further two months where requests are complex or numerous, provided the individual is told within the first month). Requests won't only be made for copies of the personal data being held, but also for additional information, such as confirmation that their data is being processed, along with supplementary information similar to what should be covered by your privacy policies: how the data is being collected, for what purposes, whether it is being shared with anyone, etc. Further to this, you will also be dealing with deletion requests and requests to correct personal information. Review your current processes for all of this to see whether they are sufficient, both as internal processes and in terms of complying with the GDPR.
What is Meant by Lawful Bases for Processing?
While the GDPR places a heavy emphasis on individual consent, consent is only one of the lawful bases it recognises for processing personal data; the others include performance of a contract, compliance with a legal obligation, and the legitimate interests of the controller. Review all the ways in which you collect and process personal information to establish what the lawful basis is for each. This is necessary both for your privacy policies and for confirming whether or not consent is actually required.
Using Customer Consent as a Basis to Process Data
The GDPR expects consent to be ‘freely given, specific, informed and unambiguous’. Individuals must be aware that they are giving consent, exactly what they are consenting to, and it cannot be forced as a condition of sale or service. Review all the ways in which you collect and process data, and that require consent. Address the following:
- Keep any requests for consent separate from your terms and conditions. Update your terms and conditions to remove any mention of consent as a condition of sale or service.
- If consent is given by means of individuals checking a box – either on a printed form, or online form – ensure that they are all unchecked by default.
- Ensure that your CRMs and databases are equipped to include a record of consent. This should specifically record who consented, when they consented (date and time), how they consented, and what they were told.
- If you collect data via online forms, consider using services such as MailChimp, which allow for double opt-in confirmation, and record the date and time of each submission.
- Ensure that your systems also make it easy for individuals to withdraw their consent.
At the same time, it is necessary to review all existing consent ahead of GDPR enforcement to ensure it meets the required standard.
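The checklist above (separate consent requests, no pre-ticked boxes, a record of who/when/how/what, double opt-in, easy withdrawal, and periodic review of existing consent) maps naturally onto a small consent store. The following is an added example written for this guide; it is not code from the original article or from any mailing-list product. The field names, the confirmation-token flow, and the 24-month review interval are assumptions chosen for the illustration, and the subject used in `demo()` is constructed.

```python
"""Consent records with double opt-in, withdrawal and periodic review.

Added example, not taken from the original guide or from any named
product. Field names, the confirmation-token flow and the 24-month
review interval are assumptions chosen for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import secrets

REVIEW_INTERVAL = timedelta(days=730)   # assumed review cycle (about two years)


@dataclass
class ConsentRecord:
    subject_id: str                       # who consented
    purpose: str                          # what they consented to
    method: str                           # how: "web_form", "paper_form", ...
    wording: str                          # what they were told, verbatim
    requested_at: datetime                # when the box was ticked (UTC)
    confirm_token: Optional[str] = None   # pending double opt-in while set
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        """Consent counts only once confirmed and not yet withdrawn."""
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock                # injectable for deterministic tests
        self._records: list[ConsentRecord] = []

    def request(self, subject_id, purpose, method, wording, pre_ticked=False) -> ConsentRecord:
        """Record an unconfirmed request. Refuse consent 'given' by default."""
        if pre_ticked:
            raise ValueError("a pre-ticked box is not an affirmative act")
        rec = ConsentRecord(subject_id, purpose, method, wording,
                            self._clock(), confirm_token=secrets.token_urlsafe(16))
        self._records.append(rec)
        return rec

    def confirm(self, token: str) -> bool:
        """Second step of double opt-in: the link in the confirmation e-mail."""
        for rec in self._records:
            if rec.confirm_token is not None and secrets.compare_digest(rec.confirm_token, token):
                rec.confirmed_at = self._clock()
                rec.confirm_token = None   # single use
                return True
        return False

    def withdraw(self, subject_id: str, purpose: str) -> int:
        """Keep the record, stamped with the withdrawal time, as evidence."""
        n = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = self._clock()
                rec.confirm_token = None
                n += 1
        return n

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before every processing operation that relies on consent."""
        return any(r.active and r.subject_id == subject_id and r.purpose == purpose
                   for r in self._records)

    def due_for_review(self) -> list[ConsentRecord]:
        """Active consents older than the review interval: refresh or stop."""
        cutoff = self._clock() - REVIEW_INTERVAL
        return [r for r in self._records if r.active and r.confirmed_at <= cutoff]


def demo() -> dict:
    """Walk one constructed subject through the lifecycle with a fixed clock."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    now = [t0]
    store = ConsentStore(clock=lambda: now[0])
    rec = store.request("alice@example.com", "newsletter", "web_form",
                        "Tick this box to receive our monthly newsletter by e-mail")
    before_confirm = store.has_consent("alice@example.com", "newsletter")
    bad_token = store.confirm("not-a-real-token")
    token = rec.confirm_token
    good_token = store.confirm(token)
    after_confirm = store.has_consent("alice@example.com", "newsletter")
    now[0] = t0 + timedelta(days=800)          # two years and a bit later
    review = [r.subject_id for r in store.due_for_review()]
    withdrawn = store.withdraw("alice@example.com", "newsletter")
    after_withdraw = store.has_consent("alice@example.com", "newsletter")
    try:
        store.request("bob@example.com", "newsletter", "web_form", "...", pre_ticked=True)
        rejected_pre_ticked = False
    except ValueError:
        rejected_pre_ticked = True
    return {"before_confirm": before_confirm, "bad_token": bad_token, "good_token": good_token,
            "after_confirm": after_confirm, "review": review, "withdrawn": withdrawn,
            "after_withdraw": after_withdraw, "rejected_pre_ticked": rejected_pre_ticked}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter more than the field list. First, `has_consent()` is false until the confirmation token is used, so a form submission alone never turns on processing. Second, withdrawal does not delete the record: the who/when/how/what stays on file together with the withdrawal time, which is the evidence you would need to show a supervisory authority.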
Processing Children’s Data
If you collect and process the data of children under the age of 16 (member states may set a lower threshold, down to 13), you may need to revise your current systems to introduce measures for verifying the age of individuals, and for obtaining parental or guardian consent for the processing.
Reporting Data Breaches
Check and/or implement proper procedures to detect, investigate, and report data breaches. Under the GDPR, organisations are required to report certain types of personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to individuals' rights and freedoms, the affected individuals must also be notified. Failure to comply can result in severe fines being imposed on organisations.
Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default
While these have always been good practice in terms of data processing, the GDPR now makes data protection by design and default a requirement, with DPIAs being mandatory for any organisation involved in high-risk data processing. Over and above your privacy policies, you should also look at the following:
- The use of data encryption, pseudonymisation and/or anonymisation.
- The sharing of data. Look at what is being shared, what the purpose of the sharing is, and who it is being shared with. Is the data being shared securely, and is the organisation it is being shared with also fully compliant with GDPR requirements?
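"Pseudonymisation" is often implemented as an unkeyed hash of the identifier, which does not protect anyone: an e-mail address space is small enough to enumerate, so a third party can recompute the hashes and re-identify the rows. The following added example (written for this guide, not code from the original article) contrasts that with a keyed HMAC whose key is held apart from the shared data set. The sample records and the candidate e-mail list are constructed for the demonstration.

```python
"""Pseudonymisation: why an unkeyed hash is not enough.

Added example, not from the original guide. The sample records and the
candidate e-mail list are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: a marketing table that is to be shared with a
# third party without directly identifying anyone.
RECORDS = [
    {"email": "Alice@Example.com", "segment": "newsletter", "opens": 12},
    {"email": "bob@example.com", "segment": "trial", "opens": 3},
]

# Constructed list a recipient could plausibly assemble (leaked lists,
# company directories, name patterns). For e-mail addresses the search
# space is small enough that an unkeyed hash offers no real protection.
CANDIDATE_EMAILS = ["carol@example.com", "alice@example.com",
                    "bob@example.com", "dave@example.com"]


def normalise(email: str) -> str:
    """Canonicalise so the same person always maps to the same pseudonym."""
    return email.strip().lower()


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret kept apart from the data set. Without the
    key the token cannot be recomputed, so a dictionary attack fails."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates, pseudonymise) -> Optional[str]:
    """Re-identify a token by recomputing it for every candidate identity.
    `pseudonymise` is whatever function the attacker is able to run."""
    for cand in candidates:
        if hmac.compare_digest(pseudonymise(cand), token):
            return normalise(cand)
    return None


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier with a keyed token and keep the rest.
    The key, which is not stored with the output, is the 'additional
    information' that lets only the controller re-identify a row."""
    return [{**{k: v for k, v in r.items() if k != "email"},
             "subject_token": keyed_pseudonym(r["email"], key)} for r in records]


def demo() -> dict:
    key = secrets.token_bytes(32)           # held by the controller, separately
    attacker_key = secrets.token_bytes(32)  # a recipient's guess at the key
    alice = RECORDS[0]["email"]
    naive = naive_pseudonym(alice)
    keyed = keyed_pseudonym(alice, key)
    out = pseudonymise_records(RECORDS, key)
    return {
        "naive_reidentified": dictionary_attack(naive, CANDIDATE_EMAILS, naive_pseudonym),
        "keyed_reidentified_without_key": dictionary_attack(
            keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, attacker_key)),
        "keyed_reidentified_with_key": dictionary_attack(
            keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, key)),
        "output_has_email": any("email" in r for r in out),
        "tokens_distinct": len({r["subject_token"] for r in out}) == len(out),
        "case_insensitive": keyed_pseudonym("ALICE@example.com", key) == keyed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Keep the HMAC key out of the shared data set and out of the recipient's environment; if the key travels with the data, the result is no better than the naive hash. Rotating the key breaks linkability across old and new exports, which is sometimes what you want for a one-off share and sometimes not, so decide that before you export. Pseudonymised data is still personal data under the GDPR because the controller can re-identify it; only discarding the key (and any other re-identification route) moves it towards anonymisation.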
Data Protection Officers
Not all organisations will be required to appoint data protection officers, but you should familiarise yourself with these requirements, and respond as appropriate.
International Organisations and the GDPR
The GDPR applies to all companies and organisations that collect and process the personal data of individuals residing in any EU member state, even if the company or organisation has no physical presence in the EU. Each EU member state has its own Data Protection Authority, but international organisations can work with a single Lead Supervisory Authority (LSA) when it comes to data protection and other elements of the GDPR.