By Nick Richards
Business owners will, I’m sure, be well aware that the EU’s General Data Protection Regulation (the GDPR) came into force on 25 May this year. The purpose of the regulation is to provide consistent data protection rules across all EU countries, and to take into account the impact that advances in technology have had on data protection. Prior to the GDPR each country had its own legislation (in our case the Data Protection Act 1998). Brexit will not substantially affect the need for UK companies to comply, as the new Data Protection Bill, currently going through the UK parliament, will largely mirror the GDPR when enacted.
There has been much scare-mongering around the introduction of the GDPR, so I thought I would try to dispel some of the fears.
Yes, it’s true that the Information Commissioner’s Office (ICO) has the power to impose fines of up to €20 million or 4% of a company’s global turnover, but such fines would be reserved for major, serious breaches where the “rights and freedoms” of individuals (probably a very large number of individuals) are seriously affected. Having said that, it’s important for all businesses to work towards compliance and it’s worth focusing on the key areas that could leave you most exposed.
The GDPR is all about protecting the personal information of all of us as individuals (data subjects) from being abused or breached, and giving us more control over our own data. The GDPR is very strong on ensuring companies document everything so they can demonstrate compliance, so if as a company you require consent from individuals for example, you must provide documentary evidence that such consent has been given.
As a result, out go pre-ticked boxes on websites which state that unless individuals untick it they are agreeing to receive all kinds of junk mail, or for their details to be sent to other companies. Now, individuals must give consent through a “clear affirmative act”. So, companies are now better advised to have empty tick-boxes that require the individual to tick the box in order to give their consent. Using multiple tick-boxes enables individuals to control what particular services/communications they wish to receive, so it’s important not to “bundle” consent.
However, in the words of Elizabeth Denham, the Information Commissioner, “consent is not the silver bullet”. Like me, you will doubtless have received an irritating number of emails recently from companies, stating that they need your consent, otherwise they will not be able to continue to send you special offers and the like. This has probably enabled you to ignore all of those you don’t want to hear from again, but as a result many companies have now lost touch with hundreds of their existing contacts – often unnecessarily. In reality, if as a company you have a database of existing customers, members, clients, or even prospects who have either traded with you or expressed interest in doing so, then you may well not require further consent.
There are in fact six “lawful bases” for processing data, and consent is just one option. For many companies, the most logical lawful basis for continuing to communicate with your customers is “legitimate interest”. If you can demonstrate that you have a legitimate interest (which can include a commercial interest) in staying in touch, then you can probably use this as your lawful basis, so long as your interests do not significantly outweigh those of the data subjects.
What you should do, however, is revise your privacy notice in order to ensure that it is GDPR-compliant, and direct your customers and contacts to it. You should also ensure that whenever you contact people you give them a clear and simple method of unsubscribing should they decide that they no longer wish to hear from you. You should also avoid sending them stuff that they would not reasonably expect you to send them.
Another key area of compliance is data security. This is partly a technical function but it also involves thinking about how you protect data on a practical day-to-day basis. The GDPR states that companies must take appropriate “technical and organisational measures” to protect data. Technical measures might include such initiatives as encryption, firewalls and the like. Ideally companies should consider accreditations such as ISO27001 or Cyber Essentials. Organisational measures might include, for example, a clear-desk policy, locking filing cabinets, office security and ensuring laptops are not left on the back seat of the car.
I’ve just scratched the surface by touching on a couple of key areas of the GDPR in this article. In reality, to be fully compliant there is a lot of work to do. As a business you must ensure that you map all of your data, that your staff are fully aware of the GDPR, that compliant (controller-processor) contracts are in place with all suppliers; you’ll need written procedures to deal with data breaches and data access requests. Additional procedures are required if you’re dealing with “special category data” and some companies are required to appoint a data protection officer.
A final point is that these regulations are, as well as being good for consumers, good for businesses (or at least for those that comply). All the processes and procedures that GDPR requires – knowing whom you can contact and for what purpose, having clear policies and looking after the data you hold – are what any organisation would regard as best practice. Thinking further ahead, if you’re looking to sell your business then demonstrating that these are in place will be an essential part of any due diligence.
The ICO website offers a range of articles, tools and resources that can help. Alternatively, you can contact me if you require further help or advice.