GDPR – the General Data Protection Regulation – applies from next month, on 25 May 2018.
Because it protects individuals rather than markets, it covers what we in the UK do with the personal data of people in the EU, so it will remain important even after Brexit. Failure to comply carries a hefty potential penalty. While few businesses are likely to be hit with the maximum fine (€20 million or 4% of global annual turnover, whichever is higher), even fewer are ready to deal with the legislation.
Our recent survey of Vistage members revealed that only 9% of their businesses are fully compliant. 75% were at least working on it, but only 5% understood that their supply chain partners would also have to provide proof of compliance.
Too many of us haven’t understood the full impact of GDPR, and aren’t on the right track to compliance. Are you?
The following guidance is based on the Data Protection Network’s 10-point compliance model. It does not constitute legal advice. If you are uncertain about your legal responsibilities regarding GDPR, Vistage recommends contacting a specialist consultant.
If your organisation creates data profiles of consumers for analysis, segmentation or predictive modelling, you need to inform your consumers that these activities are taking place. In particular, they have the right of objection to profiling for direct marketing purposes, so you need to offer them a clear way to opt out.
Individual data subjects have rights to access their data, to have it erased, to have inaccurate data rectified, and to have it transferred to another provider in a machine-readable form (data portability). They also have a right to be informed about what you do with their data, which GDPR insists must be done in a concise, transparent, intelligible and easily accessible manner, in clear and plain language.
Small print or an obscure privacy notice on a single page of your website are not going to do the job. It’s worth building notices on what you’re asking for and what you’re going to do with it into all of your communications, both online and off. Get into the habit of explaining your activities and requesting consent.
GDPR specifically highlights the requirement for organisations to demonstrate that they take data governance seriously (the accountability principle). You need someone who can ensure that staff training is delivered, that compliance is built into daily operations, and that individuals’ enhanced rights are handled competently. A formal Data Protection Officer is mandatory only for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data; everyone else still needs a named person who owns this responsibility, and for most businesses the simplest answer is to appoint a DPO anyway.
Privacy policies are an integral part of GDPR. They can’t afford to be a dense wall of tiny legalese that you rely on no consumer bothering to read. They’re consumer-facing documents which inform customers what data you’re collecting, how you’re using it, and how they can opt out. The Direct Marketing Association offers a case study and a series of plain English guidelines targeted at low reading age, to show how this should be done.
A Data Protection Impact Assessment (DPIA) helps identify and minimise the data protection risks involved in a project. It’s mandatory for any processing that’s likely to result in a high risk to individuals’ rights and freedoms, such as large-scale profiling or systematic monitoring. In addition to offering a screening checklist to help decide whether your project fits the bill, the ICO also recommends conducting a DPIA for any major project that involves processing personal data.
A data controller is anyone who determines what data is going to be processed, and for what purpose; a data processor is anyone who does that processing on the controller’s behalf. If you outsource any part of your data processing, you need to ensure your processing firm is GDPR-compliant, and revise your contracts accordingly: GDPR requires a written contract with each processor that sets out the subject matter and duration of the processing, the processor’s security obligations, its duty to assist you with data subject requests and breaches, and what happens to the data when the contract ends.
GDPR imposes a breach regime on controllers and processors, requiring data to be adequately protected against loss, theft and unauthorised access. A processor must report any breach to its controller without undue delay. The controller must report a breach to the supervisory authority (in the UK, that’s the Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must notify the affected individuals themselves where the breach is likely to result in a high risk to their rights and freedoms. Your staff will need briefing on how to identify, contain and escalate data breaches, and you will need a documented process so that the 72-hour clock is met.
Thanks to GDPR, your contact database will need to be extended. It will now need to record the most recent status of consent for each subject’s first- and third-party personal data, along with when and how that consent was obtained, since you must be able to demonstrate it. Have they agreed to let you hold their data, or their business’s, or both? It will also need to track and manage opt-outs or unsubscribes for each channel of activity – telephone, mail, email, and so on – so that records of consent are visible in one place and a withdrawal is honoured as easily as the consent was given.
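The record-keeping described above is easier to get right if consent is stored as an append-only log rather than a single yes/no flag that gets overwritten. The following is an added illustration, not code from Vistage or the Data Protection Network: a small consent ledger with per-channel status, an audit history, default deny when no record exists, and latest-timestamp-wins ordering so that a late-arriving opt-out dated earlier than a later consent does not silently override it. All names (`ConsentLedger`, `ConsentEvent`, the channel strings) and the sample subjects are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision for one subject on one channel (constructed schema)."""
    subject_id: str
    channel: str            # e.g. "email", "telephone", "post"
    granted: bool           # True = opted in, False = opted out / unsubscribed
    recorded_at: datetime   # must be timezone-aware so events can be ordered safely
    source: str             # where it came from: "web-form", "unsubscribe-link", "dsar", ...


class ConsentLedger:
    """Append-only ledger: the history is the audit trail, the latest event is the status."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        # Refuse naive timestamps: comparing naive and aware datetimes raises, and
        # a silently mis-ordered opt-out is exactly the failure we want to avoid.
        if ev.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(ev)

    def status(self, subject_id: str, channel: str) -> Optional[ConsentEvent]:
        """Current status for a subject/channel: the event with the latest timestamp."""
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.channel == channel]
        if not matches:
            return None
        return max(matches, key=lambda e: e.recorded_at)

    def may_contact(self, subject_id: str, channel: str) -> bool:
        """Default deny: no record means no consent."""
        ev = self.status(subject_id, channel)
        return ev is not None and ev.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full audit trail for one subject, oldest first (useful for access requests)."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)

    def opt_out_all(self, subject_id: str, when: datetime, source: str) -> List[str]:
        """Withdraw consent on every channel the ledger knows for this subject.

        Returns the channels affected, so the caller can confirm the withdrawal.
        """
        channels = sorted({e.channel for e in self._events if e.subject_id == subject_id})
        for ch in channels:
            self.record(ConsentEvent(subject_id, ch, False, when, source))
        return channels


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data illustrating the cases a practitioner must handle."""
    utc = timezone.utc
    ledger = ConsentLedger()
    # alice consents to email, then unsubscribes; consents to telephone separately.
    ledger.record(ConsentEvent("alice", "email", True, datetime(2018, 4, 1, tzinfo=utc), "web-form"))
    ledger.record(ConsentEvent("alice", "email", False, datetime(2018, 4, 10, tzinfo=utc), "unsubscribe-link"))
    ledger.record(ConsentEvent("alice", "telephone", True, datetime(2018, 4, 5, tzinfo=utc), "call-centre"))
    # bob: an opt-out dated 2 April is ingested AFTER a consent dated 3 April.
    # Insertion order must not win; the later-dated consent is the current status.
    ledger.record(ConsentEvent("bob", "email", True, datetime(2018, 4, 3, tzinfo=utc), "web-form"))
    ledger.record(ConsentEvent("bob", "email", False, datetime(2018, 4, 2, tzinfo=utc), "batch-import"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for subject, channel in [("alice", "email"), ("alice", "telephone"),
                             ("bob", "email"), ("carol", "email")]:
        print(f"{subject:6} {channel:10} may contact: {ledger.may_contact(subject, channel)}")
```

The design choice worth noting is that nothing is ever deleted or overwritten: an unsubscribe is a new event, not a cleared flag, so you can later show the ICO or the individual exactly when consent was given and when it was withdrawn. In a production system the same idea applies per purpose (marketing, profiling, analytics) as well as per channel.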
While GDPR mostly emphasises data protection practice, security does play a role. Controllers and processors are required to implement ‘appropriate technical and organisational measures’, taking into account the state of the art, the costs of implementation, and the nature, scope and risk of the processing. GDPR names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of those measures as examples. In practical terms, this means whoever owns data protection needs to keep up with current cyber security practice and make improvements to perimeter controls, encryption and access control if your current systems are past their best.
Once the infrastructure is in place and your consumers understand what’s changing and why they’re being asked these questions, it’s time to secure their consent for your operations to continue. This does apply to B2B companies, although the legal basis for B2B marketing is often different (legitimate interests rather than consent, with the separate PECR rules still governing electronic marketing). The ICO has provided in-depth guidance on what does and doesn’t require consent. Bear in mind that GDPR consent must be freely given, specific, informed and as easy to withdraw as to give, so where another lawful basis genuinely applies it may be the better fit; where consent is the right basis, securing it properly is the clearest way to demonstrate best practice.
If we had to sum up GDPR in one (tired) phrase, it’d be ‘better safe than sorry’. By introducing a formal Data Protection Officer role with clear responsibilities based on the above activities, you’ll be able to identify where you’re currently falling short, and where your current practice will do fine with some small changes.
GDPR doesn’t have to be the end of the world, but it does demand that you reconsider everything your business does in a new, citizen-facing light.