Let’s start with the basics – what is the GDPR?
The General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA) on 25 May 2018. It provides a new data protection framework to cover the collection, processing and protection of personal data of people in the EU. The definition of ‘personal data’ is anything that can be used to directly or indirectly identify a person; this includes name, email address, an identification number, location data, online identifier & more. It will have an impact on all businesses as personal data includes business contacts as well as details of clients and staff. GDPR presents opportunities to review legacy processes and systems and improve customer relationships by being more transparent on how personal data is used. Not meeting the GDPR requirements could result in a fine of up to €20m or 4% of global turnover, whichever is the higher.
How will it affect businesses in terms of the customer data they already have, and how they go about collecting data in the future?
A business needs to have a legal basis for holding and using personal data. It can be one of the following: consent, contractual necessity, compliance with legal obligations, vital interests, public interest or legitimate interest. If you rely on consent for processing data – for email marketing for example – you need to have a record of when consent was given. As the use of ‘opt out’ boxes is no longer acceptable, you may find that the consent you currently have is not going to be applicable.
To collect data in the future, more details have to be given about what you plan to do with it. If you have a contact form on a website this will need to include details such as what processing will be done with the data, the legal basis for doing it, how long it will be retained and who it will be passed on to, if that is applicable. It is no longer valid to say something like ‘our carefully selected partners’, it must be more specific.
What about online advertisers – how will they be affected?
The use of profiling to deliver targeted advertising and track users needs to be reviewed. It is still valid to do this, but consent needs to be obtained and users need a way to easily remove this.
What should businesses do right now to start preparing?
A question that frequently comes up is ‘Does Brexit mean I don’t need to do anything?’. The answer is No. The Queen’s Speech on 21 June 2017 said the government would implement the GDPR, so you do need to take action.
The first step is to identify all the personal data you have, the legal basis for holding it, where it is stored (it should be within the EU) and how it is protected. Companies also need to understand the GDPR Principles and the rights of individuals, and map these against their business processes. Once that is done create a plan to address any gaps.
Companies may find they need a better Incident Management plan to meet the 72-hour deadline of informing the ICO if there is a data breach. The definition of a data breach is the ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. This means an incident could include deleting a file with personal data that cannot be restored, an unauthorised person reading personal information on paper left on a printer, or having the wrong access level defined for their computer login resulting in them having access to personal data they are not entitled to view.
Companies should also review how they would deal with a Subject Access Request. One of the rights of an individual is to ask for all the personal data you hold on them and why you have it. The DPA currently allows this, but under the GDPR you generally cannot charge the individual a fee and you only have a month to reply rather than 40 days under the DPA. Could your business cope if multiple people made requests within a short period of time?
What will the GDPR mean for website design & user experience?
Thought needs to be given to areas of a page where content is determined through the use of profiling. If a user has not consented to this being done, will the page be shown, and if it is, then what is going to take up the space used for ads? Contact and sign up forms will need to be reworked to show the additional information needed at the point of collection. And don’t forget apps: the same rules concerning collecting and processing personal data apply to them.
Ian Grey is founder of WADIFF Consulting – experts in information & cyber security with over 25 years’ experience. If you’d like to learn more about what they do, visit their site here.