If you were not aware, Europe is set for its biggest data protection shake-up in 20 years. From May this year, the General Data Protection Regulation (GDPR) devised two years ago will be enforced. It replaces the EU-wide 1995 Data Protection Directive and the UK’s own 1998 Data Protection Act (which is heavily based on the former).
Why is this happening? GDPR has been established to protect people. As the economy has become more and more digitised, the level of personal information available online has increased. This has made, and continues to make, customers vulnerable to hackers and thieves, who can use and abuse this information for their own profit. Furthermore, companies have become accustomed to collecting large amounts of unnecessary data for their own benefit - simply because they can. With these factors in mind, the core principle of GDPR is to specify how personal data should be used and protected.
The Information Commissioner’s Office, the UK body responsible for enforcing these changes, has assured that these changes are “evolution, not revolution” and that businesses should not be scared of them. However, they certainly should be aware of them. Failure to comply can result in fines of €20m or 4% of annual turnover, whichever is greater. Restaurant chain Wetherspoons went as far as deleting hundreds of thousands of customer emails to avoid any risk of penalisation. It decided that the marketing value the emails possessed did not match the cost of effective compliance in the face of GDPR.
This blog therefore aims to offer guidance, outlining the essential requirements of GDPR, the effects they might have, and providing a 12-step guide that all businesses can follow.
Personal information/data - Any information that can be used to identify an individual. This could be a name, date of birth or even an IP address. This may refer to customers, employees, clients and more.
Controller - An entity that decides how and why personal data is used or will be used.
Processor - The designated entity that processes the data on behalf of the controller. The term processing equates to obtaining, recording, adapting or holding any personal data.
The essential requirements of GDPR can be split into 7 main areas:
- Consent: Companies must obtain consent in order to process personal data, unless they have legal or legitimate reasons to do so. This consent cannot be hidden in undecipherable legalese within the Terms and Conditions, and withdrawing consent must be as easy as giving it.
- Breach Notification: If a company suffers a security breach, they must inform their controllers, their customers and the ICO within 72 hours or face penalisation. FCA/EEA regulated firms should also consider their obligations under PSD2 relating to incident reporting.
- Right to Access: Previously, data controllers could charge £10 to supply customers with a copy of all information held on them. Now, all companies must provide a free electronic copy of said information within a month of it being requested.
- Right to be Forgotten: Customers have the right to request their data be deleted without undue delay if they no longer want it to be processed - barring firms that are required to retain records for legal purposes.
- Data Portability: Customers have the right to take the information companies have collected on them and transfer it to other IT environments. For example, banking customers have the right to take their banking data and transfer it to a third party price comparison website.
- Privacy by Design: Under GDPR, businesses have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This prevents firms from attempting to bolt on these measures after building their product or service and encountering difficulty.
- Data Protection Officers: Companies that process personal information and have more than 250 employees must employ specific Data Protection Officers (DPOs). Existing employees may be able to take this role, though for some companies additional staff may be required. Smaller firms are also required to have DPOs if they process data on a large scale.
For large businesses, GDPR may appear worrying, with the potential requirements of new staff, changes in business protocols and the possibility of crippling fines. But GDPR will also bring benefits to companies. Stronger data regulation will make it harder for security to be breached, which can cause huge amounts of negative publicity (as seen with Uber and Equifax in recent years, among many others). Speaking more generally, the restrictions on unnecessarily collecting data change the way firms do business, making them more transparent and thus also improving their image.
As for the fines, the ICO have stated that "We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways. But we've always preferred the carrot to the stick."
However, what is a far greater cause for concern is the effect this may have on small businesses. It is important to stress that GDPR is not just for big corporates. If you’re a small shop that has a list of customer emails, for example, these regulations still affect you.
For these reasons Paybase argues that it is vital for all businesses that hold personal data, large or small, to not fear or avoid GDPR but embrace it. Following these steps, provided by the ICO, can help your business be ready for GDPR without unnecessary additional costs.
- Awareness. You should make sure that decision makers and key people in your organisation are aware that GDPR is becoming law. They need to appreciate the impact this is likely to have.
  - Paybase tip! Present the information to the Board, but also provide a training session to the whole company to make sure everyone is aware of their responsibilities.
- Information you hold. You should document what personal data you hold, where it came from and who you share it with.
- Communicating your privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  - Paybase tip! Given the extent of the changes under GDPR, it’s likely that most firms will need to alter their privacy notices. Your policy may be dependent on your suppliers, who may also be updating their policies, so revising this should be one of the first things you do!
- Individual’s rights. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests. You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  - Paybase tip! Create a diagram for your customers explaining how their data is used and make it public. This will deter unnecessary data requests.
- Lawful basis for processing personal data. You should identify the lawful basis for your processing activity under GDPR, document it and explain it in your privacy notice update.
- Consent. You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children. You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  - Paybase tip! Share helpful articles (such as this one!) with all employees to educate them. For more specifically relevant training, involve the in-house/external expert.
- Data Protection Officers. You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International. If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
  - Paybase tip! Don’t just think about where your organisation operates, but where your third party partners operate as well. Take an inventory of all personal data flows to third parties to determine if any of your data leaves the EEA. If it does, you may need to introduce additional controls and standards, which should be established with the third party.
Following these steps should enable you to cover GDPR and go about your business as usual, but if you are still unclear, there is a wealth of information on the topic available online. Paybase believes that GDPR will ultimately be beneficial for both consumers and businesses, offering greater protection, transparency and security for all!