This ‘yet-another-blog-post-about-GDPR’ blog post attempts to rule out the myth from the fact and highlight the key points to consider for getting on the road to compliance.
So, first, let’s recap on the What and the Why, the When and Where. Then we’ll try and tackle the How.
What: GDPR (General Data Protection Regulation) replaces The Data Protection Act of 1998. Its purpose is for the protection and privacy of personal data, and the individual rights of EU citizens.
Why: We live in a data-rich world, and the 1998 Act is out of date with today’s new ways of processing and using data. It will force businesses to be more careful with, and accountable for, people’s personal information.
When: The regulation comes into force on 25th May 2018. But now is the time to start putting things in place to become compliant.
Where (and Who): GDPR will affect every business who owns, processes and/or uses personal data of any individual within the EU. This includes businesses outside of the EU if they own, process and/or use personal data of people within the EU.
And now for the big question – How?
Ok, let’s try and get this into 6 bitesize chunks. (I tried 5, just for the aesthetics of the thing, but it definitely needs 6. At least it’s an even number which satisfies my Libran mind.)
1. Explicit Consent
The key word here is ‘explicit’. It is not enough to have a simple ‘opt-in’ check box on contact forms any more, you need to tell people what you’ll be contacting them about, how often and in what format.
An example: Company A offers four key services. The CRM system identifies if a customer is associated with service 1, 2, 3 or 4, yet offers and promotions are happily sent out to the full mailing list for all services. Under GDPR, individual opt-in consent – and individual opt-out – would need to be obtained.
You should also not assume that because a contact on your mailing list has not yet opted out, they therefore give their consent to be contacted by you. But under the eyes of GDPR, not opting out is not Explicit Consent.
If you don’t think you have explicit consent from the contacts on your database, all is not lost. You can still send an invitation out before 25th May to request consent – don’t forget to be explicit (have I mentioned that word enough?)
Double opt-in is not mandatory by the way. I’ve seen this crop up in a few documents and blogs, but it’s a myth!
2. The right to be forgotten
Individuals have the right to request complete erasure of their personal information. There are two considerations here; first, businesses have to make it easy for individuals to request sight of what data you hold about them, how you use it and if you share it with anybody else (internally or externally).
Second, if they request their details are removed, you have to remove it completely. Out of any and every database – CRM, email distribution software, the fulfilment house you use for managing your mailshots, the Chairman’s laptop because he likes to keep a copy of everything…
You may well be investigated if you accidentally send communication to an unsubscribed recipient. So think about how you will manage this process; keeping data in one single place, without any copies in existence is one way to maintain control.
3. Relevance and Accuracy
This is actually a good excuse for a good old data cleanse. Rather like clearing out the loft, it’s not exactly a job to look forward to, but just think how satisfied you’ll feel afterwards!
Relevance – only collect and store data you actually need. If you don’t need to know a person’s date of birth, religious beliefs or sexual orientation, don’t ask for it. Yes it might help you build a picture of your typical customer demographic, but if you can’t prove this information is a legitimate business need, you may well be in breach of GDPR. And with a maximum fine of €20m (or 4% of global turnover), it might not be worth the risk.
Accuracy – email addresses, telephone numbers, job titles change all the time. Spend the time between now and 25th May to get your existing data up to date and then have a policy in place which states how often you will check its accuracy.
4. Data sharing
Keep sharing to a minimum. Best practice would be to have one central location, password protected and only accessible by people who actually need access.
An example: you receive an enquiry from your website contact form. Your website requests the individual’s name, email address, phone number and a message. It arrives into the business through a generic email address monitored by two members of staff; one of whom assesses the message and forwards it to the relevant department for processing/responding to. The manager of that department passes it to a member of his/her team to handle.
The person who submitted the contact form, in all innocence, now has their personal contact information on at least four machines, and quite possibly several mobile devices which are synched to email accounts.
This process would not conform to the ‘Privacy by Design’ stipulation under GDPR. A better approach would be to store the data in the website database itself which can be accessed via the password-protected CMS.
5. Data Storage
This point relates to the length of time we can keep data rather than how and where we actually store it.
The answer is there is no maximum time period. GDPR only states that an organisation must decide, based on its own legitimate business needs, as to how long is too long.
So as part of your new Data Policy, you must state how long you will retain an individual’s data for, and you must have a process in place that deals with this once that time period is reached. It doesn’t necessarily need to be for a number of years; for example, your policy might be that you remove a data subject after 12 months of no-engagement.
6. Data Protection Officer
Appointment of a DPO is mandatory if you are a public authority or an organisation dealing with data on a ‘large scale’. (I have yet to find the definition of ‘large scale’ so we’ll have to use our imagination for the time-being).
It’s best practice to appoint a DPO if you do not fall into one of these categories though. Especially if you distribute regular marketing campaigns and/or monitor online behaviour through Google Analytics (or similar; other analytic platforms are available).
The DPO can be an existing member of staff, a new recruit or an external resource. A word of advice is not to underestimate this role and tag it on to a junior member of staff’s job description. It should be considered as a senior position, because this person is responsible for an organisation’s compliance with GDPR.
I hope you are now thoroughly clued up on GDPR and will rush forth and comply.
Or perhaps you are just thoroughly exhausted.
Unfortunately GDPR is not black and white. There’s a considerable amount of grey in the middle. But I hope, at least, you have something to start with. And if you’re still confused, give me a call, and we can weep together.