1. What is GDPR all about?
We live in a world of data, and people are cottoning on to the fact that this data is used for profit. What’s more, there have been a number of high-profile breaches in recent years in which people’s personal and financial credentials have been stolen. To this end, the government is upgrading the original Data Protection Directive (est. October 1995) to protect the way individuals’ data is structured, recorded, analysed, monitored, profiled, stored and used.
The new regulation will apply to all who reside in the EU and to all who market to people in the European Union, including the UK, despite the government’s plans to leave the EU.
2. Why is it happening now?
According to recent reports, the UK currently ranks second for data breaches in the world with a total of 28m compromised data records in the first half of 2017 alone (a staggering 130% increase from last year), so it is no wonder that people no longer trust companies with their personal data.
Most recently, Yahoo’s data breach is likely to have affected all of its 3 billion email users, and one of the world’s biggest accountancy firms, Deloitte, suffered a cyber-attack which enabled hackers to access personal data belonging to its blue-chip clients. Other companies whose customers have been affected include Bupa, Wonga, Equifax, Three, Mumsnet, Tesco, Sports Direct and the government (most notably HMRC in 2007).
GDPR provides a fantastic opportunity for companies to work on rebuilding trust amongst existing and new customers as according to the European Commission, over 90% of Europeans want the same data protection rights across the EU, regardless of where their data is used and stored.
3. What does GDPR stand for?
Basically, the ball is being put firmly in the individuals’ court as they will truly decide on who can do what with their data and when. GDPR represents the following consumer rights:
- The right to be informed – consent wording has to be in clear and plain language and easily accessible
- The right of access – there will no longer be a £10 subject access fee
- The right to erasure – also known as ‘the right to be forgotten’ – requests to be deleted or removed from data lists and files must be done immediately
- The right to object – if a person rejects consent, then this must be honoured
- Rights in relation to automated decision making and profiling – this includes the right to require human intervention
- The right to accuracy – if an individual requests changes to their records these must be implemented
- The right to restrict processing – for instance, should a person wish to have their data used for email marketing only and not for direct mail or telemarketing, then this must be respected
- The right to data portability – allowing individuals to copy, transfer or move their personal data securely
4. What data is affected?
Any data that can identify an individual will need to have a consent form attached. In addition to traditional personal data (name, address, phone number, place of work, job title, financial transaction information, interests, etc.), any online identifiers such as IP addresses, and online community forum and social media profiles will require consent.
In addition, explicit consent must be acquired for processing any sensitive personal data such as demographic details, health, genetic and biometric data, sexual orientation, political views and opinions, religious or philosophical beliefs and trade union memberships.
5. How will it affect marketing?
Businesses must ensure that individuals are given the option to receive content and that the resulting decisions are respected. This means that in the run-up to GDPR coming into effect on 25th May 2018, and from then on, the consent given for all personal data, and the method by which it was given, must be recorded.
Basically, customers will decide whether or not they wish to receive e-newsletters, direct mail, etc., so businesses must be able to prove that affirmative consent has been given. The result of this is no more pre-ticked boxes and hidden terms and conditions.
GDPR affects manual and automated data use, and it is imperative that automated decisions do not concern a child or be based on processing of special categories of data (see sensitive personal data above). Also, all data subjects must be informed at the point of consent that their data may be used for profiling.
Although being able to persuade customers to share their data may pose a challenge, ultimately the data that businesses will collect moving forward would be of greater value and quality as the consent would have been better informed.
A true choice must be given to the customer. Delivering a service, selling a product or offering customers the chance to win a prize does not in itself constitute valid consent.
Consent to process, use and store data must be clear and distinguishable from other matters and be provided in an intelligible and easily accessible form, using clear and plain language. The right to be forgotten or to unsubscribe must also be as easy to request and confirm.
Here is an example of what a valid consent form would look like…
6. What must be done?
- You must update all data policies to cover websites, social media, email marketing, apps, digital platforms and any other online resources that are used to capture, process and store personal data.
- Enable consent recording functionality to be added to your data management processes – this includes being able to record when, what and how consent has been given, e.g. third-party marketing by email only.
- Ensure that all consent forms are kept on file, whether they are online, from telephone calls or by email
- Minimise risk of breaches and infringements by using double opt-in signup forms, imposing confidentiality processes and training all staff.
- Consider assigning a data control officer to oversee that all necessary steps are taken and actioned to ensure compliance, and to support the process by obtaining approval from any relevant data protection authorities as required.
- For existing data records, give customers the chance to decide whether or not they would like to update their details and contact preferences in order to remain on data lists. Return or destroy data where required.
- For new business enquiries, offer the option to opt-in by including a consent form upon initial contact or at the point of sale.
- Ensure that any external data processors have responsibly updated their own records and are GDPR compliant.
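One way to implement the consent recording described above (when, what and how consent was given, double opt-in, per-channel restriction and withdrawal), as an added Python example that is not from the original post; the class, field and channel names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import secrets

# Assumed marketing channels a data subject can consent to separately.
CHANNELS = {"email", "direct_mail", "telemarketing"}

@dataclass
class ConsentRecord:
    subject: str                        # who gave consent (e.g. email address)
    channels: frozenset                 # what was consented to
    method: str                         # how: "web_form", "phone", "email"
    wording: str                        # the exact consent text shown
    given_at: datetime                  # when the first opt-in step happened
    token: str                          # double opt-in token, secret until used
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self.records: list[ConsentRecord] = []

    def request(self, subject, channels, method, wording, preticked=False):
        # A pre-ticked box is not a valid consent signal, so refuse to record it.
        if preticked:
            raise ValueError("pre-ticked boxes do not constitute consent")
        unknown = set(channels) - CHANNELS
        if unknown:
            raise ValueError(f"unknown channels: {unknown}")
        rec = ConsentRecord(subject, frozenset(channels), method, wording,
                            datetime.now(timezone.utc), secrets.token_urlsafe(16))
        self.records.append(rec)
        return rec.token  # sent to the subject to complete double opt-in

    def confirm(self, token):
        # Second opt-in step: only the token holder can confirm, and only once.
        for rec in self.records:
            if rec.confirmed_at is None and secrets.compare_digest(rec.token, token):
                rec.confirmed_at = datetime.now(timezone.utc)
                return True
        return False

    def withdraw(self, subject):
        # Right to object / right to be forgotten: honoured immediately for all records.
        now = datetime.now(timezone.utc)
        for rec in self.records:
            if rec.subject == subject and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def may_contact(self, subject, channel):
        # Only confirmed, unwithdrawn consent that covers this channel permits contact.
        return any(rec.subject == subject and channel in rec.channels
                   and rec.confirmed_at is not None and rec.withdrawn_at is None
                   for rec in self.records)
```

Because every record keeps the wording shown, the method and the timestamps, the ledger itself is the evidence of consent that the post says businesses must be able to produce.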
7. What if I don’t comply?
After 25th May 2018, any organisation that infringes GDPR can be fined up to €20 million or 4% of annual global turnover (whichever is greater). As well as fines, there are also penalties such as temporary or permanent bans, audits and warnings. Business owners must also consider that any regulatory action would be publicised, which would further affect brand reputation.
8. Is there anything else that can be done?
In addition to updating your business’s own data protection policies and obtaining consent, it is imperative to safeguard your company’s servers on an ongoing basis by providing IT departments with the resources required to mitigate cyber-attacks. For instance, the well-documented data hack at TalkTalk in October 2015 is a prime example of the financial and reputational impact that a data breach can have on a business.
9. What’s next for data protection in the UK?
The GDPR legislation is still in development, with any additional changes being made until the final date of 25th May 2018 – so make sure you keep up-to-date with our blog and sign up to the ICO for announcements too.
As part of the government’s overall data protection framework there are plans to replace the current Act with a Data Protection Bill in 2018, which will cover any data processing areas not within GDPR and will implement the Law Enforcement Directive, in order to ensure that there will be no loopholes in the UK’s data protection regime.