The Big GDPR Guide
Updated 26th March 2018 – 10 Minute Read
Unless you have been living in a cave for the past 12 months, you will be fully aware of the upcoming changes regarding data protection. Under a new name, the General Data Protection Regulation, or GDPR to everyone else, comes into effect in May 2018. The 25th May 2018, to be more specific.
This post has been designed to signpost readers to relevant information and opinions regarding the upcoming GDPR. We are by no means GDPR consultants, experts or even superheroes. Having read a couple of blog articles, we also don’t claim to sell this as one of our ‘new core services’. Hopefully, this post will provide some valuable links and spark a discussion on how the upcoming GDPR rules could affect your organisation in 6 months.
Quick Recap – What is GDPR?
The General Data Protection Regulation has been brought in to increase the protection of everyone’s data. This means that any organisation that holds personal information about you will have to meet a series of minimum standards here in the UK. Who needs to comply? Any organisation that processes personal data, but the guidance below is aimed at those who have day-to-day responsibility for data protection within an organisation.
The Information Commissioner’s Office has a comprehensive ‘living’ website that outlines most of what is contained in the GDPR: the ICO website.
“latest research from the DMA finds 15% of businesses still don’t have a plan in place.”
That 15% figure is quite alarming considering there are only six months to go until the 25th May deadline. However, it’s not quite the time to push the panic button, but it is undoubtedly the time to begin the discussions regarding everything related to data within your organisation.
The new regulation has been put forward to help increase the security and protection of all of our data. The current Data Protection Act was conceived in 1998, years before Facebook, Twitter, iPhones, Snapchat and online shopping as we know it became the fabric of everyday life in 2017. So understandably, the 1998 act wasn’t entirely cutting it.
As of the 25th May, your business must:
- Appoint a data protection officer where the regulation requires one (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
- Report personal data breaches within defined timeframes (to the ICO within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to individuals, and to the affected individuals without undue delay where the risk is high)
- Outline the purpose for which the data is being collected
- Secure personal data using appropriate technical and organisational measures
- Obtain, and be able to demonstrate, freely given consent when relying on consent to collect user data
- Create clear and transparent policies and procedures
Consumers/Customers will be able to:
- Request that their data be permanently erased (the right to erasure)
- Request that certain data be transferred to them or to another provider (the right to data portability)
Questions your organisation needs to be considering right now:
- What data do you currently hold on your customers/clients?
- Where is the data held?
- How is this data managed?
- Who has access to the data?
And for those that fall foul of the GDPR, there will be a fine of up to €20 million or 4% of your global annual turnover, whichever is higher.
What Constitutes a Personal Data Breach?
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
One of the main issues with the GDPR rules and regulations is the many grey areas that seem to exist. The ICO has put together an overview (link below) of the GDPR, what certain definitions mean to your business and the data you collect & hold on your customers.
The ICO website directly quotes Article 5 of the GDPR, which requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These six points seem okay at first glance, but when you look at point (c), that entire sentence is surely down to interpretation? Could an organisation argue that it needs all of the data it holds on an individual because it helps them provide the highest level of customer service, for example? (Probably not, but you can see many questions arising from this point.)
Businesses and GDPR: What do they need to do to be compliant?
“THEY NEED TO UNDERSTAND THERE IS NO GENERAL APPROACH APPLICABLE TO ALL COMPANIES.”
This opening quote from the recent interview carried out by We Live Security is perfect. There is no one-size-fits-all approach when it comes to GDPR.
Viewing GDPR as an Opportunity
Marketing Week has recently published an article that features an interview and commentary with Steve Forde, director of online product & marketing at ITV. This is one of the few articles we have read that looks at the GDPR changes as a positive for the organisation. ITV is a colossal beast, with many departments and segments making up the entire organisation. They collect huge amounts of data from a variety of sources, so they have been working hard on becoming GDPR compliant for the past 12 months.
“It’s always better to have someone opt in and say ‘hands in the air, I’ve seen it and I’d like to receive something from you’. They are then much more likely to be an active viewer and someone who opens your communications regularly.”
At the heart of this huge operation is simplicity. Viewers & customers don’t want to feel uneasy when they hand over their data to a business, so ITV is making sure that everything it communicates to its customers is written in plain English.
“All communication needs to be easy to understand. We’ll explain how we’ll be using data and how consumers can control it.”
Avoiding negative reviews/commentary can easily be achieved through clear messaging and leaving the consumer in control of their data. Simple opt-in/out options and not tricking users into being part of something they aren’t aware of are two quick and easy ways to maintain customer trust and loyalty.
Sky Bet has recently sent out an email to its customer base informing them of their current marketing preferences and asking each user to log in and update those preferences. This email was sent towards the end of March 2018, so the gambling firm is looking to get things sorted nice and early.
Halifax bank has contacted its customers with a link to a handy article that they have created which gives users more info on GDPR and how Halifax will be using their data. This is a nice approach as it will encourage users to understand GDPR in more detail and update their contact preferences in one go.
Articles Worth Reading
‘Platforms must deliver value instead of stealing our data’ – Via Digiday
‘Why the Facebook/Cambridge Analytica scandal is the perfect consumer storm ahead of GDPR’ – Via The Drum
‘Half of schools aren’t ready for GDPR data protection officer requirement’ – Via Schoolsweek
‘GDPR and The B2B Marketer: Ready or Not, Here I Come’ Via Forbes
‘People-Based Marketing & GDPR’ via Exchange Wire
Cutting Out The Crap
We really like this article over on the Econsultancy website, as it attempts to cut through the myriad of crap found online and does a very good job of breaking down some key definitions.
“What GDPR relates to, is being able to process data for the purposes of direct marketing, which includes storage, segmentation, profiling, matching, sending direct mail, making marketing phone calls and electronic marketing in the B2B sector.”
Understanding exactly which data the GDPR relates to, and how we can use it, is very important. Before we all analyse the data we could collect, we need to understand what data is currently being collected and how that data will be used moving forward.
If your existing consents don’t meet the GDPR standard (freely given, specific, informed and unambiguous, with a clear affirmative action), you will also need to get your existing customers to opt in again before relying on consent moving forward. This will require a trail of communications so that you can prove what information was given to the consumer and when they consented, and a double opt-in process is recommended as the standard. For the full article, visit the link below.
Six Lawful Grounds For Data Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
1) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3) Processing is necessary for compliance with a legal obligation to which the controller is subject;
4) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
GDPR Could Affect Up to 80% of Firms in the US
ComputerWeekly.com has recently posted an article that says almost 80% of US firms could fall foul of the new GDPR legislation and could receive large fines. The article focuses on a poll by HyTrust of 323 attendees at the recent VMworld 2017. A worrying 51% of respondents said that their organisation is either not concerned about GDPR or is unaware of its relevance to the business. GDPR applies to any organisation that holds the personal data of residents in the EU, even if the company is located elsewhere in the world, such as the US.
The number one element that can ensure a smooth(er) ride when preparing for GDPR is communication. Understanding what data you currently have, how you collect it and what you do with it should form the basis of your analysis. Speaking to every department and key stakeholder to understand what they use data for will help to uncover potential problems and ways in which they can be resolved. Now is the time to start planning and outlining how data will be obtained, stored and utilised within your organisation.
If you are looking for the full 88-page long GDPR regulation document – you can find it here (good luck).