The General Data Protection Regulation (GDPR) comes into force on the 25th of May 2018. It is intended to protect EU citizens from the misuse of their Personal Data. The regulation is not affected by Brexit: UK businesses will need to handle all Personal Data in a manner that is compliant with the GDPR or face the consequences. There are many myths and misunderstandings circulating in the business world relating to elements of the GDPR such as fines, consent and its impact on marketing operations. Cosmetic Digital have partnered with a qualified GDPR Consultant to help you to navigate your journey to GDPR compliance.
What is GDPR?
The objectives of the GDPR are twofold: to protect the rights and freedoms of individuals in relation to the use of their Personal Data; and to create a framework that allows the safe and lawful sharing of data so that businesses can thrive.
You will have a client database of potentially sensitive personal information. This information will need to be handled in ways that are both compliant with the GDPR and in line with the expectations of your clients (the Data Subjects whose Personal Data it is). Businesses could face investigation and possibly financial penalties for the misuse or mismanagement of Personal Data, not to mention reputational damage. It is important to understand the impact that the GDPR will have on your business; the risks associated with that impact; and how these risks can be mitigated without greatly affecting your operation or your profitability.
The foundation of the GDPR is its 6 Principles.
The 6 Principles of GDPR
- Lawfulness, Fairness, & Transparency
There needs to be a Legal Basis to handle Personal Data. This could be the individual’s Consent, the Performance of a Contract, or another Legal Basis. There are six Legal Bases in total (Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests); the appropriate basis must be identified and documented for each purpose before processing begins, and it should not be swapped for another later without good reason. Personal Data must be handled in line with the individual’s reasonable expectations (as well as in a GDPR compliant manner), and the individual needs to be informed of how, why and even where their Personal Data is being used.
- Purpose Limitation
Personal Data can only be collected for specified, explicit purposes and can only be used for those purposes, or for a new purpose that is compatible with them. Re-using data collected for one purpose (for example, fulfilling an order) for an unrelated one (for example, marketing) is not permitted without a new Legal Basis.
- Data Minimisation
Only the Personal Data that is required and relevant to the Purpose should be collected, handled and used. Personal Data should not be collected or kept ‘just in case’.
- Accuracy
Personal Data held must be accurate and, where necessary, kept up to date. Processes need to be put in place that will allow individuals to update their Personal Data or request that changes are made when necessary.
- Storage Limitation
Once collected, Personal Data can only be kept for a specified, limited amount of time before it is deleted or reviewed. The GDPR does not state what these time limits might be, businesses must define and justify their own.
- Integrity & Confidentiality
Personal Data that is collected from individuals must be kept safe. Steps must be taken to protect it from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access from both accidental and deliberate causes. These steps will include technological and organisational measures.
What does this mean for your business?
Businesses need to prepare. All employees should be made aware of what the GDPR is and, more importantly, what it means to them, what it means to your business and what it means to your clients. A senior member of staff within your business should take responsibility for your compliance with the GDPR. Your journey to compliance begins with audits and reviews of current policies and processes. These can be developed into a roadmap. This roadmap highlights the actions required to make each policy and process GDPR compliant, and from this a compliance plan can be created, implemented and regularly reviewed. Businesses must bear in mind that in some circumstances the GDPR will not operate in isolation: other legal requirements may affect the decisions that are made along the journey to compliance.
The GDPR will be law across all EU Member States very soon. It will affect your business in four main areas where you hold Personal Data for one reason or another:
- Human Resources – you collect, store and use your employees’ Personal Data on a daily basis and share it when necessary. For example, many small businesses outsource their payroll and share data monthly with the provider of that service; others who pay their employees directly share information with HMRC for taxation purposes – all this sharing must be done in a GDPR compliant manner.
- Client Details – you collect, store and use your Clients’ Personal Data, some of which is very sensitive information (what the GDPR calls Special Categories of Personal Data, such as health data). Your Clients expect you to treat their data with integrity, and compliance with the GDPR ensures that this is the case.
- Marketing Database – you may be marketing to people whose Personal Data you already hold. Marketing databases need to be reviewed to ensure that all the data they hold is handled in a manner that is GDPR compliant. This will mean being pro-active and not assuming that individuals wish to receive your marketing material.
- Suppliers – businesses that sell to your business often have a single point of contact or an account manager whom you contact regularly. This is fine but contact details can be Personal Data and, if this is the case, they need to be treated in a compliant manner.
Part of achieving GDPR Compliance is being able to show compliance. Documenting your GDPR compliance journey is strongly advised and records must be kept of what personal data you hold, why you hold it and how you will treat it during its lifecycle.
You will need to be fully transparent. When collecting any Personal Data from individuals the reason why must be provided as well as confirmation that their data will be handled in a GDPR compliant fashion, if it is to be shared with any other organisation, and what their rights are in relation to their Personal Data. You will also need to highlight how a complaint may be raised if they feel that their data is not being handled correctly.
The GDPR mandates that businesses create and document processes that are to be followed in the case of an individual invoking their Data Protection Rights (such as the Right to Request Erasure) as defined by the GDPR or in the case of a Data Breach.
The GDPR also brings about a change in how an individual requests access to their Personal Data. As of the 25th of May, businesses will no longer be able to charge individuals who make such a request (unless it is manifestly unfounded or excessive), and a response to the request must be provided within one month. That period can be extended by a further two months for complex or numerous requests, but the individual must be told about the extension, and why, within the first month. You will have to make sure that you have the processes in place to meet these requests and make sure that these processes are both effective and documented.
In the event of a Data Breach, having the appropriate procedures in place to detect, report, investigate and resolve the breach will stand you in good stead in any subsequent investigation. Note that a breach likely to result in a risk to individuals must be reported to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, so the internal procedure for escalating a suspected breach needs to be quick. Businesses attracting the attention of the ICO that have paid little or no attention to GDPR compliance can expect that the chances of being subject to an administrative fine will be greatly increased. The maximum fine that the ICO can levy against a non-compliant business is 4% of their annual global turnover or €20 million – whichever is greater!
How can I make my website GDPR compliant?
Many businesses use webforms to collect Personal Data such as names, physical addresses and email addresses, often so that a request for information can be fulfilled. When this data is collected the individual must be provided with a Privacy Notice that spells out the how, why and where their data will be handled and used. Providing this notice can take the form of a link to the document, however, this link needs to be easily accessible, prominent, and not difficult to find. The webform may require an opt-in or Consent tick-box to confirm that the individual wants to receive the information requested. There may also be a second opt-in or Consent tick-box where a newsletter or regular updates can be requested.
Under the GDPR, requests for Consent must be granular (a separate choice for each purpose), clear, unambiguous and require affirmative action from the individual. Using vague language, double negatives, pre-ticked boxes or assuming Consent from silence or inaction are all no longer allowed, and Consent should not be bundled into terms and conditions or made a condition of receiving a service that does not need it. Individuals must also understand the ramifications of withholding Consent, and Consent must be as easy to withdraw as it is to give. You must also be able to show who consented, when, how, and what they were told at the time. Consent for Special Categories of Personal Data requires what the GDPR calls Explicit Consent: an express statement from the individual (ideally in writing, so that it can be evidenced) rather than a tick in a box placed alongside other choices.
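The following is an added example, not code from the original article or from Cosmetic Digital, of how a webform handler can put these Consent rules into practice on the server side. It shows the weak pattern (a single "I agree" box that is treated as ticked unless the visitor unticks it) beside a hardened one that records one decision per purpose, treats anything other than an affirmative tick as "no", stores when the decision was made and which version of the Privacy Notice was shown, and makes withdrawal a single call. The form field names, the purposes and the notice version identifier are assumptions made for the example.

```python
"""Recording webform Consent so that it is granular, affirmative and evidenced.

Added example (not the article's or Cosmetic Digital's code). Field names,
purposes and the Privacy Notice version are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Mapping, Optional

# Constructed: one tick-box per purpose, so the visitor can say yes to one
# and no to the other (granular Consent).
PURPOSES = ("fulfil_request", "newsletter")
# Assumed identifier of the Privacy Notice version linked from the form; it is
# stored with each decision so you can later show what the visitor was told.
NOTICE_VERSION = "privacy-notice-v3"


@dataclass
class ConsentRecord:
    subject: str            # who (e.g. the e-mail address entered on the form)
    purpose: str            # what the data may be used for
    granted: bool           # the decision actually made on the form
    notice_version: str     # what they were shown when deciding
    recorded_at: str        # when (UTC, ISO 8601)
    withdrawn_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def weak_parse(form: Mapping[str, str]) -> Dict[str, bool]:
    """Anti-pattern: one pre-ticked 'agree' box covering every purpose.

    A browser only submits a checkbox when it is ticked, so this code treats a
    missing field as agreement, i.e. Consent from inaction, and it bundles the
    newsletter in with the information request.
    """
    agreed = form.get("agree", "on") == "on"
    return {purpose: agreed for purpose in PURPOSES}


def hardened_parse(form: Mapping[str, str]) -> Dict[str, bool]:
    """Only an affirmative tick counts; absent, empty or odd values mean 'no'.

    'on' is the value a browser submits for a ticked checkbox with no explicit
    value attribute; nothing else is accepted as Consent.
    """
    return {purpose: form.get(purpose) == "on" for purpose in PURPOSES}


def record_consent(store: List[ConsentRecord], subject: str,
                   form: Mapping[str, str]) -> Dict[str, bool]:
    """Store one record per purpose, including the 'no' decisions, so the
    audit trail shows what was asked as well as what was agreed."""
    decisions = hardened_parse(form)
    stamp = _now()
    for purpose, granted in decisions.items():
        store.append(ConsentRecord(subject, purpose, granted,
                                   NOTICE_VERSION, stamp))
    return decisions


def withdraw_consent(store: List[ConsentRecord], subject: str,
                     purpose: str) -> bool:
    """Withdrawal is as easy as giving Consent: one call, no conditions.
    Returns True if an active grant was withdrawn."""
    withdrawn = False
    for rec in store:
        if (rec.subject == subject and rec.purpose == purpose
                and rec.granted and rec.withdrawn_at is None):
            rec.withdrawn_at = _now()
            withdrawn = True
    return withdrawn


def has_consent(store: List[ConsentRecord], subject: str, purpose: str) -> bool:
    """Default is 'no'; only an un-withdrawn affirmative grant permits use."""
    return any(rec.subject == subject and rec.purpose == purpose
               and rec.granted and rec.withdrawn_at is None
               for rec in store)


if __name__ == "__main__":
    # Constructed submission: visitor ticked the information request only.
    submission = {"email": "visitor@example.com", "fulfil_request": "on"}
    print("weak    :", weak_parse(submission))       # newsletter wrongly True
    print("hardened:", hardened_parse(submission))   # newsletter False
    records: List[ConsentRecord] = []
    record_consent(records, submission["email"], submission)
    withdraw_consent(records, submission["email"], "fulfil_request")
    for rec in records:
        print(rec)
```

Keep the records for as long as you rely on the Consent they evidence (and note the Storage Limitation principle when deciding how long that is); the same `has_consent` check should gate every marketing send, not just the first one.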
The GDPR is a long and complex piece of legislation and a game-changer in the fields of Data Protection and Data Privacy. It will affect different businesses in different ways. Preparation is the key to reducing risk. Changes will be required to your process, policies, people and to much of the technology that supports your business.