The General Data Protection Regulation (GDPR), with its threat of fines of up to 4% of annual global turnover or €20m, whichever is higher, came into force on 25 May 2018. But one survey suggests that 85% of EU and US companies won't have met the deadline, and that 26% will still be non-compliant at the end of 2018. Are you compliant with GDPR? Read our essential GDPR checklist to find out.
Changes to the law
If you are not sure, there is a goldmine of free information and advice on the Information Commissioner's Office (ICO) website. First, you need to know how GDPR differs from the old Data Protection Act 1998 (DPA):
- Coverage: GDPR applies to any business processing the personal data of people in the EU, wherever that business is based, not just to European ones. It covers both controllers and processors, so a call centre handling data on a client's behalf is as liable for inappropriate use or storage as the client that engaged it, and cloud providers aren't exempt!
- Consent: consent must be sought in plain language, making clear why the data is being collected and who it will be shared with. It must be given by a clear affirmative action (no pre-ticked boxes or silence), it covers only the purposes stated, and withdrawing it must be as easy as giving it.
- Subject rights: on request, a subject's data must be provided free of charge within one month, rather than within 40 days for a fee under the DPA, and where it was supplied under consent or contract it must be available in a commonly used, machine-readable format so it can be transferred elsewhere. Subjects can also require erasure where consent is withdrawn and no other lawful basis applies, or where the data is no longer needed for the purpose it was collected for.
- Breaches: a breach likely to put individuals' rights at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and the affected subjects must be told without undue delay where that risk is high. The report must describe the likely consequences, give the contact details of the Data Protection Officer (DPO) or another point of contact, and summarise the measures being taken. Affected subjects can claim compensation for damage suffered.
- Responsibilities: data protection must be built into system design from the start and applied by default. Collect and use only the data you need, limit who can access it, keep it accurate and secure, and don't retain it longer than necessary.
- DPOs: under the DPA, organisations simply notified the ICO that they were processing personal data, and the detail of what was required was set by local law. GDPR instead requires a DPO with expert knowledge (and no conflict of interests) for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. A DPO isn't essential for every company, but it's a good idea, so that one person is in charge of dealing with compliance.
Avoiding a fine
Remember, the ICO isn’t out to get you. Elizabeth Denham, head of the ICO, explains, “The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime. Do they have a commitment to the regime? We’re not going to be looking at perfection, we’re going to be looking for commitment.”
She stresses that the maximum fines will only apply where there is evidence of "serious, sustained harm to individuals" or refusal to comply. So, if you aren't ready, don't panic. There's no need to spend a fortune getting advice on how to comply: ask the ICO for help. Remember, establishing a lawful basis for using data is half the battle.
Document everything as you go along, as this can act as proof that you took GDPR and data protection seriously. Your documentation should include any changes you’ve made to data storage; any changes made to consent forms online, as well as terms and conditions; and any information you have on why you’re allowed to contact customers, and whether you’re relying on consent or not.
Consent is the thing… or is it?
There's been massive confusion over the importance and practicalities of consent, which hasn't been lessened by watching the big players. Facebook has asked users for fresh, specific permission to use facial recognition, while Twitter and Yahoo have told customers that continuing to use their products will constitute consent. So who's right?
Toni Vitale, of law firm Winckworth Sherwood, clarifies, “Businesses are not required to automatically ‘re-paper’ or refresh all existing 1998 Act consents in preparation for the GDPR. The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interests and legitimate interests.”
So, if consent is the basis you need and your records show you already have it, you don't need to seek it again unless you're planning to use the data in a different way to that originally specified. Facebook is right to seek consent, since facial recognition is a new purpose that customers haven't given permission for; Yahoo and Twitter are also right not to ask for fresh consent for old purposes, although "continuing to use the service" would not itself meet the GDPR standard for consent, so for those purposes they need to be relying on another lawful basis, such as contract. If you never had consent, emailing contacts now to ask for it is itself unsolicited marketing and unlawful; the ICO has already fined companies for doing exactly that.
But do examine the other lawful bases. Processing a customer's card details to take a payment they've asked for doesn't need consent, because it's necessary to perform the contract with them. Legitimate interests is a separate basis and often makes a lot of sense, but it requires you to weigh your interest against the individual's rights and reasonable expectations, and to record that assessment. Under certain circumstances, emailing an existing customer could be a legitimate interest, bearing in mind that electronic marketing to individuals is separately governed by the Privacy and Electronic Communications Regulations (PECR), which still require consent or the "soft opt-in" for existing customers. Whatever you rely on, evaluate your reasons for communicating with customers or processing data and record that reasoning in your documentation.
If in doubt, wipe questionable contacts from the database – but there’s a silver lining if your list shrinks.
Carrot and stick
A customer list exists to be sold to. Contacts who opt out probably weren't going to buy your products anyway, while those who opt in are serious prospective buyers. Plus, Capgemini's research indicates that 39% of customers are likely to spend more, and transact more frequently, with companies that protect their data.
“Executives now have a great chance to use GDPR to create a customer-first privacy strategy. That business opportunity is significant,” said Willem de Paepe, Capgemini’s Global GDPR leader. “Beyond gaining consumer confidence and increased spending, knowing exactly what data is held allows firms to use analytics more effectively and improve operations.”
So, what now?
Demonstrate your willingness to keep data safe. Appoint a DPO, or at least someone accountable for data protection, and if you're not sure which areas of the law the ICO prioritises, ask them, then target those first.
Before you contact customers, be prepared to legally justify the communication. Be sure staff understand their obligations and know exactly what to do if called on to delete data or demonstrate responsible processing.
Meanwhile, if you need subject consent, earn it. Be prepared to actively engage and take your customers with you into the brave new post-GDPR world.
ASUS has a range of servers that can help you meet your GDPR requirements by securely storing personal data locally.