The General Data Protection Regulation (GDPR): what to do now, and what the ePrivacy Directive means to you.
We work closely with Mark Gracey, GDPR expert local to Bournemouth and Dorset, from FLAVOURFY DIGITAL.
GDPR affects everyone. All individuals, all businesses in every sector. This includes B2B. Some in B2B mistakenly believe they are exempt. This is the B2B position:
Because of the Privacy and Electronic Communications Regulations (PECR), B2B marketing does not require GDPR-compliant consent, but it does require a facility for the data subject to opt out. However, the personal data of the individuals within those businesses is subject to all the other GDPR principles for processing (such as it being lawful, transparent, secure, etc.). The only exception to these rules is sole traders, who for data protection purposes should be treated not as businesses but as private individuals.
Practical GDPR – see our easy guide below
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
The GDPR becomes law on May 25th 2018. GDPR deals with the personal data of any living individual. Data about an individual in a business is personal data. Generic business data is not personal data. A sole trader's data is personal data.
GDPR affects everyone. All individuals, all businesses in every sector and every organisation, so if you have not acted already you need to now. Here is what GDPR is about and what to do.
The maximum fine is €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, for the most egregious contraventions.
What do you need to do?
- Appoint someone for data compliance
- Carry out an audit of data, systems and policies
- Document your approach to data protection and processing
- Put in place GDPR policies in your organisation
- Provide internal guidance and contact points for your business
- Train your staff
- Maintain compliance
- Keep up to date
Based on guidance from Mark Gracey from FLAVOURFY DIGITAL.
Many good practices carry forward from the Data Protection Act 1998 (DPA).
As a Chartered Marketer, Peter Eales supports the CIM’s Data Right Campaign, and we are organising events with compliance and legal expert on GDPR Mark Gracey from FLAVOURFY DIGITAL. We do not give specific legal advice, but as a Fellow of the CIM and IDM we can provide detailed information here on GDPR. We work across sectors: finance, charity, B2C and B2B.
Prepare, Know GDPR.
SO, First: What’s New? – The Changes
You need to get team, and especially senior management buy-in.
Data – Key Roles and Responsibilities
Data subject means an individual who is the subject of personal data.
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data processor – carries out specific tasks on behalf of the data controller. You are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. NB: the hundreds of staff “processing data” in, for instance, a bank are not data processors, whereas outsourced partners and cloud suppliers are.
The scope of GDPR is wider than previous legislation, in particular the Data Protection Directive 1995 and the 1998 Data Protection Act, giving living individuals more rights over their data and placing more obligations on data processors regarding that data.
The Data Protection Directive 1995 and the 1998 Data Protection Act did not refer to the words “children” and “age” at all. Not once. Under GDPR, the age of consent is now 16. GDPR does not define what a child is. Here is a helpful article on the topic by the LSE.
About your consent:
- It must be clear
- Demonstrate affirmative action
- Granular consent, i.e. consent for specific services
- A tick box for every specific action
- Be clear how to withdraw consent
- Written consent must be archived
- Aural consent is ok, but needs recording: specify exact time and details
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.
Processors should report breaches to Data Controllers. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
The ICO explains this as:
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
How can I demonstrate that I comply?
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - allowing individuals to monitor processing; and
  - creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
By Design – What is ‘privacy by design’?
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as an after-thought or ignored altogether.
Implementing the Process and Templates
For more detail on how to implement the whole GDPR process, there is an excellent guide for charities which is useful for all sectors on GDPR by Tim Turner here.
Getting into the GDPR Detail
Storing an Individual’s Data
In order to keep someone’s data or ask for it, you need to gain “consent” or have “legitimate interest”.
Should you hold an individual person’s data, and what is a reasonable time to hold it? Do you have a “legitimate interest”? You need to evidence why. What are the benefits for the individual? Note that GDPR is all about the individual taking control. It’s up to the customer to decide this. If a charity or business believes a given period of months or time makes sense, then this needs communicating to and agreeing with the customer. GDPR refers to this as: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”. Whatever it is you want to do – wealth screening, marketing, whatever else – must be necessary. The onus is on you as a business to make a case – not necessarily to prove it, but to make a compelling case that your data processing is necessary.
Above we list key points on consent. Here is the definition.
Under GDPR the definition of consent has been changed to:
“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed” (Articles 4 & 32).
Duration of GDPR Consent
How long does consent last? The ICO’s consent guidance says: “There is no set time limit for consent. How long it lasts will depend on the context.” There will be a right to be forgotten and have all data expunged, and a right to reach through to your suppliers who hold the individual’s data. Consent (opt-in) needs to be provable and recorded, e.g. with the individual’s IP address.
GDPR Consent for Specific Services
Establish Your Purposes
Write your purposes down, for example:
1. We want to maintain a list of people who have shown interest in our services and events, so that we can contact them and ask them to do so again.
2. We want to maintain a list of people who have explicitly told us that they don’t want us to contact them again.
3. We want to use (1) to research customers’ and prospects’ financial backgrounds using public sources, to work out what kind of approach to make to them.
4. We want to use (1) to research customers’ and prospects’ financial backgrounds, and we want to pay a company to do the research for us.
5. We want to buy data from a third party to make sure that (2) is up to date.
6. We want to buy data from a third party to create a list of people who have never subscribed with us previously, so that we can contact them and ask them to opt in for the first time.
7. We want to keep their information up to date.
Visit the Information Commissioner’s website here for a summary of what to do now, ready for the GDPR, which will apply in the UK from 25 May 2018.
Some Practical Steps to Implement GDPR in your Business
With one charity we work with we are doing the following:
- First ask: should you hold an individual person’s data, and what is a reasonable time to hold it? Do you have a “legitimate interest”? You need to evidence why. What are the benefits for the individual? Note that GDPR is all about the individual taking control. It’s up to the customer to decide this. If, as a charity or business, you believe a given period of months or time makes sense, then this needs communicating to and agreeing with the customer.
- Consent. How are you going to contact the individuals? Write or email to the person. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Individuals giving consent must be over 16 years of age. Special categories of data (race, health, genetic data) require explicit consent.
- Be clear about how their data is stored and used: be transparent, so the customer feels in control. They have a right to be forgotten.
- Don’t pressure people. Intelligent use of social media can complement the email or letter, but not persistent emails and letters.
- You need consent: a positive “yes, I want to remain on your database” for a reasonable period of time.
- Mandatory appointment of a Data Protection Officer. The other roles, Data Controller and Data Processors, have responsibilities for handling data, though these are less onerous in companies with under 250 people.
- As with the Data Protection Act and its policies, GDPR again requires you to be clear where data comes from and where it is then stored. A data life-cycle understanding is important: be clear what data you really need, when, and for how long, and ensure staff are clearly aware of the policy and processes needed for compliance.
The ICO website has an updated data protection toolkit for SMEs, including a new element focused on getting ready for GDPR. The checklist can help organisations assess their progress in preparing for GDPR.
Data Protection Assurance
Step 1: Data protection policy, responsibility and training
1.1 Policy – Your business has established an appropriate data protection policy.
1.2 Management responsibility – Your business has nominated a data protection lead.
1.3 Training and awareness – Your business provides data protection awareness training for all staff.
Step 2: Registration, privacy notices and subject access
2.2 Privacy notices – Your business has made privacy notices readily available to individuals.
2.3 Responding to subject access requests – Your business has established a process to recognise and respond to individuals’ requests to access their personal data.
Step 3: Data quality, accuracy and retention
3.1 Data quality and accuracy – Your business has established processes to ensure personal data is of sufficient quality to make decisions about individuals.
3.2 Retention and disposal – Your business has established a process to routinely dispose of personal data that is no longer required in line with agreed timescales.
Step 4: Security
4.1 Security policy – Your business has established an information security policy supported by appropriate security measures.
Your business ensures an adequate level of protection for any personal data processed by others on your behalf or transferred outside the European Economic Area.
Step 5: Privacy impact assessments
Your business has established a process to ensure new projects or initiatives are privacy-proofed at the planning stage.
Background to the GDPR and what the ePrivacy Directive means for your Business
Here is an excellent introduction from the Information Commissioner, Elizabeth Denham, who recently talked about how GDPR is an issue for the boardroom – view it here. So, in order to achieve what she and the ICO suggest, how can you cope with GDPR and ePrivacy digital data regulation? Give customers and prospects great value, be lawful, and gain consent for specific purposes. You can be commercial and apply common sense, for a win-win.
The GDPR and ePrivacy Directive are linked
The General Data Protection Regulation (GDPR) and ePrivacy regulations need to be considered together because they are linked. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The ePrivacy Directive
The ePrivacy Directive and the General Data Protection Regulation provide the legal framework to ensure digital privacy for EU citizens. The European Commission has reviewed the Directive to align it with the new data protection rules.
When you access the web, you often entrust vital personal information, such as your name, address, and credit card number, to your Internet Service Provider and to the website you are using. What happens to this data? Could it fall into the wrong hands? What rights do you have with regards to your personal information?
Common EU rules have been established to ensure that personal data enjoy a high standard of protection everywhere in the EU. Currently, the two main pillars of the data protection legal framework in the EU are the ePrivacy Directive (Directive on Privacy and Electronic communications), and the General Data Protection Regulation, adopted in May 2016.
The ePrivacy Directive builds on the EU telecoms and data protection frameworks to ensure that all communications over public networks maintain respect for fundamental rights, in particular a high level of data protection and of privacy, regardless of the technology used.
On 10 January 2017, the European Commission adopted a proposal for a Regulation on Privacy and Electronic Communications to replace the 2009 Directive.
GDPR Six Principles
You can read them on the Information Commissioner website here.
They are found in Article 5 of the GDPR and say that personal data shall be:
(I summarise the key points here; see the link for the full text.)
(a) processed lawfully and in a transparent manner in relation to individuals
(b) collected for specified, explicit and legitimate purposes
(c) adequate, relevant and limited to what is necessary … in relation to the purposes
(d) accurate and, where necessary, kept up to date
(e) kept … no longer than is necessary
(f) processed with appropriate security of the personal data … protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
NB: “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data collection must be lawful. To be lawful it needs to satisfy one of six conditions, which ideally you should prioritise in the following order:
- Consent for specific purposes
- Contractual necessity
- Controller’s legitimate interests
- Controller bound by legal obligation
- Protect vital interests
- Public interest, official duty
Some Issues From ePrivacy and Social Media
One of the reasons GDPR and ePrivacy are interlinked is that online platforms such as social media sites hold email addresses and other personal data. Take wi-fi access as an example: you are often asked to tick a box. This box carries terms and conditions which in future may be unlawful, because ePrivacy says consent must be unbundled. Suppliers cannot offer one service bundled with another. In the end it is all about clear consent, as this ICO GDPR consultation consent guidance articulates.
Key Practical Issues for Businesses
Most businesses are not large. Bigger organisations have legal, compliance and marketing experts. Smaller ones don’t have the resources or time to devote to coping with GDPR and ePrivacy digital data regulation. So what are the key issues to consider? I would suggest:
- B2B marketing remains opt-out. IMPORTANT: however, sole traders and some partnerships require opt-in, and many of these are on lists or are marketed to by “B2B” companies. See the ICO guide, page 34, point 127, here.
- B2C marketing remains opt-in
- There is stricter consent and higher fines
- Make sure you know where data comes from and where it is stored: keep good files and systems.
- Allocate clear responsibility for data processing.
- Consent from people is well described by CIM Course Director @iCompli Duncan Smith as the “Four Pillars of Consent” here:
  - control – the subscriber can manage it
  - transparent – the subscriber is clearly informed
  - notification – the subscriber can express their wishes on how and when they are contacted
  - verifiable – there is proof of consent for that subscriber
How can you cope with GDPR and ePrivacy digital data regulation? Give customers and prospects great value, be lawful, and gain consent for specific purposes. You can be commercial and apply common sense, for a win-win. There are good chartered marketers and compliance experts to help; call us if you are worried and we can help.
Sources and Helpful Sites
Information Commissioner’s Office – you can subscribe to their newsletter on their site
EU Privacy Directive – here
GDPR – Wikipedia as ever is very good on this here
Mark Gracey GDPR expert local to Bournemouth and Dorset from FLAVOURFY DIGITAL
CIM Course Director Duncan Smith icompli.co.uk
Our trusted compliance expert is Leon Thompson
Peter Eales BA Hons Chartered Marketer FCIM FIDM
Founder Director Dorset Business Angels
MD o i solutions limited