The GDPR has been a bit of a black cloud looming over many businesses for a number of months, with much confusion around what exactly it means and what impact it will have. As it comes into force in just over three months on 25 May, there are now daily news articles and emails on the regulation, giving information about what it will apparently do and telling you about what businesses are doing themselves.
The effect the GDPR has on a business will vary depending on the nature of the work they do. For example, an organisation that does a lot of direct marketing will have to review all of its processes and policies around data processing and pay very close attention to consent. For others, the focus will be more on internal data regarding employees and how this information is retained and disposed of. It is difficult to think of an example of an organisation that won’t be affected, hence the growing sense of panic!
We hope to set out here our thoughts around the key areas of the GDPR. This post will not cover everything, but it will be fairly comprehensive and will also provide key actions that you should immediately take if you haven’t already. Every member of our team has received training on the GDPR, and we are already in the process of ensuring that our own website and systems are in place, as well as those of our clients. Should you have any questions about what you need to do after you have read this, simply get in touch and we can discuss your situation.
To better understand the GDPR, it is important to first look at the principles behind it, which are laid out in Article 5. This requires that personal data shall be:
- “processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Furthermore, it requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
An organisation must do all it can to meet these requirements by taking steps to address every one of these principles. However, it is difficult to be 100% compliant, as there is no guarantee against human error and sophisticated hackers may work to find the tiniest hole that could lead to a breach. The ICO understands this and is taking a reasonable approach.
Turning to how the principles work in practice, below we take a look at these to provide some more detail on what they mean and how they should be applied, as well as the consequences if they are ignored.
Data protection by design
Going back to the start, many organisations are now looking at how they can make an existing website compliant with the GDPR, when ideally data protection should be considered right at the beginning of building a website. By employing a data protection or privacy by design approach, you don’t need to worry about retrofitting features, as the website will have been built to meet the GDPR requirements from the outset.
Privacy by design is something the ICO has said has always been an implicit requirement, but more guidance will be published to reflect the provisions of the GDPR. We often work as website designers or developers on websites that we haven’t created and we can see where this approach hasn’t been employed, but it doesn’t mean that you need to start over. What we would recommend is a full scale review of the site, and a subsequent report that will assess the best approach to take from there.
ACTION: Undertake a review of your site to assess what areas need amending as they do not proactively consider privacy
ACTION: For any changes you make or new sites or projects you commission, ensure that they include a privacy by design approach
Importantly, you should have processes and policies in place as an organisation, setting out the data you collect, how you process it, why you process it and also how you intend to use it in the future. This should be held in a central data protection policy, that is regularly reviewed to ensure it is up to date and employees should be trained on it.
You can’t hold data indefinitely, but only while you have a legitimate reason to do so and this should be clearly documented. By drawing up a comprehensive list of the data you hold and how it is used, you will ensure that you are not breaching the GDPR by retaining data that you should no longer have.
One recommendation from the ICO is to carry out a data protection or privacy impact assessment (PIA) - this will help to review how you are meeting conditions for processing and therefore complying with the GDPR and minimise any risks. The following list is helpful when looking at what you should be recording and all of this should be held in a format that is easy to review:
- Organisation details
- Purpose for processing
- Categories and descriptions of personal data
- Recipients of personal data
- Details of locations where data is transferred to and safeguards for these transfers
- Retention schedule
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions - provide details of organisational security measures
A PIA can be done on an organisational level, but also for new projects. It should be a part of what you do and you can tailor it based on the context in which it is required. By making it standard practice, you are further mitigating any risks around data protection and privacy, and demonstrating you are doing what you can to be compliant with the GDPR.
The list above mentions a retention schedule, which is crucial in ensuring that you are holding data for only as long as you have a legitimate use for it, and as a way to keep track of what you hold. Should you have an audit of your data and overall data protection processes, this will help to demonstrate that you are adhering to the GDPR. The ICO has its own retention schedule - this could be useful when deciding what yours should include!
We have provided information below about asking for consent and setting out how data is used in a privacy notice. The ICO points out that providing this privacy notice does not necessarily mean your processing is fair and you can happily proceed from there. It is still vital to consider how your data processing will affect the individuals involved. Fairness is summarised by the ICO as:
- using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used;
- thinking about the impact of your processing. Will it have unjustified adverse effects on them?;
- being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.
Pseudonymisation is something you may wish to consider within data you process. This is where data protection can be enhanced, by replacing fields that contain identifiable data with artificial identifiers or pseudonyms. As the GDPR puts it, pseudonymisation is “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” In order to ensure that data is pseudonymised, additional information is held separately and is still subject to other security measures to ensure the data subject cannot be identified. This could be considered within your data processing methods, for example if it is particularly sensitive. It is important to note this is not the same as anonymisation - in those cases data cannot be linked to an individual, but with pseudonymisation it is still possible by using identifiers held elsewhere.
ACTION: Carry out a PIA of your organisation as a whole
ACTION: Update your data protection policy and appoint a Data Protection Officer
ACTION: Create a retention schedule so you know what data you hold or process, how long you hold it for and ensure you always have a legitimate basis for holding it
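The retention schedule described above is only useful if something actually checks records against it. The following is an added illustration, not code from this post or from the ICO: the schedule, purposes, lawful bases and sample records are all constructed, and real retention periods must come from your own documented schedule.

```python
"""Check held records against a documented retention schedule.

Added illustration; the schedule and records below are constructed examples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed schedule: purpose -> (lawful basis relied on, retention after last use).
RETENTION_SCHEDULE: Dict[str, Tuple[str, timedelta]] = {
    "order fulfilment": ("contract", timedelta(days=365 * 6)),   # e.g. accounting records
    "newsletter":       ("consent", timedelta(days=365 * 2)),
    "recruitment":      ("legitimate interests", timedelta(days=180)),
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    lawful_basis: Optional[str]   # None = no documented basis for holding it
    last_used: date


def review_record(rec: Record, today: date) -> str:
    """Return the action the schedule requires: 'keep', 'erase' or 'review'."""
    if rec.purpose not in RETENTION_SCHEDULE:
        return "review"      # undocumented purpose: cannot justify holding the data
    basis, period = RETENTION_SCHEDULE[rec.purpose]
    if rec.lawful_basis is None:
        return "erase"       # no lawful basis at all, however recent the record is
    if rec.lawful_basis != basis:
        return "review"      # basis differs from the schedule: check before relying on it
    if rec.last_used + period < today:
        return "erase"       # past the documented retention period
    return "keep"


def review_all(records: List[Record], today: date) -> Dict[str, str]:
    """Map each subject id to the action required for its record."""
    return {r.subject_id: review_record(r, today) for r in records}


# Constructed sample data, dated around the time of the post.
TODAY = date(2018, 2, 14)
SAMPLE_RECORDS = [
    Record("s1", "order fulfilment", "contract", date(2016, 3, 1)),
    Record("s2", "newsletter", "consent", date(2015, 1, 10)),
    Record("s3", "recruitment", None, date(2018, 2, 4)),
    Record("s4", "analytics", "consent", date(2018, 1, 1)),
    Record("s5", "newsletter", "legitimate interests", date(2018, 1, 1)),
]

if __name__ == "__main__":
    for subject, action in review_all(SAMPLE_RECORDS, TODAY).items():
        print(subject, action)
```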
Consent is probably one of the biggest areas of discussion around the GDPR, but Information Commissioner Elizabeth Denham has tried to provide clarity by saying that “consent is not the ‘silver bullet’ for GDPR compliance”. While some people have speculated that consent is essential in order to process personal data, the question of consent is actually more nuanced. It is true that the GDPR is raising the bar to ensure a higher standard for consent, but this doesn’t mean consent is imperative for data to be processed. As long as there is a lawful and legitimate reason, then data can be processed. An example Denham gives is the sharing of data by banks for fraud protection purposes. No consent is required for this. It also isn’t needed by local authorities to process council tax information. Where you do rely on consent, it must be an active opt-in: tick boxes, for example, can’t be pre-ticked. As Denham summarises it, “the rules around consent only apply if you are relying on consent as your basis to process personal data.”
One area that is new to the GDPR and particularly sensitive, is the personal data of children. If you offer services that directly include children, then the privacy information needs to be communicated in a way they can understand. Furthermore, you will need systems in place to verify the age of the children and to ensure you obtain parental or guardian consent.
The language around consent has to be clear and plain, so that it can be understood by all, and not just those with legal qualifications. It also has to be clear how a person can withdraw consent, and the process for doing so has to be easy and efficient. To add to this, the GDPR applies to consent you have received in the past; effectively it is backdated, so you can’t assume any consent you may have received before 25 May is acceptable. In summary, any consent an organisation has, past, present and future, needs to meet the standards of the GDPR.
A privacy notice should answer the following questions:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Based on the above, the following information should be included, which will cover the questions above (this is taken directly from the ICO’s Guide to the GDPR):
| Information to include | Data obtained directly from data subject | Data not obtained directly from data subject |
|---|---|---|
| Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer | ⨯ | ⨯ |
| Purpose of the processing and the legal basis for the processing | ⨯ | ⨯ |
| The legitimate interests of the controller or third party, where applicable | ⨯ | ⨯ |
| Categories of personal data | | ⨯ |
| Any recipient or categories of recipients of the personal data | ⨯ | ⨯ |
| Details of transfers to third country and safeguards | ⨯ | ⨯ |
| Retention period or criteria used to determine the retention period | ⨯ | ⨯ |
| The existence of each of data subject’s rights | ⨯ | ⨯ |
| The right to withdraw consent at any time, where relevant | ⨯ | ⨯ |
| The right to lodge a complaint with a supervisory authority | ⨯ | ⨯ |
| The source the personal data originates from and whether it came from publicly accessible sources | | ⨯ |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data | ⨯ | |
| The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences | ⨯ | ⨯ |
It is important to consider how the information is presented as well as what is presented. This comes back to the important point on being clear and transparent. Don’t forget to review all existing privacy notices and text linking to these - depending on the structure of your organisation and the nature of what you do, you may have more than one notice.
Another important feature around consent is the right to erasure. This means that individuals can remove their consent at any time, and also ask for their personal data to be erased. This can be requested to prevent processing in specific circumstances that the ICO has laid out:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Where data may still be required for records e.g. for accounting purposes, steps should be taken to remove the personal aspects and anonymise or pseudonymise it as outlined earlier in this post.
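The pseudonymisation passage earlier in the post and the erasure case just above both turn on the same distinction: a pseudonymised record can be re-linked to the person using additional information held separately, while an anonymised record cannot. The following added example (not code from this post) shows both applied to a constructed invoice record; the field names, sample values and the key are assumptions, and the vault stands in for whatever separately secured store the “additional information” lives in.

```python
"""Pseudonymise versus anonymise a customer record.

Added illustration with constructed data. The PseudonymVault is the
'additional information' the GDPR definition refers to: it must be stored and
access-controlled separately from the pseudonymised records.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Fields that directly identify the person (constructed list).
IDENTIFYING_FIELDS = ("name", "email", "phone")

# Constructed sample record; an accounting system might hold something like this.
SAMPLE_INVOICE = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "phone": "01234 567890",
    "postcode": "AB1 2CD",
    "invoice_date": "2017-11-03",
    "amount": "149.00",
}


class PseudonymVault:
    """Secret key plus pseudonym -> identity table, kept apart from the data."""

    def __init__(self, key: bytes):
        self._key = key
        self._table: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, identity: Dict[str, str]) -> str:
        # Keyed hash: deterministic, so one person always gets the same pseudonym
        # (records stay linkable), but not reversible without the vault.
        canonical = "|".join(f"{f}={identity.get(f, '')}" for f in IDENTIFYING_FIELDS)
        tag = hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()
        self._table.setdefault(tag, dict(identity))
        return tag

    def lookup(self, pseudonym: str) -> Optional[Dict[str, str]]:
        return self._table.get(pseudonym)


def pseudonymise(record: dict, vault: PseudonymVault) -> dict:
    """Strip the identifying fields and replace them with a single pseudonym."""
    identity = {f: record[f] for f in IDENTIFYING_FIELDS if f in record}
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["subject_pseudonym"] = vault.pseudonym_for(identity)
    return out


def reidentify(pseudo_record: dict, vault: PseudonymVault) -> Optional[dict]:
    """Reverse pseudonymisation; only possible with the matching vault."""
    identity = vault.lookup(pseudo_record["subject_pseudonym"])
    if identity is None:
        return None
    out = {k: v for k, v in pseudo_record.items() if k != "subject_pseudonym"}
    out.update(identity)
    return out


def anonymise(record: dict) -> dict:
    """Keep only what accounting needs, coarsened so no link to the person remains.

    Identifiers are dropped outright; the date and postcode are generalised
    because, kept exact, they could still single someone out.
    """
    return {
        "invoice_month": record["invoice_date"][:7],
        "amount": record["amount"],
        "postcode_area": record["postcode"].split()[0],
    }
```

Pseudonymised data is still personal data under the GDPR, so the records remain subject to the principles above; only the anonymised form falls outside them.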
ACTION: Review your privacy notice and ensure it meets the requirements set out above
ACTION: Make sure you are clearly asking for consent and that in no way is it implied
ACTION: Review the consent you currently have for data you hold and take action where appropriate should any not meet the new requirements
ACTION: Establish a clear process to follow in response to a user’s request for erasure, to be certain this is carried out
Data processors and controllers
You will probably already know the difference between a data processor and controller but the ICO has once again published a document on this topic. It states that a controller determines the purposes for which and the manner in which any personal data is to be processed. The data processor is the person who processes the data on behalf of the data controller. In our case at We Create Digital, that would make us the data processor and our clients would be the data controller.
Another way to view it is to look at whether you handle personal data. If you do, then you probably are a data controller and will need to register with the Information Commissioner’s Office. Registration is actually a statutory requirement and failure to do this is a criminal offence. It only takes a few minutes, so make this a priority for your to-do list.
While previously the responsibilities for data protection fell more on data controllers, data processors also now need to demonstrate how they are ensuring they are compliant with the regulations. There should be a contract between a data controller and data processor, which sets out the clear responsibilities and liabilities, and the ICO also states that processors must only act on the documented instructions of a controller. The processor also has a responsibility for meeting the requirements of the GDPR and must still ensure that the personal data and rights of individuals are protected.
Once again, the ICO has helpfully provided detail on what exactly should go into a contract between a data controller and processor. The contract must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject;
- the obligations and rights of the controller.
It must also require the processor to:
- only act on the written instructions of the controller;
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage sub-processors with the prior consent of the controller and under a written contract;
- assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract; and
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
If there is no contract or if a data controller does not work with a processor who can provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects are protected, then it may be deemed as not complying with the GDPR.
A simple piece of advice we give is to appoint a Data Protection Officer whether you are the data controller or processor. This is a requirement for companies that do a significant amount of processing of personal data, but the ICO also recommends it for smaller organisations. As there is so much information to digest and understand, by having a designated individual to do this it will help to ensure that nothing is missed, is a more efficient approach, and will help you in the circumstance that you may have a subject access request, breach or investigation.
ACTION: Check you are registered with the ICO as a data controller
ACTION: Ensure you are meeting the responsibilities as a data controller
ACTION: Review your contract with your data processor and ensure they can provide sufficient guarantees that they can meet the requirements of the GDPR
ACTION: Appoint a data protection officer
Subject access requests and portability
Looking specifically at data you have been given consent to process, it can be requested by an individual at any time as a Subject Access Request (SAR) and you will need to provide a copy of this in an easy to read format, and without a charge. Prior to the GDPR, you could charge a small fee for this and had 40 days to comply, but this is now reduced to a month and has to be completely free.
However, if a request is excessive, then a reasonable fee can be charged or the request can even be refused, but this needs to be done at the earliest opportunity and you must explain that the individual has the right to complain to the ICO about this. You need to be able to show that it would be difficult to provide the data: “the burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the request, and that it would be disproportionate in all the circumstances of the case for you to take further steps.”
Data portability is another feature of the GDPR that has been introduced to allow subjects to move their data between providers without losing any of it, and to avoid a difficult transition where they may have to re-enter data or manage the process more themselves. This may prove tricky for some businesses, as it could require them to share the data in a format that they don’t necessarily store it in themselves. However, the GDPR does state the data should be provided in a “structured, commonly used and machine-readable format” and that “in exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.” These last few words provide some flexibility, but this can’t be relied upon so it is important to do whatever possible to meet the portability requirements.
ACTION: As part of your data protection policy, make sure you have a clear process or system in place should you receive a SAR
ACTION: Consider data portability in how you hold customer records
In a blog post titled ‘setting the record straight on data breach reporting’, Information Commissioner Elizabeth Denham did some myth-busting around the GDPR. This included providing some reassurance around what needs to be reported - if a breach “is likely to result in a risk to people’s rights and freedoms” then this does need to be reported. For example, if a person has asked to be taken off a marketing list and this didn’t happen, there is a chance it isn’t risking their rights and freedoms so may not need to be flagged with the ICO. Regardless of that, steps should be taken to ensure this doesn’t happen again as repeated failure to remove a person from a list and systematically ignoring the GDPR guidelines around this subject could escalate the issue.
While the limit for fines is going up to £17m or 4% of annual global turnover, the ICO has said that fines will be “proportionate”. So an SME turning over £75k a year probably doesn’t need to panic too much about getting a seven figure fine! Denham has said that it is scaremongering to suggest that the maximum fine would become the norm. The limit has increased to provide the power to impose large fines, but this doesn’t mean there is an intention to use that power. It is there should it be needed: in 2016 the ICO analysed 17,300 cases and only 16 of them saw fines being imposed. Organisations shouldn’t be complacent, but instead they need to demonstrate they took steps to avoid the situation happening and once it did happen, show further preventative action was taken at the same time as being open and honest, reporting the breach “without undue delay”.
You should train all of your staff to understand what a breach is and what immediate steps need to be taken if one occurs. There should be an open environment for this and employees should feel they are able to report it should it happen, rather than fear the consequences and delay or even try to hide it. This could have a far worse outcome as it could reflect poorly on the organisation in multiple ways - that an employee either didn’t fully understand the situation, was not trained fully on the requirements or the organisation failed to support them in following the correct procedures.
ACTION: As part of your data protection policy, make sure you have a clear process or system in place for reporting a breach
ACTION: Train your employees on understanding what a breach is and what they need to do should one occur
What you should do now
Hopefully this post has given you plenty to think about, outlined a few urgent actions you should be taking and also highlighted some areas you may need to review. The most important piece of advice is to follow everything required for the GDPR and don’t assume you have some time after it comes into force to sort things out - that is the period we are in now and it has been lengthy, so there is no excuse.
Furthermore, while you may wish to avoid spending money on an area that doesn’t bring an obvious return or growth in sales, it is a good use of company funds compared to the fine that you may receive if you ignore an aspect of the GDPR that seems onerous or annoying to you. This will clearly have an impact on company profits as well as your reputation. The ICO will not pity companies that failed to comply because of costs involved - the value placed on personal data is much higher. Ultimately, consider whether if you were brought before the ICO to answer a complaint made against you, would you feel confident in making a case for why you shouldn’t be fined? If you can’t answer yes to that, then you need to do what you can to get to the point where there can be no doubt and you are able to show exactly how you have complied.
To gain a more thorough understanding of the GDPR, you should read the resources the ICO has specifically developed on the GDPR. These are:
- a guide to the GDPR;
- a getting ready for the GDPR self help checklist;
- a GDPR FAQs document; and
- a ‘12 steps to take now’ graphic.
There is also an Article 29 Working Party that will continue to publish updates on the GDPR as they are made available, so that is worthwhile keeping an eye on.
If you want to take further steps immediately but are unsure about specific points, then there is a dedicated GDPR preparation helpline you can call that is for small organisations. Simply call 0303 123 1113, select option 4 and you will be able to speak to a helpful advisor. The hold times can be a while, but persevere!