You’ve probably been hearing a lot about GDPR lately. It can seem like a
Preparing for GDPR
We’ve been looking at the coming legislation for a long time now. After all, we don’t just store personal data for our own business – we write, configure and support Gold-Vision CRM – so GDPR affects all our customers too.
We’ve been keeping our customer’s needs in mind with every change we make, knowing that Admins have enough to do already and end users don’t really want lots more fields to fill in.
I’ve been part of our internal steering group, literally picking through the “Articles” one by one and considering their implications for a variety of client scenarios. I also hold the EU GDPR Foundation and Practitioner certifications so, to save you the five days of intense study I spent, I’m going to share some of the highlights with you.
Before we get started, there are two things to get out of the way:
1. What’s this blog about and what are the articles mentioned everywhere?
GDPR is the new General Data Protection Regulation which comes in on the 25th May 2018. It’s made up of 99 Articles and some of them get quoted a lot. I’ve mentioned the specific article numbers where useful so you can pop along and have a read yourself. A great resource is https://gdpr-info.eu as it lists them all in a nicely linked format.
2. Who are the ICO? I keep seeing that…
This is the Information Commissioner’s Office and they are responsible for data protection in the UK. They are our ‘statutory regulatory authority’ and their web address is www.ico.org.uk.
Right, let’s get started..!
[QUICK DISCLAIMER: I’m not a lawyer so this is not legal advice, and you may need help from someone that is.]
Does GDPR apply to me?
If you’re a business or other organisation, then probably, yes – unless you have no customers and no staff in the EU (which means no database and no records of names, phone numbers, email addresses etc.).
Based outside the EU? Good for you! However, if your customer contacts, prospect and supplier contacts, staff etc are based in the EU, it still applies to their data.
If you’re unsure, there’s a quick GDPR self-assessment tool that the ICO has made available for you to check.
Data Controller vs Data Processor
There are two key definitions in GDPR – Data Controller and Data Processor (Articles 24-43). In broad terms:
- The Controller is the organisation that defines the what, why, how and who; what data they have, why they have it, how they use it and who they share it with.
- If you process data on behalf of another organisation, then you’re a processor – but you’re likely to be a controller as well (unless you have no staff etc. – see above).
[Quick note: I’ve written this blog for controllers – if you are mostly a processor then your internal team may find this useful.]
If you are sharing data with a processor – maybe an outsourced payroll provider, a pension provider, occupational health or even a CRM or marketing platform – then you need to make sure that your agreements with them comply with the new laws and that they keep the data securely (Article 28).
Why am I reading this?
You may have heard about the fines. The ICO could give you a big fine if you don’t comply. The top rate is €20m or 4% of global turnover (whichever is higher) and you’d probably agree that’s pretty big (Article 83).
Did I mention that data subjects have a right to legal action and compensation too? (Articles 79 & 82)
Hang on – what is covered by this? And what is ‘Processing’?
We’re talking about personal data that can identify someone as an individual (in the EU).
- No, Brexit will not have much effect on this.
- Yes, my business email address does count as personal data.
Processing data doesn’t mean just running it through a process. Storing it, looking at it, filing it and deleting it all count as processing.
Where do I start?
Like most projects, you need to work out where you are now.
Start with a data flow audit – this can be a fancy flow diagram or a bunch of post-it notes to begin with – you want to know:
- What the data is (name, email address etc)
- The format(s) it’s in (paper in filing cabinets, database, spreadsheets)
- How it’s transferred (email, internal on a network)
- The location(s) in which it’s stored (offices, the Cloud etc)
It’s also useful to note who is responsible for each of these data flows.
You know what, now the why…
Take a good look at your audit. Do you actually need all of the data you have? Do too many people have access to it? Is it secured? How? Does it get shared with anyone? Does it get sent or is it accessed outside the EU?
As you go, you’ll be thinking about why you hold it (and looking at the six Lawful Basis for Processing), and also about how long you should keep it (and again, why). Want further reading? Check out Article 6.
Lawful thing for what?
There are six potential Lawful Basis for Processing in Article 6 and you need at least one.
One of the major myths about GDPR centres around ‘Consent’ which is the first of these. It often gets confused with consent to receive marketing and I’ll talk more about later.
Although consent is a perfectly good basis for processing in the right circumstances, it’s not a good idea to start reading the list and stop there.
Now, these are important so here are the actual words [with emphasis from me]…
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
A few brief comments… (and maybe run your choice(s) by your lawyer).
- This needs to be as easy to withdraw as to give
- It needs to be for an explicit purpose
- You can’t use this if you’re going to process the data anyway
- You can’t use this if the relationship between the parties is not equal (like an employer asking consent of an employee)
Performance of a contract
- Pretty handy for employee data
- That should be pretty self-explanatory
- This literally means life or death
Public interest / official authority
- You should already know if this applies to you
- This is ideal for business contacts
- The data subject can disagree and ask you to remove their data
A special word about special data
There are some special categories of data and it’s a no-no to process it unless you really do have a good reason to. You’ll need your Article 6 lawful basis AND an Article 9 exception if you do, so think really carefully about this.
This is data about racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sex life or sexual orientation.
What am I aiming at?
You’ll possibly have heard of the Data Protection Principles by now – if not, there are six of them and they make up Article 5. I won’t repeat them precisely, but in a nutshell, they are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
This means that when you think about your data, remember that personal data is not yours, it’s the data subject’s data, you just happen to be using it. Be fair and transparent, use it only for the purpose it was intended, hold only what you need, keep it up-to-date, see it as having a ‘best before’ date, and keep it secure.
Got a clearer picture? Let’s call it ROPA!
Oh yes, all of the work you’ve done so far will be called your ROPA (Records of Processing Activities). This is described in Article 30 and is the document the ICO would want to take a look at first if there was an issue.
When you’re looking at new processes or technology, go for ‘Data Protection by Design’ – yes, there’s an article about that too – Article 25
To DPO or not DPO
There are a lot of acronyms going around and one of them is DPO (Data Protection Officer). You may think this is just another job title but it isn’t. This is a special role under GDPR and if you are one, you need to make sure you’re not responsible for any operational decisions. You also get board access and employment law protection (you can’t be sacked for doing your job – even if the board doesn’t like what it hears).
But do you even need one?
Well, I’d argue that every company needs someone responsible for data privacy. However, unless you are a public body (defined by whether you get Freedom of Information requests), monitor people systematically and on a large-scale, or process large-scale data on special categories or criminal convictions, you’re probably better off with any other job title you can think of for this person; maybe a Privacy Compliance Manager or a Privacy Officer.
See Articles 37, 38 & 39 if you want to know more.
Data Protection Impact Assessment (DPIA)
We’ve really entered acronym overload now!
A Data Protection Impact Assessment (or DPIA for short), is another term that’s being used liberally but is a specific thing. This is an assessment of the potential risks to the data subjects (rather than your organisation).
There are circumstances when these have to be carried out (Article 35) – and include using new technology (like AI – artificial intelligence), large-scale special category data, combining data (Big Data), large-scale CCTV etc.
If you’re in this boat, you probably have a DPO (data protection officer) – see above – and they’ll advise you that you need one (although they won’t be the person that carries it out).
Now for the (potentially) bad news – if you find there is a potential “high risk” to the ‘rights and freedoms of the data subjects’ you need to get it approved before you do it. This is Article 36 and the ICO has eight weeks to look at it. They can also extend this by a further six weeks.
You can carry out a full or ‘light touch’ DPIA if you don’t legally need one but want to be thorough.
Whatever you do, it’s worth looking at reducing risks where you find them – and using a formal approach doesn’t hurt (whichever terminology you use).
I recently came across Terminate, Treat, Transfer and Tolerate (The 4 Ts) instead of the more familiar Avoid, Reduce, Fallback, Transfer, Accept and Share from Prince2.
Phew. Are we nearly there yet?
Well, we’ve covered the initial work, as the Information Commissioner Elizabeth Denham wrote in a recent newsletter, “25 May is not the end. It is the beginning”. Your data subjects have eight key Rights (although they don’t all apply in every case) so let’s take a look at the most pressing one.
Privacy Notices (Note: This is a really important bit!)
Remember those Data Protection Principles? Well, the first one is about ‘lawfulness, fairness and transparency’ and this underpins the Right to Be Informed. This means that if you have someone’s data, you have to let them know.
This will be in the form of a Privacy Notice and include lots of information you’ve captured already. For instance, the purpose, lawful basis for processing, how long you keep it and if you share it with anyone. You also need to provide information on the subject’s rights – keep reading for more on this.
This sounds like lots of work…
Yes. Possibly. Logically, you can’t send a Privacy Notice until you know what’s in it. And you can’t decide what’s in it until you’ve done your data flow audit and built up your ROPA (Records of Processing Activities).
Do think about data minimisation. If you don’t need some of the data you hold, remove it before the 25th May and you won’t need to send a privacy notice to those people (or an email with a link to one anyway). You may now be thinking about all of the notices you’ve received recently.
Let’s run through the rights
This is the section you’ve probably seen everywhere and have been brought together from Articles 12-23.
Right to be informed – Article 12
Before any of the other Rights can be used, you really need to know someone has your data in the first place. There’s a handy table on the ICO website of the information that needs to go into your Privacy Notice if you’re not sure. If you get the data from the data subject, you need to provide this straight away or within one month if you get it from another source (and say where you got it from).
Right of access – Article 15
The term ‘Subject Access Request’ has been around for a while now but under GDPR you can’t make a charge for it and it needs to be provided in one month (that’s a calendar month) from when it was requested.
Right to rectification – Article 16
Inaccurate or incomplete data can cause people problems. If you get a request to put something right you have a month to respond.
Right to erasure – Article 17
In most circumstances, a data subject can ask for their personal data to be erased. You’ve guessed it, you have one month to comply with this one too.
Right to restrict processing – Article 18
This is a fun one. Someone may not want their data erased but ask you not to process it. Remember that processing also means deleting? You could also offer this to data subjects who want you to erase their data but you can’t because you have a clear reason not to comply.
Right to data portability – Article 20
Unless you work with large-scale customer data like smart meter readings or transactions this won’t apply to you.
Right to object – Article 21
A common thing to object to will be direct marketing. This is not to say that if you don’t object it’s okay to be marketed to.
Rights in relation to automated decision making including profiling – Article 22
A data subject can ask not to be ‘subject to a decision based solely on automated processing, including profiling, which produces legal effects’ unless it’s part of a contract, is in law or based on consent. If you do this, you really should have a DPO and lawyer lined up already.
So, are you grinning or feeling worried?
If you’re still with me – congratulations! If you’re rocking gently under your desk now, remember that this is just a change in the rules. If you complied with the existing Data Protection law anyway, it’s an audit/risk assessment, new privacy notices and a bit of contact communication.
Just don’t park this as an IT or HR project – it involves everyone in your organisation. Roll out some awareness training so all staff know how to recognise things like Subject Access Requests and what to do with them. You’ll need to create a few processes and you may find you have some that need tweaking.
Of course, I know an amazing CRM and integrated marketing platform that can help make this, and the ongoing management of your data, super easy.
One final word: marketing
You may have read all of the above and wondered where the email marketing ‘opt-in’ bit is.
Think of it this way, we currently have the Data Protection Act (DPA) and PECR (Privacy and Electronic Communication Regulations) sitting side by side.
Originally, the ePrivacy Regulation (ePR) was going to go live on the same date as GDPR but it’s been delayed, so for now PECR still applies (and will continue to after the 25th May). PECR has different rules for B2C and B2B marketing, whereas ePrivacy is very likely to remove that difference meaning that you’ll need opt-ins for B2B marketing too.
So now you know why ‘opt-ins’ got all the limelight to begin with and why you’ll very likely still need them. But if you’re B2B, not just yet… but why not start getting them now so you are ready?
If you’re not currently using Gold-Vision CRM but would like to find out more about what Gold-Vision can do for your business, we’d love to arrange a personalised demo for you.