(originally posted October 2017)
Although that is currently 3 months away, these things take time to put in place and test rigorously. If you need to ask, that means the *General Data Protection Regulation. The government has confirmed that the UK’s decision to leave the EU will not affect its implementation. The ICO (Information Commissioner’s Office) is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of 25th May 2018 and beyond. Here is a link to their 12 Step Compliance Preparation Plan. Worth a read, with its clear and concise format.
Who does the GDPR apply to? If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR, which applies to ‘controllers’ and ‘processors’. These definitions are broadly the same as under the DPA (Data Protection Act), i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are subject to the DPA, it’s most likely that you will also be subject to the GDPR.
As a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
As a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. Do take particular note that these are new obligations for processors under the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. And it will apply to the UK now and after Brexit.
What data/information does the GDPR apply to?
Personal data : Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (taking database identifying fields and replacing them with artificial identifiers, or pseudonyms eg key-coded) can fall within the scope of the GDPR depending on how easy or difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data: The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.
More specifically, the GDPR sets out the following rights for individuals:
– the right to be informed;
– the right of access;
– the right to rectification;
– the right to erasure;
– the right to restrict processing;
– the right to data portability;
– the right to object; and
– the right not to be subject to automated decision-making including profiling.
The right to data portability is new. It only applies:
– to personal data an individual has provided to a controller;
– where the processing is based on the individual’s consent or for the performance of a contract; and
– when processing is carried out by automated means.
Regarding your digital marketing: IP address, device ID and location look to be included, and the exact definition of ‘personal information’ is still a slightly grey area at this time.
As of 29/1/18 a full 60% of European business leaders admit that they are not prepared for these legally binding regulations.
Why all the fuss? Let’s start with an obvious question: what are the penalties for non-compliance? The most serious violations of the GDPR have severe consequences. The ICO will have the power to fine companies up to 20 million Euros or 4% of a company’s annual turnover for the preceding year.
It’s not all about Consent, but that is often where it starts. You need to have a legal basis, like consent, to process an EU citizen’s personal data. Under the GDPR, you may use another legal basis for processing personal data, but we expect the majority of companies will rely on consent. This consent must be explicit and verifiable. Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. All contact forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits the form. Explicit consent requires that each contact takes an action to consent, so the opt-in can’t use a pre-checked opt-in box. In addition, the opt-in message you use has to state all the ways you could possibly use the personal data you collect.
This could mean that a new contact agrees to let you do any or all of the following:
– Transfer their contact information (who to)
– Store their contact information (and how long for)
– Send them marketing emails (and include outgoing e-mail disclaimer)
– Track interactions for email marketing (such as MailChimp e-mail campaigns; new names may be covered by Mailchimp’s updated opt-in policy and disclaimer)
One of the main objectives set out in the GDPR is user consent, which must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. If your site says ‘if you do not consent please tick this box’ or assumes consent unless advised otherwise, then this will need to be changed.
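As an added illustration of the consent requirements described above (this is example code written for this post, not code from the ICO, MailChimp or any form builder), here is a small server-side helper that only records consent when the box was actively ticked, refuses submissions that name no purpose or a purpose the opt-in wording did not state, and keeps the written record the text calls for: who, when, from which form and IP address, which purposes, and a hash of the exact opt-in wording shown. The field names, the `ALLOWED_PURPOSES` set and the sample submission are all constructed for the example.

```python
"""Consent-record helper (added example; field names and purposes are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Purposes the opt-in message states; names are constructed for this example.
ALLOWED_PURPOSES = {"transfer", "store", "marketing_email", "track_interactions"}


class ConsentError(ValueError):
    """Raised when a submission does not amount to explicit, verifiable consent."""


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    ip_address: str
    timestamp: str            # ISO 8601, UTC: when consent was given
    source: str               # which form or page it came from: how consent was given
    purposes: tuple           # the uses the contact agreed to, sorted
    consent_text_sha256: str  # hash of the exact opt-in wording shown at the time


def record_consent(form, consent_text, source, ip_address, now=None):
    """Validate a posted form dict and return a ConsentRecord, or raise ConsentError.

    Browsers omit an unticked checkbox from the POST body, so a missing key
    means 'not ticked'. No default of "on" is applied here: that would be the
    server-side equivalent of a pre-ticked box, which the GDPR does not allow.
    """
    if form.get("consent_checkbox") != "on":
        raise ConsentError("no positive opt-in: the consent box was not ticked")
    if not form.get("email"):
        raise ConsentError("no contact to record consent for")

    # Purposes arrive as repeated form fields; the caller passes them as a list.
    purposes = tuple(sorted(set(form.get("purposes", []))))
    if not purposes:
        raise ConsentError("opt-in must name at least one purpose")
    unknown = set(purposes) - ALLOWED_PURPOSES
    if unknown:
        raise ConsentError(f"purpose not stated in the opt-in text: {sorted(unknown)}")

    when = now or datetime.now(timezone.utc)
    return ConsentRecord(
        email=form["email"],
        ip_address=ip_address,
        timestamp=when.isoformat(),
        source=source,
        purposes=purposes,
        consent_text_sha256=hashlib.sha256(consent_text.encode("utf-8")).hexdigest(),
    )


def consent_covers(record, purpose):
    """True only if the contact explicitly agreed to this particular use."""
    return purpose in record.purposes


if __name__ == "__main__":
    # Constructed sample submission; 203.0.113.5 is a documentation-range address.
    wording = "I agree that Example Ltd may store my details and send me marketing emails."
    submission = {
        "email": "alice@example.com",
        "consent_checkbox": "on",
        "purposes": ["marketing_email", "store"],
    }
    rec = record_consent(submission, wording, "contact-form", "203.0.113.5")
    print(rec)
    print("may email:", consent_covers(rec, "marketing_email"))
    print("may transfer:", consent_covers(rec, "transfer"))
    try:
        record_consent({"email": "bob@example.com"}, wording, "contact-form", "203.0.113.6")
    except ConsentError as err:
        print("rejected:", err)
```

The point of the record is that each of its fields answers one of the questions an auditor or a data subject can ask: the timestamp and source say when and how, the purposes say what for, and the hash lets you prove which version of the opt-in wording the contact actually saw. Any later use (an email campaign, passing details to a third party) should be gated on `consent_covers` rather than on the mere existence of a record.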
Posted by Neale Gilhooley (updated 26th Feb 2018), with much of this information coming from these sources:
ICO website for further reading
The Drum marketing magazine: How to achieve GDPR compliance
The DMA (Direct Marketing Association) website has its own GDPR guide with links to some webinars and reading resources.
In the world of dispute and conflict resolution the words Mediation, Negotiation and Conflict Resolution have a special resonance, and together they form the meaning behind MNCRS. Run by Paul Kirkwood, a qualified solicitor with significant experience in mediating in commercial business disputes, resolving workplace employment disputes, partnership disputes, personal injury disputes and education law disputes, Paul is the specialist to bring in if you need to break the deadlock in a situation. With a company name chosen it was time to start building the brand, and Paul was referred to Evolution Design.
We created a logo for MNCRS with the strapline – Mediation, Negotiation and Conflict Resolution Services – giving an instant explanation of his core areas of practice. We then applied that to his new website, which features Paul’s experience and background along with helpful videos where Paul goes a bit deeper into the rationale for employing a skilled and experienced mediator, and how mediation can move a dispute toward settlement and save a great deal of time and legal fees, as well as preventing the emotional worry and stress caused by a legal case which can drag on for years. MNCRS cover three main areas of mediation, and each has its own page on the website (which we registered as mncrs.co.uk): Commercial, Employment and Personal Injury each have their own service page and video, which can be viewed onsite or via their new YouTube channel. You can view the new MNCRS website here.
We also designed stationery and built a blog for Paul Kirkwood Mediator as an experienced figure of authority within the industry where he can go into more depth about his approach to resolving cases and other wider industry issues. Blogs are excellent ways of building an audience and generating relevant website traffic. They are also ideal for someone like Paul to publish articles that have been written by him for publications such as Collaborate, the trade title for the Scottish Mediation Network. Both the website and the Blog have Google Analytics tracking code installed so that we can evaluate the performance of each and other marketing activity.
“I was referred to Evolution Design by a business contact who recommended their services for Web Design and Build. Neale Gilhooley responded to my initial email very quickly, and a meeting was set up within a couple of days. Neale took the time to find out about me and what I was about professionally and to make sure he understood his prospective new client’s needs. He undertook appropriate background research into competitors’ websites, and came up with a proposal for design and build within a few days. He listened to me carefully and came up with the strapline ‘Every conflict can come to an end’ from language I had been using. He also talked me through the design and build of the website involving me for colour scheme and physical set up all the way through. He also kept me encouraged to keep producing content, both for the website and the Blog, which he also set up – the Blog was Neale’s idea – a brainwave. A great way to market your services and let your peers know what you are doing, and that you know what you are talking about, through the social professional media platform, LinkedIn.
He also introduced me to a great film maker, Steve Pool of Illuminate – and together we made a number of short videos for the website. Neale knows where to find the right people to put your project together and coordinate it all for you. He is also very personable and easy to work with.
I thoroughly recommend Neale and Evolution Design to anyone seeking to get their own website up and running,” said Paul Kirkwood, Director, MNCRS.
Always nice to hear positive feedback from a satisfied Client. Posted by Neale Gilhooley (Jan 18)
Here is another e-card that we have just completed for Nikon. This year we looked at something very much in vogue, the pop-up book and card, very much à la mode. As well as including the festive greeting in six languages, we’ve also made a prominent mention of this being the centenary for Nikon, marked by their special 100th anniversary logo.
You can see more examples of e-cards that we have created for Nikon in over 10 years on this blogpost.