(originally posted October 2017)
Although that is currently 3 months away, these things take time to put in place and test rigorously. If you need to ask, GDPR means the General Data Protection Regulation; the government has confirmed that the UK’s decision to leave the EU will not affect its implementation. The ICO (Information Commissioner’s Office) is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of 25th May 2018 and beyond. Here is a link to their 12 Step Compliance Preparation Plan. Worth a read, as it has a clear and concise format.
Who does the GDPR apply to? If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR, which applies to ‘controllers’ and ‘processors’. These definitions are broadly the same as under the DPA (Data Protection Act), i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are subject to the DPA, it’s most likely that you will also be subject to the GDPR.
As a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
As a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. Do take particular note that these obligations on processors are new under the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. And it will apply to the UK now and after Brexit.
What data/information does the GDPR apply to?
Personal data: Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (taking identifying fields in a database and replacing them with artificial identifiers, or pseudonyms, e.g. key-coded) can fall within the scope of the GDPR depending on how easy or difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data: The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
More specifically, the GDPR provides the following rights for individuals:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.
The right to data portability is new. It only applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual’s consent or for the performance of a contract; and
when processing is carried out by automated means.
Regarding your digital marketing: IP address, device ID and location look to be included, and the exact definition of ‘personal information’ is still a slightly grey area at this time.
As of 29/1/18, a full 60% of European business leaders admit that they are not prepared for these legally binding regulations.
Why all the fuss? Let’s start with an obvious question: what are the penalties for non-compliance? The most serious violations of the GDPR have severe consequences. The ICO will have the power to fine companies up to 20 million Euros or 4% of a company’s annual turnover for the preceding year.
It’s not all about consent, but that is often where it starts. You need to have a legal basis, such as consent, to process an EU citizen’s personal data. Under the GDPR you may use another legal basis for processing personal data, but we expect the majority of companies will rely on consent. This consent must be explicit and verifiable. Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. All contact forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits the form. Explicit consent requires that each contact takes an action to consent, so the opt-in can’t use a pre-checked opt-in box. In addition, the opt-in message you use has to state all the ways you could possibly use the personal data you collect.
This could mean that a new contact agrees to let you do any or all of the following:
– Transfer their contact information (who to)
– Store their contact information (and how long for)
– Send them marketing emails (and include outgoing e-mail disclaimer)
– Track interactions for email marketing (such as MailChimp e-mail campaigns, new names may be covered by Mailchimp’s updated opt in policy and disclaimer)
One of the main objectives set out in the GDPR is user consent, which must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. If your site says ‘if you do not consent please tick this box’ or assumes consent unless advised otherwise, then this will need to be changed.
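As an added illustration (not code from the original post), the following Node.js snippet applies the consent points above to a contact form submission: it rejects a pre-ticked box, opt-out wording or a missing positive action, checks that the opt-in wording states every use listed, and then writes the verifiable record (email, IP, timestamp, method). The field names, purpose strings and sample data are assumptions constructed for this example.

```javascript
// Added example, not code from the original post: checks a contact-form submission
// against the consent points above (positive opt-in, no pre-ticked box, wording that
// states every use) and writes a verifiable record. Field names and sample data are assumptions.

// The uses of personal data that the opt-in wording must state (from the list above).
const PURPOSES = [
  "transfer contact information",
  "store contact information",
  "send marketing emails",
  "track email marketing interactions",
];

// form: how the opt-in was presented; submission: what the contact sent.
// Returns { ok: true, record } or { ok: false, reason }.
function recordConsent(form, submission, receivedAt) {
  const wording = form.optInText.toLowerCase();
  // Consent cannot be inferred from a pre-ticked box or from silence.
  if (form.optInDefaultChecked) {
    return { ok: false, reason: "opt-in box was pre-ticked" };
  }
  // "If you do not consent please tick this box" assumes consent by default.
  if (wording.includes("do not consent")) {
    return { ok: false, reason: "opt-out wording is not a positive opt-in" };
  }
  if (submission.optIn !== true) {
    return { ok: false, reason: "no positive opt-in action by the contact" };
  }
  // Informed consent: every possible use must appear in the wording shown.
  const missing = PURPOSES.filter((p) => !wording.includes(p));
  if (missing.length > 0) {
    return { ok: false, reason: "opt-in wording omits: " + missing.join(", ") };
  }
  // Verifiable consent: keep who, when, how, and exactly what they agreed to.
  return {
    ok: true,
    record: {
      email: submission.email,
      ip: submission.ip,
      timestamp: receivedAt.toISOString(),
      method: "unticked web form checkbox, ticked by the contact",
      optInText: form.optInText,
      purposes: PURPOSES.slice(),
    },
  };
}

// Constructed sample input (not real data): a compliant form and one submission.
const sampleForm = { optInDefaultChecked: false, optInText: "Tick this box so we can store contact information, transfer contact information to our email provider, send marketing emails and track email marketing interactions." };
const sampleSubmission = { email: "jo@example.com", ip: "203.0.113.5", optIn: true };
console.log(recordConsent(sampleForm, sampleSubmission, new Date("2018-02-26T09:30:00Z")));
```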
Posted by Neale Gilhooley (updated 26th Feb 2018), with much of this information coming from these sources:
ICO website for further reading
The Drum marketing magazine: How to achieve GDPR compliance
The DMA (Direct Marketing Association) website has its own GDPR guide with links to some webinars and reading resources.