Seven steps to GDPR
Strict new data-processing regulations come into force next year. Nik Rawlinson details seven measures that will help you prepare
The EU’s new General Data Protection Regulation (GDPR) comes into force in May 2018, creating new rights and responsibilities over the handling and processing of personal data. All British businesses will be affected, as the UK will still be a member of the Union – and even after the UK leaves, you’ll need to follow the rules if you want to offer any type of service to the EU market. Indeed, there’s a good chance that the GDPR will be adopted into UK law. So it makes a lot of sense to act sooner rather than later and get your business ready.
GDPR replaces the 1995 Data Protection Directive, strengthening individuals’ data-protection rights and synchronising those rights throughout the European Union. Almost all businesses will have to update their processes to be compliant, but overall it should become easier for companies outside the EU to do business with the bloc, as there will only be one set of rules to follow.
The impact is so widespread, partly because the GDPR covers everything and anything that can be considered personal data. That doesn’t just mean photos, spreadsheets and documents, but things as basic as names and social networking posts. If you keep an electronic list of customers, you need to comply; likewise, if your website logs visitors’ IP addresses, you send out newsletters, you use a European cloud service (or store EU-relevant data on a non-EU cloud service, such as emails to and from EU citizens on a webmail service), and so on. There are exceptions, but these largely apply to employment and national security issues, or to individuals processing data at home for personal use.
The penalties for serial non-compliance are stiff, topping out at €20m or 4% of your company’s annual worldwide turnover – whichever is greater. These seven steps should help you avoid falling foul of the law, but the political situation is still developing with regard to post-Brexit rules: see the Information Commissioner’s Office’s overview at pcpro.link/277gdpr for the most up-to-date information.
1 Focus on Privacy by Design
Make privacy inherent in everything that you design, be it a process, a product or a website. That way, no further data-protection measures should be required. Don’t assume that offloading your data to a third party is a way around this requirement, either: it’s your responsibility to make sure they’re compliant.
Requirements include end-to-end encryption, transparency, and the ability for users to identify themselves – when required – without passing non-essential sensitive data. That means that, for example, if you need someone to prove that they’re over 18, they should be able to do so by some means other than entering credit card details. Any identifying data you collect should be anonymised, such as by “hashing” names at the point of capture, so they’re represented by long but unique strings of meaningless data.
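As an added example (not from the article), here is what “hashing names at the point of capture” looks like in practice, together with the caveat a practitioner needs: an unkeyed hash of a name is pseudonymisation rather than anonymisation, because names are guessable and a plain hash can be matched against a list of common names, whereas a keyed hash (HMAC) under a secret held apart from the customer database cannot be guessed without the key and still lets you locate one person’s record when an erasure request arrives. The names, the guess list and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample input: names as they might arrive on a sign-up form.
SAMPLE_NAMES = ["Alice Smith", "Bob Jones", "Carol White"]
# Constructed guess list, standing in for a dictionary of common names.
COMMON_NAMES = ["Alice Smith", "Bob Jones", "Carol White", "Dave Brown"]


def normalise(name: str) -> str:
    """Canonicalise spacing and case so one person yields one token."""
    return " ".join(name.split()).lower()


def plain_hash(name: str) -> str:
    """Unkeyed SHA-256: the naive reading of 'hash the name at capture'."""
    return hashlib.sha256(normalise(name).encode()).hexdigest()


def keyed_token(name: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept apart from the customer database.

    The same name always maps to the same token, so an erasure request can
    still locate the record; without the key the token cannot be guessed.
    """
    return hmac.new(key, normalise(name).encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          key: Optional[bytes] = None) -> Optional[str]:
    """Try each candidate name against the token; return the match or None."""
    for cand in candidates:
        guess = plain_hash(cand) if key is None else keyed_token(cand, key)
        if hmac.compare_digest(guess, token):
            return cand
    return None


def demo(key: Optional[bytes] = None) -> dict:
    """Plain hashes of names fall to guessing; keyed tokens do not."""
    key = key or secrets.token_bytes(32)
    plain = plain_hash(SAMPLE_NAMES[0])
    keyed = keyed_token(SAMPLE_NAMES[0], key)
    return {
        "plain_recovered": reverse_by_dictionary(plain, COMMON_NAMES),
        "keyed_recovered_without_key": reverse_by_dictionary(keyed, COMMON_NAMES),
        "keyed_recovered_with_key": reverse_by_dictionary(keyed, COMMON_NAMES, key),
    }


if __name__ == "__main__":
    print(demo())
```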
If you think the EU is being unfairly strict here, it isn’t: it’s playing catch-up. The US Federal Trade Commission recommended Privacy by Design in 2012, two years after it was unanimously recognised as an essential component of privacy protection at the annual conference of International Data Protection and Privacy Commissioners in Jerusalem.
2 Ensure you remain accountable
Adopting privacy-centric business processes is crucial, but it’s not enough: you must also be able to prove that you’ve done so, if asked. That means documenting the discussions and processes that contributed to your final implementation. This is as much a protection for yourself as it is a way of reassuring your customers, since it enables you to show that the available protection measures were considered and incorporated in your business.
On top of this, any staff who might handle personal data must be adequately trained; you’ll need to devise and implement a robust internal data-protection policy that complies with every aspect of GDPR.
If you have more than 250 staff members then some additional requirements apply: you will need to retain written internal records of all data-processing activities, descriptions of technical and organisational security measures, and documentation of any safeguards applicable to data-transfer mechanisms, among other details. These may be requested by a Supervisory Authority to check your compliance, so the more detailed and extensive your records, the better.
Performing a Data Protection Impact Assessment (DPIA) will help you assemble this documentation, and spot any potential weaknesses in your data-protection measures. The Information Commissioner’s Office recommends conducting a DPIA whenever new technologies are used to process information in a way that could place individuals’ privacy rights at risk, such as rolling out large-scale CCTV deployments.
The DPIA should include assessments of the risks to individuals, the necessity of data processing and retention, any measures you have employed to minimise the risks, and a description of your processing operations and their purposes.
3 Ask for active consent
It’s no longer safe to make any assumption where consent is concerned. If you’re designing an opt-in form, web-store checkout or data-collection mechanism, be sure to explain clearly what a user is opting into and how the data will be used – and make sure that the action of opting in is active, rather than passive, as GDPR doesn’t allow you to rely on pre-ticked boxes, or assume that a failure to opt out implies consent. Moreover, any conditions must be detailed separately from regular terms and conditions, so that they are more obvious.
This applies internally, too: employers must obtain active consent from their employees when adding their details to internal databases. This means you may have to update your induction processes.
This doesn’t necessarily mean starting again from scratch. The Information Commissioner’s Office has declared that “you are not required to automatically ‘repaper’ or refresh existing [Data Protection Act] consents in preparation for the GDPR.” However, if you rely on consent previously granted for an individual’s data to continue to be processed, you must “make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.” If you have any doubts, it’s safest to contact every subject currently on your database to request GDPR-compliant consent for you to continue processing their data.
4 Keep your users informed
Under GDPR, citizens and customers will have a right to contest your use of their data, or to revoke their consent to it. If you haven’t already, you will need to nominate (or hire) a data controller and data-protection officer to handle these interactions, and make their contact details public.
These details must also be available to the Supervisory Authority of each member state. This is an independent body that investigates complaints on behalf of European citizens, which will liaise with Supervisory Authorities in other member states, which together are overseen by the European Data Protection Board.
Alongside your contact information, you’ll need to provide a plain-language explanation of how customer data is used, including the purpose of data collection, any interests that the controller, collector or third party processor might have, who will receive the data, whether it’s being transferred to an external agent and so on. The full list of notifications can be found on the ICO website (pcpro.link/277ico).
Some additional obligations apply if you didn’t obtain the data directly from the subject – for example, if you have purchased a mailing list. In these instances, you must also notify subjects of the categories of personal data you are collecting and how you came by their information.
5 Be prepared to delete your data
The GDPR embodies a “right to erasure” in place of the “right to be forgotten” that already applies within the European Union. In specific situations, subjects can request that their details be removed from your database entirely.
This might happen if a customer withdraws their consent to further processing of their data. It includes cases where the data was obtained or processed unlawfully, or where the use for which it was originally gathered no longer applies.
There are a limited set of valid grounds for refusing such a request. These include public health or archival purposes, both of which must be in the public interest (which is distinct from being merely “interesting to the public”). You can also keep personal data in defence of legal claims, in order to comply with a legal retention obligation or to perform tasks required of an official authority.
Clearly, however, in most cases you will have to comply with erasure requests, so make sure that your systems allow you to easily identify and remove individuals’ data. If you have made the data available to a third party, the onus is on you to make sure that they also comply with the erasure request – unless they can claim one of the valid defences.
6 Be careful when using algorithms
A lot of decisions – particularly online – are now automated. The GDPR requires that a decision which produces a legal effect or similar must not be based on automated processing, unless that processing is absolutely necessary and is authorised by law. The customer must also have given their explicit consent.
This obviously has implications for businesses selling products online, but those aren’t the only ones who need to take heed. All sorts of profiling activity falls under the realm of the GDPR if it’s used to analyse movements (which might apply to a mapping service or social network), performance at work (which would apply to any employer), health (which could include sports clubs), personal preferences and so on.
In short, whenever you intend to use an algorithm to analyse data relating to an individual, be aware that you can’t use that data to make decisions with legal implications – unless the individual has specifically given you permission to do so.
7 Audit your data
With less than a year to go before implementation, now is the time to audit your data-collection and processing activities, and update them if required. In particular, check whether any of the third-party providers you rely on are situated outside the European Union, as GDPR restricts the transfer of information beyond the bloc’s borders.
And remember that once the UK completes its exit from the EU, it will itself be an external nation. It’s hoped that the European Commission will agree that Britain ensures an adequate level of protection to permit EU member states to transfer personal data to British companies. If it doesn’t, however, then that’s bad news for any business that currently serves the EU mainland: the only option then may be to find a way to set up shop within the EU itself. Keeping a close eye on the legal situation between now and then is absolutely essential; again, the ICO’s dedicated GDPR pages (pcpro.link/277gdpr) are an essential bookmark.