PAUL OCKENDEN
With the deadline fast approaching, Paul tries to untangle some of the misinformation surrounding GDPR and the changes that will soon be with us.
Do you know what GDPR is? I’m pretty sure that many readers of this column will have a good idea. But I’m also sure that if I asked a hundred of you exactly what GDPR – or General Data Protection Regulation – entails, I’d end up with a hundred different responses.
Examples would include: “firms will have to ensure data is held securely”, “firms can’t automatically opt you in to receiving marketing emails, or use pre-ticked boxes on contact forms”, “there will be bigger fines for companies when data breaches happen”. All are true, but there’s more to GDPR than these headlines.
There’s plenty of scaremongering surrounding GDPR, especially by firms trying to sell you their expensive compliance “solutions”. I recently saw a claim that after GDPR all email attachments would, by law, need to be encrypted so that they couldn’t be read by someone doing a man-in-the-middle interception. Naturally, this was said by someone representing a firm selling email encryption software. It’s nonsense, of course. If I email you a photo of my cat, why on earth should I have to encrypt it?
GDPR comes from the EU and, despite Brexit, we’ll need to start abiding by the rules on 25 May 2018. The regulation is being formally adopted into UK law via the Data Protection Bill, which is much bigger than just GDPR. It will result in a new Data Protection Act, replacing the existing 1998 act, which is seen as no longer being fit for purpose.
However, the backbone of the new bill will be GDPR, so let’s look at what it is and what it isn’t. The best way to tackle this is by considering in turn each one of the six key principles that it enshrines into law.
Lawfulness, fairness and transparency
The first principle is actually split into three parts: lawfulness, fairness and transparency. Lawfulness is one of those terms that often isn’t properly defined, but in this instance it’s relatively nailed down. It means that any processing of personal data can happen only for one of six reasons: consent, contract, legal obligation, vital interest, public task or legitimate interest.
The first three don’t require explanation. Vital interest means that data processing is needed to protect someone’s life – perhaps the transfer of their medical records to a hospital following an emergency admission. Public tasks are those where the data processing is necessary for judicial purposes, or for exercising statutory, governmental or other public functions. It’s the “Powers that be” opt-out, and one that many people believe hands the authorities too many sweeping powers.
Finally, there’s legitimate interest, and this is potentially the most woolly of the six lawful basis tests. For example, it is the one that will be used by most direct marketers, because GDPR states, “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Essentially, to pass the legitimate interest test you have to think about what that interest is (your own interest, or the interest of the person whose data it is), show that your data processing is needed to achieve this interest, and, most importantly, balance all of this against the person’s interests, rights and freedoms.
Best practice when using the legitimate interest test is to include full details in any privacy notices, and also to record details of any legitimate interest assessments so you can show them if called on to demonstrate compliance. But consent will always be a better option, as we’ll see when we look at the third principle.
Fairness is again something of a woolly word, but in terms of GDPR it essentially means that you can only process someone’s data in the way you’ve told them you’ll be doing it. You can’t, for example, collect personal data for one task and then use it for something different.
That leads us on to the last part of the first principle: transparency. Lawfulness and fairness were both part of the existing Data Protection Act, but transparency is a new one. It means that you have to clearly tell the person how their data will be processed, and – crucially – why. On a website this would normally be via a privacy notice, but GDPR insists that this is done in clear and concise language – and definitely without the use of any lawyer-speak!
Purpose limitation
There’s common ground between this principle and the lawfulness and fairness test described above. In a nutshell, the purpose limitation principle specifies that personal data collected for one purpose shouldn’t be used for any new, incompatible, purpose.
There’s a caveat to that, though, since GDPR also allows for three future forms of processing of personal data. These are for archiving purposes in the public interest; for scientific and historical research purposes; or for statistical purposes. This is subject to safeguards implemented on a country-by-country basis, and is only allowed when there isn’t a risk of breaching anybody’s privacy.
However, what many people seem to miss (because it’s buried deep in the text) is that this allows countries to restrict someone’s right to access, correct, restrict and – most importantly – object when it comes to the processing of their personal data for these scientific, historical or statistical purposes. People tend to think that GDPR is always on the side of the little guy, but in this particular area, the lack of a legal opt-out flies in the face of conventional wisdom.
The best way to ensure that you’re using someone’s data properly is for them to give you their consent. This usually means having them read and agree to your policies (remember, simple and concise; no legal jargon) before they provide you with their data. You can then store the fact that the person gave their consent to have their data stored and processed. I always advise that you also store the way in which they consented (for example, online or paper form) and the date and time that it was given. As with many business regulations, being able to demonstrate that you’re doing the right thing is just as important as actually doing it.
Data minimisation
I’m sure we’ve all filled in forms where we’re asked far too many questions, many of which aren’t appropriate to our enquiry. Even before GDPR this wasn’t supposed to happen, as the existing Data Protection Act limited the data collected (and stored) by saying that it shouldn’t be excessive in relation to the purpose for which it’s being processed. GDPR tightens this up even further, by saying that you can only process data that’s necessary.
Given this, it’s important that you minimise the amount of data you collect and store – and reduce the number of compulsory fields on forms to a bare minimum. There are huge advantages to this “less is more” approach: it actually improves overall data quality! Smaller forms significantly reduce the drop-off rate, particularly for online surveys, for example. Also, data usually needs to be saved somewhere, so if you halve the number of questions you ask, you’ll also halve your storage costs!
Do bear in mind that data minimisation applies to processing, not just acquisition and storage. You shouldn’t, for example, run a report that compares the ethnic backgrounds of your customers unless there’s some genuine purpose for doing so.
There continues to be a degree of argument on whether “data fishing” exercises – running various semi-random stats analyses until a potential correlation is spotted – are a valid purpose, however. On the one hand, it goes against much of what’s at the core of this principle. But on the other, it’s often a valuable business tool.
I once had a client that was a major football sponsor in the UK. When we ran some of these data fishing stats (using Target Group Index, or TGI), we discovered that its customers were more likely to be anglers than footie supporters, so their budget wasn’t being used efficiently. And yes, the irony of a fishing expedition discovering fishing wasn’t lost on anyone!
Accuracy
Data accuracy is always good sense, so this principle shouldn’t be seen as particularly onerous. GDPR states that personal data needs to be accurate and, where necessary, kept up to date. Also, that every reasonable step is taken to ensure that any inaccurate personal data is either erased or rectified without delay.
What’s important here is that you need to be able to demonstrate that you have procedures or systems in place to amend or delete any outdated personal data. Of course, unless you’re notified, you probably won’t know whether the data you hold is accurate or not. That’s why a data retention period is important, and it’s something that we’ll cover in the fifth principle.
Although the regulation states that you should erase or rectify any inaccurate data, there is a third option: to anonymise any data that you believe to be suspect, or which is past its use-by date. That way, you can still perform top-level statistical analysis on the data (how many people drive a particular make of car), but you won’t be able to tie it down to individuals.
Do be careful, though: “make of car” or even “model of car” probably isn’t enough to identify a person; but start to include items such as mileage, year or colour, and with lesser-selling cars we might end up with a unique set of data, which could be attributed to an individual. Try to keep the anonymisation as broad-brush as possible.
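One way to check the point above before releasing an “anonymised” extract is to count how many records share each combination of the fields you keep; a combination matched by a single record is an individual. This is an added example, not code from the column; the car records are constructed and the field names are assumed.

```python
"""Added example: a simple k-anonymity style check over the attributes kept in
an anonymised extract (make, model, year, colour, mileage band)."""
from collections import Counter

# Constructed sample records: car details retained after names were removed.
RECORDS = [
    {"make": "Ford", "model": "Focus", "year": 2015, "colour": "blue", "mileage_band": "40-60k"},
    {"make": "Ford", "model": "Focus", "year": 2015, "colour": "blue", "mileage_band": "40-60k"},
    {"make": "Ford", "model": "Focus", "year": 2016, "colour": "red", "mileage_band": "20-40k"},
    {"make": "Ford", "model": "Focus", "year": 2016, "colour": "red", "mileage_band": "20-40k"},
    {"make": "Ford", "model": "Fiesta", "year": 2014, "colour": "white", "mileage_band": "60-80k"},
    {"make": "Ford", "model": "Fiesta", "year": 2014, "colour": "white", "mileage_band": "60-80k"},
    {"make": "Morgan", "model": "Plus 8", "year": 2012, "colour": "green", "mileage_band": "0-20k"},
    {"make": "Morgan", "model": "Aero", "year": 2019, "colour": "silver", "mileage_band": "0-20k"},
]


def min_group_size(records, quasi_ids):
    """Smallest number of records sharing one combination of the chosen
    attributes. A value of 1 means at least one person is uniquely identifiable."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values())


def singled_out(records, quasi_ids):
    """Attribute combinations that match exactly one record (the lesser-selling cars)."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return [combo for combo, n in counts.items() if n == 1]


def coarsen_until(records, quasi_ids, k):
    """Drop the most specific attributes (last in the list first) until every
    combination covers at least k records; returns the attributes that survive."""
    kept = list(quasi_ids)
    while kept and min_group_size(records, kept) < k:
        kept.pop()
    return kept


if __name__ == "__main__":
    fields = ["make", "model", "year", "colour", "mileage_band"]
    print("make only, smallest group:", min_group_size(RECORDS, ["make"]))
    print("all fields, unique individuals:", singled_out(RECORDS, fields))
    print("fields safe to keep for k=2:", coarsen_until(RECORDS, fields, 2))
```

With these records “make” alone is safe, but as soon as “model” is kept the two Morgan owners become individually identifiable, so the coarsening step keeps only “make”.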
Storage limitation
There’s a fair bit to think about here, and it’s ongoing rather than a one-off task. You need to consider the length of time for which you’ll need to retain personal data (and because of the fourth principle’s concern for accuracy, the time period can’t be forever). You’ll need to review all data you hold on a regular basis, and delete anything that isn’t necessary.
There’s no minimum data retention period specified in the regulation, so this will be your call. One-off data (perhaps people attending an event, or buying a train ticket) should only be held for a short period, but if there’s an ongoing customer relationship then it makes sense to hold the data for longer.
Obviously, there’s a balance to be made in e-commerce. Experience shows that “guest checkout” facilities will hugely increase the trade done by an online retailer. But if the data has to be thrown away quickly, it reduces the opportunity for further promotional activity.
The regulation requires firms to create a data retention policy that explains the types of data that will be deleted and the criteria for removal. If you have a website, you should include this policy – or a link to it – in the privacy notice.
Customer interaction is an important part of deciding when to remove personal data. Let’s imagine two online retailers, one selling coffee beans, the other selling shoes. Coffee is likely to be a regular purchase, with orders placed every month or two. But shoes – unless you have Imelda Marcos tendencies – are probably only bought once or twice a year. The coffee vendor should delete customer data if they don’t return within a couple of years, but the shoe seller would be wise to wait a little longer.
Also, remember the tip that I gave you in principle four – you don’t always have to delete data; you can often just anonymise it, allowing you to run high-level analysis.
Integrity and confidentiality
This last principle often makes the headlines when firms suffer large fines and bad publicity over sloppy data security. It requires data processors to handle data “in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
But notice the word “appropriate”. What constitutes appropriate security? It’s all down to the nature of the data. You’ll be in much deeper water if you leak things such as sexual health information or details about a person’s criminal convictions, as opposed to divulging what type of car they drive or where they do their weekly shop. While the latter pieces of information still need protecting, the word “appropriate” introduces a scale.
The size of your company and your cybersecurity budget won’t be seen as a defence here. If you’re handling very sensitive data then a one-man-band company needs to take as much care of it as a big PLC. Also, integrity and confidentiality go way beyond cybersecurity. It isn’t just about keeping the hackers out; it also covers accidental loss of data, or unauthorised use. So you need both policies and systems to ensure that only authorised staff have access to personal data, and you should also be able to demonstrate that you review these on a regular basis.
Of all of the GDPR principles this is the one that’s most worrying for many firms, as the fines for any breach are up to 20 million euros, or 4% of your turnover. Ouch!
As I mentioned at the start of the column, GDPR is a big and complex subject, and one that can easily make your head spin. But if you take these six principles that form the backbone of the regulation as a starting point, and try to understand what they’re trying to achieve, you’ll be most of the way there.
One final note of caution is to beware of training courses appearing to offer official GDPR certification. In the UK, only the Information Commissioner’s Office (ICO) can create the necessary certifying bodies, and at the time of writing, it hasn’t done so. So, none of these so-called certified qualifications have any official standing. Don’t get me wrong, there is good training out there – it just doesn’t pretend to be