The GDPR has been called a lot of things…and it hasn’t even taken effect yet. It’s been described as a revolution, a paradigm change and a ticking time bomb (and probably a lot more I can’t print). I’m not sure if any of them quite hit the mark, but one thing is for certain: it’s set to shake things up.
It (necessarily) replaces a directive passed in 1995, a piece of legislation that came into effect before the commercial World Wide Web, email, Google, and pretty much any kind of digital management of personal data as we know it today.
It takes effect on 25 May 2018 and is the most extensive revision of European privacy and data protection legislation ever. The GDPR isn’t limited to the EU either. In fact, its legal reach isn’t defined by geography at all; it simply looks at how the personal data of European residents is used.
That means it applies to any business or organisation, regardless of size, located anywhere in the world, that:
- Offers goods or services to EU residents or
- Tracks and monitors the behaviour of consumers in the EU
That’s big, because any business that falls into either category will have to review every process that touches personal data, redesign it to ensure it complies with the new protection laws, or scrap it. There’s no half measure.
Will the UK government’s decision to leave the EU affect how the GDPR applies to companies in Britain?
No. The GDPR will be introduced as scheduled in May 2018 and the UK government remains supportive of the new level of protection it will create around personal data.
Who does it apply to?
It takes in controllers and processors. The definitions are broadly similar to those in the Data Protection Act, i.e. the controller decides how and why personal data is processed and the processor acts on the controller’s behalf.
As a rule, if you’re currently subject to the DPA, it’s almost certain you’ll be subject to the GDPR.
For processors, this is new ground as the GDPR will place specific legal obligations on them. For example, they’ll be required to maintain records of personal data and processing activities, and will have significantly more legal liability if they’re responsible for a breach.
What if businesses don’t comply?
That’s really the point. It is not up for discussion or interpretation and failure to meet the requirements will mean business-crushing fines of up to €20m or 4% of the company’s global turnover, whichever is greater. To a large international organisation, that’s hundreds of millions, or even billions. To a small one, that’s the end of days.
As it stands, it appears there is no cheat sheet. The effort required to meet the new demands can be huge, and the penalties lined up for any business that tries to shirk its responsibilities are even bigger.
2017 is an important time for GDPR preparation, because the impact goes beyond the company itself, reaching vendors and service partners.
What are the key requirements of GDPR?
The new requirements are deep and delve into every aspect of data collection and its use, but it’s worth highlighting some of the most important provisions, such as:
What’s classed as personal data?
The GDPR defines personal data as anything that can be used to identify someone, either directly or when combined with other information. That includes identifiers generated by digital devices and applications, such as IP addresses, browser cookies and device IDs.
Consent to use data
Most companies rely on consent as the legal basis for collecting and processing personal data, but the GDPR takes it a step further.
It states that consent must be ‘freely given, specific, informed and unambiguous’. That means explaining the precise purpose(s) of the data collection and giving the individual the choice of opting in or out of specific purposes.
‘Unambiguous’ means consent can’t be inferred or assumed and the much-loved ‘pre-checked box’ is a total no-no.
Providers of online services can only ask for personal data that is required to deliver the service. And last, but by no means least, all requests must be ‘concise, transparent and intelligible’, so there is no more hiding behind mind-boggling terms and conditions or reams of legal wording that no one can be bothered to read.
This one has piqued the interest of marketers, mostly because Recital 47 states: ‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
This has been interpreted by many to mean that digital marketing practices will be exempt, but it won’t be quite so black and white, as businesses are required to balance their legitimate interests against the ‘fundamental rights and freedoms of consumers’.
Direct marketing is likely to be exempt only where the consumer is already a customer and has a ‘reasonable expectation of processing data’.
To put that into perspective, I can buy new runners online and have them delivered using my name and address. Afterwards, the company can send me offers based on my purchase, but it can’t use other data from my phone or laptop to geo-target me, for example, or push offers that use my IP address to run targeted marketing for any other reason.
Partners and service providers
The 1995 directive applied to data controllers only, meaning those who determine the purpose for which data is used, but the new regulation extends responsibility for compliance to data processors. That takes in any business that carries out processing on behalf of the controller.
For example, an employee benefits provider or payroll company is a processor, while the client (the employer), is the controller of the employee data.
As the use of cloud-based services grows, businesses look set to work with an increasing number of data processors, all of which must be carefully selected, monitored and governed to ensure end-to-end compliance with the GDPR.
Erasure and data portability
The new legislation states that consumers should have control of their own personal data, even data that’s deemed to be ‘on loan’ to a business for processing. That means an individual can contact a business at any time and request that their data be:
- Amended, if it has errors
- Erased entirely (and that really does mean everything) or
- Transferred to another business in an easily machine-readable format (even if the other company happens to be a competitor)
There are few exceptions to this, and all requests must be carried out within a reasonable amount of time.
This is the most fundamental obligation the GDPR lays at the feet of businesses. It says very clearly that it’s not enough for a business to follow the regulation to the letter of the law; it must be able to demonstrate that its policies, processes and even its behaviour ‘embrace and embody the core principles around privacy and personal data protection as advocated by the GDPR’.
A Chief Information Officer (CIO) will be a necessary requirement within any business aiming to comply with the regulations, so if you don’t have one, or don’t have the budget to hire one, it is definitely worth considering a virtual CIO.
It asks businesses to look at data protection from a design and default perspective, so that business systems and processes are designed to comply with the regulations and their default settings minimise any exposure.
So, what does that mean in everyday terms?
In practice, it means businesses must be able to show that every technical or business process that touches personal data demonstrates cyber security and has been designed to:
- Use as little data as possible
- Keep it for the shortest length of time
- Expose it to the fewest people and
- Delete it as quickly as possible once the relevant processing is complete
That’s a massive change to how most businesses have been trained to think about using data up to this point, and questions loom large for businesses that rely on rich data for targeted marketing.
It’s early days, but change is coming down the tracks and the businesses that will fare best will be those taking time to understand what this new reality means and to prepare accordingly.
If this article reads like a horror story to you, fear not, because help is at hand. Get in touch with us and find out how an IT Consultancy such as pebble.it can help you prepare your business and its IT systems to meet regulatory compliance.
Discover what you need to do to start on the journey towards GDPR compliance and how certified experts can provide the support you need to meet legislation standards by downloading our free GDPR-readiness checklist: