There’s been a lot of noise about the forthcoming General Data Protection Regulation though not all of it accurate. John Paterson looks to weed out the fact from the fiction and offers practical tips for business owners…
The General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018. It’s designed to protect the privacy of EC citizens, ensure their personal data is not exported outside the EU and give them control of how the data is used.
Although the right to privacy from government surveillance has been included in legislation over the years, the advent of the Internet has meant large corporations are also able to conduct what is, in effect, mass surveillance. In the US there is almost no privacy legislation, it being left to the god of free markets, and outside the EC only a few countries take privacy seriously.
GDPR effectively exports the European notion of the right to privacy to any business that collects personal data on EC citizens, backed up by stiff penalties for non-compliance.
Paterson comments “Modern technology has moved on leaps and bounds since the last update to the data protection regulations, and GDPR is the EU’s way of catching up with how companies are currently collecting and storing people’s data.”
What GDPR entails for business
From 25th May 2018 no organisation, regardless of which country it is based in, will be able to send marketing emails or SMS messages to EC citizens unless they have provided explicit consent to be contacted by that organisation. This means no more pre-ticked acceptance boxes; it has to be an unticked checkbox informing you of what will happen if you do tick it. Alternatively, you’ll need a double opt-in via a confirmation email where the person clicks a link to consent.
You’ll also need to be able to record how and when consent was given, to provide proof should the regulatory body (in the UK this is the Information Commissioner’s Office) receive a complaint.
Under the regulation you have just 72 hours to report any data breaches to the supervising authority. You should then inform the data subjects of the breach “without undue delay”, the timing dependent upon the likely risk of damage to that individual.
Fines & Sanctions
The maximum fine for a breach has been stated as 20 million Euros or up to 4% of global revenues, whichever is higher. In practice, the regulatory body is not likely to do anything if just one person complains, other than maybe sending a warning letter. The penalties are there for companies that flagrantly and repeatedly abuse GDPR.
Right to Erasure
Individuals can request that the data you hold on them is erased. There are some exemptions to this but in practice for most businesses you will have to comply. You must comply without delay, and certainly within one month.
Individuals can request a copy of the data you hold on them. This applies to data they have given you and would also include stored emails from them, and their purchasing and payment history.
If you hold personal data then you have a duty of care over the safeguarding of that data. This includes restricting access to only those who need it to do their jobs and making sure that the data is held securely. You also need to be able to demonstrate compliance with GDPR.
You may only transfer personal data to countries within the EC, or those where the Commission has determined that the country has adequate levels of data protection. That list currently comprises Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Uruguay and New Zealand. Note that the list does not include the USA.
Defining Personal Data
Personal data is defined as any data which would allow a living individual to be identified. It specifically includes cookies and IP addresses, as well as the obvious name, address, email address, and landline and mobile/cell phone numbers.
One of the biggest areas of interest for business will be whether US organisations seek to become GDPR compliant. With virtually no data privacy laws currently in place, the US takes a very different viewpoint to the EU. The US is not currently on the list of approved countries and, in the current political climate, it is unlikely to be able to make the changes needed to comply, especially when the current US-EU Privacy Shield is highly likely to follow the fate of its predecessor, Safe Harbour, and be ruled invalid. It looks likely that if a US company uses European-based data centres that will be sufficient to comply, although US courts are currently seeking to force US companies to hand over locally stored data.
GDPR draws no distinction between B2B and B2C communications. Another piece of legislation, the new e-Privacy Regulation will replace the existing e-Privacy Directive and is designed to offer clarity for electronic communications, i.e. emails and SMS messages. As GDPR is a Regulation, not a Directive, it will automatically become law across the EC on 25th May 2018.
However, each member state will have to enact the legislation to enable e-Privacy. This gives each country some latitude as to the exact wording and could draw a distinction between B2B and B2C. “Until each country has passed the legislation we won’t know how B2B communications will be treated, if it is distinguished at all,” says Paterson. “Therefore, our conclusion is that if and until e-Privacy legislation draws a distinction between B2B and B2C, there are no exemptions for B2B communications.”
Our GDPR Checklist
1. Appoint a Data Processing Officer who should quickly get up to speed with the legislation
2. Make a list of all your systems that hold personal data: your CRM, accounting, HR system, contact databases in email clients like Outlook, all those spreadsheets scattered around people’s laptops with contact data in them
3. Make a list of all your Data Processors, the external systems you use that hold personal data. Make sure they only hold data in the EC and are, or will be, GDPR compliant. If you are in a regulated industry, get a certificate or contract warranting compliance
4. Start capturing consents from new enquiries now
5. Work out how you are going to get consents from contacts in your existing database between now and 25th May 2018
6. Draft a procedure for managing breach notifications, for both the regulatory body and the contacts themselves. If a breach happens you won’t have time to consider the best way to do this, so have it mapped out in advance
7. Review and update the privacy notices and terms and conditions on your web site