By now you have probably heard lots of mentions of the upcoming GDPR legislation, but do you know what it will mean for your organisation? The fact of the matter is that, whether you are a multinational, an SME, a marketing department or an agency, you will need to not only put in place adequate measures that show you are compliant with data protection and data privacy, and data processing requirements such as consent and legitimate interest, but also document how you are compliant in these areas.
If you are currently compliant with data protection laws, then you have a starting point, but don’t pat yourself on the back just yet. You will need to look at these laws and make revisions where required. If, however, you are not compliant with current laws, or don’t even know what legislation you need to follow, now and by the GDPR deadline of May 2018, then you need to start learning, because the regulators will be looking to set some examples from the start.
The fine for non-compliance with GDPR is set at 4% of turnover or €20 million: which of these can you afford to pay?
It all boils down to accountability and transparency. Being compliant in the following areas will require you to review your approach to data governance and how you manage data protection as a corporate entity.
1. Awareness
Make sure that the key people in your company know that GDPR is coming. They need to start looking at this now - don’t wait until the last minute. Implementing GDPR compliance will take resources, so start planning. Identify which areas within your organisation may cause you problems, look at the legislation, and assess what you may need to do to meet these new rules.
2. Information that you have on your system
You need to document the personal data you hold. Where did you get it? Did you share it with others? If so, with whom? You will need to conduct a data audit across your company to identify all of the personal data you hold, and document it. This will help you meet the GDPR accountability principle. The regulation requires you to keep records of what you do with that information, including your processing activities. So if you have entered wrong information about a contact or individual and then shared it, it is your responsibility to pass the corrected information to whomever you shared it with, so they can correct it too. Build your policies and outline the procedures you will put in place to handle such incidents.
3. Privacy Notices
GDPR enshrines the following rights for people when it comes to their personal data:
- To be informed
- To access
- To erasure
- To rectification
- To restrict processing
- To data portability
- To not be subject to automated decision-making
- To not be used in profiling
These rights are much the same as under the current DPA, with some important and significant changes.
5. Access requests
Make sure you have procedures in place to comply with the GDPR rules if someone makes a data request. These requests will usually have to be free of charge, and must be handled in what the regulation describes as ‘a timely manner’. This will be one month.
Sure, you can charge for the data request, or even refuse it if the request is "over the top". But you have to provide adequate reasons why, and inform the individual that they can complain to the proper authorities. If you receive a lot of such requests, look at making the information more easily available online (though obviously secure too).
6. The lawful basis for processing personal data
This is much the same as the prevailing conditions within the DPA, but with GDPR there is a little more to it. GDPR gives people stronger rights to have their personal information deleted, for example, so if you are using consent or legitimate interest as your lawful basis, and you receive requests to have data erased, you will need to revisit your lawful basis for processing.
OK, we all know that this is a complicated issue, so rather than going into full details here, let’s just start with the following.
Review your procedures on how you manage, record and seek consent, and make any required changes to meet GDPR compliance. People generally have more rights when you rely on consent to process their data.
However, consent must be freely given, and clear. It cannot be inferred by silence, inactivity or the old pre-ticked box. It must be a standalone request and there must be a simple procedure for a person to withdraw consent.
Legitimate interest and consent are really the two big topics when it comes to GDPR and our line of business - digital marketing - so we will be returning to these thorny issues in the next few weeks.
8. Children
GDPR has for the first time brought in legislation regarding children’s data, particularly in relation to commercial online services. If you offer an online service for children and it relies on consent, then you may have to get a parent or guardian's consent. GDPR sets the age at 16 but some countries will bring that down.
If you don’t have procedures in place that prevent the processing of children’s data where a guardian has not given consent, then you really need to get them in place before May.
You need to be able to detect, investigate and report a personal data breach. This has already been in place for some companies and organisations. GDPR makes it compulsory to report certain types of data breach to the relevant authorities and, in some cases, to the individuals affected. If the breach is likely to result in a risk to an individual's rights and freedoms, you must report it. That includes risks such as:
- financial loss
- significant economic or social disadvantage
Get your procedures in place and check that you can detect, investigate and report on data breaches. If you can’t, and you have a breach, you will get fined - and that is on top of the fines you will receive for not meeting GDPR compliance.
10. Data Protection by Design and Data Protection Impact Assessments
Of course, preventing data breaches from happening in the first place is better than having a process that enables you to report them, and that is where this topic comes in. We have always recommended that our clients adopt a privacy by design process and carry out a privacy impact assessment (PIA) as an important part of that. But guess what? GDPR makes this an express legal requirement, citing ‘data protection by design and by default’. This requires carrying out Data protection impact assessments (DPIAs) in certain circumstances.
Look at the areas where you feel you will need to carry out a DPIA. Who will you get to do it? Who needs to be involved? Again, this is a body of work in itself, so get started before May.
11. Data Protection Officer
We recommend that, regardless of the size of your company or agency, you should have a data protection officer in place. While you may not be required to under the GDPR, it’s best to have someone in that role. Their role should be to take responsibility for your GDPR compliance, and they should sit within your company at a senior level. Don’t give someone the title if they don’t have access to senior management, so no, handing it over to the new guy so that nobody else has to deal with it is not an option.
If you decide not to appoint a data protection officer, please check that you are not in breach of GDPR, as some organisations and industries are required to have a DPO by law. You will find guidance from the Article 29 Working Party on the position, tasks and designation of DPOs.
12. International
If your company operates in more than one EU country, you need to determine who your lead data protection supervisory authority is, and document it. This is the authority in the state where your head office is. Your head office is where your central administration within the EU is, or where decisions regarding the purposes and means of data processing are taken and implemented.
As mentioned, there will be much, much more to come from us on GDPR, what you need to do to comply across several different areas, and how it all applies to the digital marketing industry, but this serves as a taster to get you started.
If you are interested in learning more about GDPR and the steps you need to take to be compliant, enquire about our GDPR survey, which will help you assess how much you need to do to meet regulatory requirements. Send an email to firstname.lastname@example.org and I will send it out to you, giving you a clear idea of where your organisation currently stands.