GDPR, which stands for General Data Protection Regulation, is something most businesses will be aware of by now. And the clock is ticking, in terms of compliance.
The new regulation has been developed by the European parliament and comes into force on 25 May 2018. It affects any business that is operating in the EU, whether the company is physically located there or otherwise.
Why is GDPR being introduced?
GDPR is designed to increase and protect the rights of EU citizens by setting out strict rules around the use of ‘personal data’ – from how it is collected, to how it is processed and how long it is held.
The regulation has been created, in part, due to the many digital advances that have been made in recent years, particularly when it comes to the web, apps and social media. These types of developments simply didn’t exist before and are evolving at such a rate that current data protection laws are inadequate to deal with them. GDPR aims to catch up the regulation with the technology.
It builds on existing data protection rules, but is far stricter and more detailed, including in how it defines personal data. Responsibility is placed firmly on the company, when it comes to proving that its actions are compliant. There are also strict timeframes within which firms must act, such as when an individual requests their personal data is erased.
The potential penalties for non-compliance are severe. Firms who break the rules could be hit with a maximum fine of up to £20,000,000, or 4% of worldwide annual turnover, depending on which is higher.
What is classed as personal data?
At the heart of GDPR is personal data and what is classified as such goes far beyond that of previous data protection laws. In the eyes of GDPR, personal data is anything that can directly or indirectly identify an individual.
This includes name, email address, bank details and photos. It also covers work email addresses, if they can be used to identify a specific person (so generic addresses such as info@ will be exempt, whereas Tom.Smith@ would be classed as personal data).
If an individual can potentially be identified by a pseudonym, username or other unique handle, then this data will also now be protected under GDPR.
What are your responsibilities under GDPR?
If you are already complying with the Data Protection Act, then you’ll be well on your way towards compliance with GDPR. There are, however, some key differences.
When holding personal information, you must ensure:
- You have a lawful basis for processing the data
- Data is processed for a specific, explicit and legitimate purpose
- All information held is relevant for the specified purpose
- All data is accurate and up-to-date
- You do not keep data for any longer than necessary
- Data is processed lawfully, fairly and in a transparent manner
- Information is handled and processed in a way that maintains security
- Consent has been obtained for any new and existing data that you hold or process
To help you ensure your business is compliant, we’ve broken the process down into 12 easy steps. You can download your free checklist here:
The last point about existing data is an important one.
GDPR rules apply to any data you already hold. If it was obtained in a way that complies with GDPR, then great! You’re good to go. If it wasn’t gathered and recorded in a manner that complies, then you’ll need to act, or delete it.
For example, if you have an existing list of people signed up to your company newsletter. If you obtained explicit consent and have evidence of it, then your list is likely to be compliant.
If you haven’t got a record of consent being given, or if you used an automatic opt-in button or similar, then you will need to gain consent again. Make sure you do so in a way that fully meets the new requirements, otherwise it won’t be lawful for you to use it.
Legally acceptable reasons for processing personal data
GDPR specifies six legally acceptable reasons for which personal data may be processed. They are:
1. Consent for a specific purpose
For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box etc) and positively opt-in for their data to be held and used. It must be given for a specific reason, with separate consent sought for separate actions. If services are being offered to children, then parental consent will be a requirement.
2. Contractual necessity
You can lawfully process data if you have a contract with the individual and you need to process their personal data in order to comply with your contractual obligations. This option also covers applies if you don’t yet have a contract, but have been asked to do something that requires you to process their personal data, such as producing a quote.
3. Controller’s legitimate interest
4. Controller bound by legal obligation
You can also process personal data if you are required to do so to comply with a common law or statutory obligation. This doesn’t, however, apply to contractual obligations. If you can reasonably comply with a law without processing personal data, then this basis won’t apply.
5. To protect vital interests
This only applies to organisations who are required to process data to protect someone’s life. For example, if providing emergency medical care. Even in these cases, if the individual can provide consent, then it must be sought.
6. Public interest or official duty
This lawful basis allows you to process personal data on individuals if the task is in the public interest, or if you are required to perform a function that has a clear basis in law.
Under GDPR, individuals have much stronger rights and greater control over their personal data and how it’s used.
Individuals need to agree to their information being gathered and to exactly what it will be used for. Records must be kept of this consent, to prove it has been gained lawfully.
They can then request that any data you hold be amended, updated or erased at any point. They can object to the gathering or processing of their data, and withdraw their given consent at any point. You’ll have just 30 days to comply with any such request.
Who is the ICO?
The Information Commissioner’s Office (ICO) is the body responsible for overseeing GDPR in the UK. If an individual is unhappy and feels their personal information has been mishandled in any way, then this is where they can turn to for help.
In the event of a complaint, the emphasis will be on you to prove you have acted in a legal way and are compliant with GDPR rules. The importance of accurate record keeping is therefore vital.
For more information see the ICO ‘Guide to the General Data Protection Regulation (GDPR)’
Complying with GDPR
So, where should you start?
The key thing is to understand the current situation and what data you are holding, then to implement any system changes that may be required.
It’s important that everyone within the business knows about GDPR and what compliance entails. It’s also advisable to give someone within the organisation responsibility for overseeing your GDPR compliance. This is a legal necessity if you have over 250 employees, but is good practice for any business.
We have also pulled together a handy infographic specifically for marketing teams that contains the key information they need to know about:
Plus, take a look at:
- GDPR compliance in B2B marketing: Let us help you through those hard decisions
- What does GDPR mean for B2B marketing?
- How Lead Forensics complies with GDPR
DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own, it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further informationwww.ico.org.uk