The General Data Protection Regulation is coming. On May 25th 2018, countries across the EU will begin enforcing this massive rule change. How we conduct business will never be the same again when they do - are you prepared?
When we think of the EU and the UK, most of us now jump straight to Brexit. We do so with good reason – uncertainty, anyone? – but there is something far more pressing on the horizon that businesses need to consider: the General Data Protection Regulation, or GDPR.
Frankly, the GDPR will affect almost every business in the country, and the standards it will introduce will continue to affect businesses long after Brexit. But despite this, Experian recently found that a staggering 48% of UK businesses weren’t ready for the GDPR, and the Institute of Directors found a third of its members hadn’t even heard of the GDPR – this despite the fact the new regulation was passed in 2016.
Now, it may sound like a bore, but it’s crucial that you know all about the GDPR and that you take the appropriate steps to ensure your business is ready for when it becomes enforceable. Particular areas you’ll need to focus on are how your business approaches customer marketing and storing customer details, as the GDPR will transform how we do this forevermore. If you don’t take action, you could be fined up to 4% of your turnover – so don’t ignore it!
But what is the GDPR? When does it come into force? And, most importantly, how do you prepare for it?
GDPR – The Why
Data protection isn’t new to EU law – in fact, any organisation based in the EU that collects personal data has had to abide by the Data Protection Directive since 1995. This directive laid the groundwork for data protection across the EU, and pertains to anyone who collects data such as names, email addresses, birthdays – if it’s personal, it would be protected by the DPD. While some countries may have implemented more robust legislation, the minimum all EU member states have needed to enforce were the principles of the DPD. The UK, for instance, enshrined the DPD in UK law via the Data Protection Act 1998.
So, what were the principles and rights outlined in the 1995 DPD?
- Notice: All subjects must be notified when data is collected
- Informed: The subject must be told how their data will be processed
- Secure: All data must be kept safe and secure from abuse, theft or loss
- Confidential: Personal data should not be disclosed or shared without consent
- Access: Subjects should be able to access their data and correct inaccuracies
- Purposeful: Any collected data can only be used for a stated purpose(s)
- Accountable: Data collectors are accountable to their subjects against these principles
In the past, these principles were plenty. But as our technology has evolved and our world has become ever more data-driven, we need something more robust. We need the GDPR.
What the GDPR does is it takes the principles of the earlier legislation and vastly expands upon it. And the big changes come in the way data security and breaches are handled, and how consent is obtained. GDPR will be enforced from 25th May 2018 onwards, so you’ll need to know the ins and outs and be well prepared long before then.
Before continuing, it is worth clarifying a couple of key terms, as I’ll be referring to data controllers and data processors and it helps to get these straight. A ‘data controller’ is anyone who collects data, but what they do with this data can vary. The regulations state that a ‘data controller’ determines how data is to be processed. A ‘data processor’ on the other hand processes the data on behalf of the controller. An individual whose data is collected is known as the ‘data subject’. Bear this in mind!
Breaking the GDPR Down
The GDPR will expand the rights of individuals and how much control they exert over their personal data to an extent never seen before. That’s because the GDPR puts great emphasis on the fact personal data is the property of the individual. The rights they hold, therefore, include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making, like profiling
These rights demand a series of changes to key areas of data protection protocol. Let’s look at the changes the GDPR will bring in greater depth. There are some overarching themes that make it easier to get your head around it.
Consent must now be unambiguous. EU citizens will need to opt in, their consent cannot be assumed; they must give full consent for their data to be used and can withdraw their consent at any time
The big one is consent. From here on in, how businesses, governments and other bodies use a person’s data must be approved by the person in advance. Therefore, most data controllers and processors out there will need to review their data collection and consent forms, as well as their privacy notices.
The key difference is that participants must opt-in to having their data used. But for someone to agree and allow an organisation to use their data, they must understand exactly what it is being used for and why. This information must be prominent and clear.
Likewise, it is now unambiguously stated that a lack of consent does not mean consent. You must always obtain permission to use an individual’s personal data. A popular consent-seeking method in the past was the pre-ticked box, but under GDPR this won’t cut it – individuals must opt-in and tick the box themselves.
Here’s a more concrete example of consent under GDPR: if Netflix wanted to collect data on my viewing preferences, it would need to tell me, in clear terms I could easily find and understand, why it wanted to do so. It would need to inform me about where it would store that information, and give me the option to withdraw my consent and have my data erased. Failure to do so would mean it was breaching the GDPR if it continued to collect data on me.
But my rights as an individual would go further wherever sensitive data is concerned. A great example here comes from 23andme.com – this service profiles a user’s DNA and ancestry. So if I wanted to find out more about my ancestry, I would have to give 23andme.com a sample of DNA so they could collect and analyse a specific genetic marker. As 23andme.com is collecting and processing my sensitive data, they would need my explicit consent to do so. I would need to know and approve of how they would use and store my data – in this case, my DNA.
Furthermore, if 23andme.com wanted to change how they use my data, such as to use it for a new study, it would need to ask me again for my consent. They would also need to tell me, upon request, how they use my data – this is known as the “Subject Access Request” process. Like with my Netflix example above, failure on any of these parts would mean 23andme.com was non-compliant with the GDPR, meaning it could face huge reputational damage and monetary fines.
In coming weeks, we’ll be looking further into consent – with a particular focus on consent forms and UX – and how to manage personal data in a GDPR compliant manner, so watch this space!
GDPR’s jurisdiction will extend globally, protecting the personal data and rights of EU citizens regardless of where an organisation is based
Another major change is how far the jurisdiction of the GDPR extends. Whereas before the data protection rights of an EU citizen extended only as far as the EU, once GDPR is enforced their rights will be upheld globally.
Any company that processes the personal data of an individual residing in the EU will now have to comply with the EU’s data protection rules. This is true even if the company is based in San Francisco, Hong Kong or even Buenos Aires. If the personal data of an EU citizen is involved, the GDPR will be enforceable.
This change resolves the ambiguous nature of the previous DPD. It limited the applicability of EU data protection laws in some cases, such as if a company was based in the EU, but data was processed outside of the Union. Now, no matter where the data is processed, if it is the personal data of an EU citizen and collected within the EU then the GDPR will apply.
DETERRENCE & PENALTIES
Fines of up to 4% of turnover or €20 million for non-compliance – whichever is greater
One of the biggest headline-grabbing changes under GDPR is how non-compliance will be deterred: substantial fines.
Companies who breach the GDPR can face fines of up to either 4% of their turnover – the key thing here is that it isn’t a company’s declared profit, which can be low, it’s total turnover – or €20 million, whichever amount is greater.
But not all infractions will warrant the maximum fines. Instead, the GDPR will introduce a tiered approach to penalties. For instance, violating GDPR guidelines could warrant a 2% fine on turnover if a company didn’t have their records in order or if it failed to notify the relevant people of a data breach.
Fines aside, perhaps the greatest damage to a non-compliant company will be through reputational damage. The GDPR is about trust and protecting privacy. Therefore, if you’re not complying your organisation appears untrustworthy, and it could be a long time until your reputation recovers.
PRIVACY BY DESIGN
Systems must feature privacy by design from the outset, not as an afterthought
All future systems created by organisations must be built with the inclusion of data protection best practice from the very beginning. The concept of privacy by design has been around a while now, but the GDPR will make its inclusion a legal requirement.
What that means for you, as the data controller, is that you will have to ‘implement appropriate technical and organisational measures […] in an effective way’ to adhere to the GDPR and the rights of EU citizens. Such measures could include data minimisation, a method that sees you collect and use only as much personal data as you need to complete a task – data you have obtained with full consent, of course.
Preparation - What You Can Do Now
As I said above, the GDPR will be enforced from the 25th May 2018 onwards. From that point on, your company will be liable if it uses or holds the personal data of customers inadequately. It therefore pays to get your preparation in now.
In a word, the biggest thing you need to do is review your services and practices. Likewise, you will need to explore how your systems, websites and apps cater for the GDPR’s requirements. You’ll need to review a variety of aspects in your business, making assessments about not only where your data protection policies are strongest and where they need to be improved, but also on how you can empower your user with better control of their data.
At Cyber-Duck, we believe that this is a great opportunity to create ever better user experiences. That’s because organisations that harness GDPR promptly will have a huge advantage over their competitors, offering cutting-edge experiences to their users that go above and beyond the call of duty when it comes to service quality.
THE SIX KEY GDPR PRINCIPLES TO ENSURE ACCOUNTABILITY
To help you prepare, settling on and adhering to a basic set of principles to focus on will prove a lifesaver. Fortunately, we’ve gone ahead and put together exactly that for you. Raise internal awareness about GDPR using the infographic below as your touchbase.
Based on the above, you can achieve some quick wins right now by:
- Completing a comprehensive information audit to assess what data you hold, where it came from and how you use it
- Ensuring your privacy notices are clear, concise and easy to understand
- Assessing whether your company protects the rights individuals have, including whether they can delete their personal data and how you handle their access requests
- Verifying and documenting your legal basis for processing personal data
- Comprehensively reviewing how you seek, obtain and record consent and note whether you need to make it more intelligible, transparent and easy to withdraw
- Introducing appropriate age verification systems if not present, as consent for children under 16 must be gained from a parent or guardian
- Reviewing your data breach procedures, ensuring you can detect, report and investigate a personal data breach quickly
- Familiarising yourself with the ICO’s Privacy Impact Assessments and figuring out how you will implement a privacy by design best practice
- Assigning a Data Protection Officer, or an individual who can take responsibility for data protection compliance
There’s a lot to do, especially if you want to make a smooth transition for your customers and their user experiences. But the key thing to understand is that it is doable – you just need to get cracking.
Cyber-Duck, the GDPR & You
At Cyber-Duck, we’re working tirelessly to ensure that we’re compliant with the latest data protection legislation, but our work doesn’t stop there. Once our policies and work practices are updated, we'll be able to pass that essential and beneficial knowledge onto our clients, too.
If you’re unsure about the new regulations and which areas of your business might be affected, we’re here to help. Be sure to contact a member of our friendly team today.