If you are a business owner or marketer, then I would be surprised if you haven't heard about the changes to the data protection laws coming on 25 May 2018.
The current rules will be replaced by the General Data Protection Regulation (GDPR), and depending on the type of business you run it could have quite an impact. But if you already have a good data protection policy in place, then the transition to GDPR should hopefully be fairly painless.
One of the biggest problems I've found is trying to find useful, clear and concise information. There has been lots of publicity about big fines and beating us with a stick, but little on what you actually need to do. So I've pulled this information together and summarised it directly from the official ICO website; it is correct as of December 2017.
At the bottom are links to ICO resources so you can learn more if needed.
Accountability
Document what personal data you hold, where it came from and who you share it with. If you have inaccurate personal data and have shared this with another organisation, then you will need to tell the other organisation so it can correct its own records.
Communicating privacy information
Under the GDPR, the first principle is that personal data must be processed lawfully, fairly and transparently. You should already have a privacy policy that explains what you do with people's data, but the GDPR adds further requirements.
Analyse why you are collecting data and what impact it could have on the people concerned, and explain this in your privacy policy:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Any information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language, particularly if addressed to a child
- free of charge
Privacy information needs to be communicated at the point of collection as well as in a privacy policy. For example:
- Where you need consent from an individual in order to process their information, you need to explain what you are asking them to agree to and why.
- Individuals need a genuine choice not to give their details.
- Individuals also need to be able to withdraw consent as easily as they gave it and to have their data removed, and you need to confirm to them that this has been done.
- Allow individuals to see, on request, any information you hold about them.
Consent
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity.
In real terms, this may mean telling a potential customer that you cannot complete their transaction without holding the data needed to fulfil it (note, though, that where the data is genuinely needed to perform the contract, the contract itself, rather than consent, is your lawful basis; consent that is made a precondition of a service is not freely given). It also means having an unsubscribe/remove me button on communications or your website that gives a visual confirmation once the information has been completely removed.
Other things to watch are email newsletter lists and communications. If communications are essential to the functionality of your product or service, e.g. a password reset, then be transparent and explain this. But consent will be required before any marketing or promotional activities.
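To make the consent rules above concrete, here is a small consent register in Python. It is an added example, not code from the original post or from the ICO; the names ConsentRegister, ConsentRecord and SERVICE_MESSAGES and the sample data are my own assumptions. It records an affirmative opt-in together with the version of the privacy notice the person saw (so you can demonstrate consent later), refuses to treat a pre-ticked box as consent, lets the person withdraw in one step and returns the confirmation to show them, and only lets a message go out if it is a service message (the password-reset case) or there is live consent for that specific purpose.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Message kinds the service must be able to send regardless of marketing
# consent (the password-reset case above). Assumed set for this example.
SERVICE_MESSAGES = {"password_reset", "order_confirmation"}


@dataclass
class ConsentRecord:
    """The minimum you should keep to be able to demonstrate consent later."""
    subject_id: str
    purpose: str                    # one specific purpose, e.g. "newsletter"
    notice_version: str             # which privacy notice wording they saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """In-memory consent log (hypothetical name; a real one would persist)."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       opted_in: bool, prefilled: bool = False,
                       now: Optional[datetime] = None) -> bool:
        """Record the outcome of a consent request.

        Returns True when an affirmative opt-in was recorded and False when the
        person declined (declining must stay a valid choice). A pre-ticked box
        is rejected outright: consent cannot be inferred from it.
        """
        if prefilled:
            raise ValueError("consent cannot be inferred from a pre-ticked box")
        if not opted_in:
            return False
        self._records[(subject_id, purpose)] = ConsentRecord(
            subject_id, purpose, notice_version,
            granted_at=now or datetime.now(timezone.utc))
        return True

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.withdrawn_at is None

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> dict:
        """Withdraw in one step (as easy as giving consent) and return the
        confirmation the person should be shown."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return {"subject_id": subject_id, "purpose": purpose,
                    "status": "no active consent"}
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return {"subject_id": subject_id, "purpose": purpose,
                "status": "withdrawn",
                "withdrawn_at": rec.withdrawn_at.isoformat()}

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """What you would produce to show the ICO, or the person, that consent
        was (or is no longer) held: who, for what, under which notice, when."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return None
        return {
            "subject_id": rec.subject_id,
            "purpose": rec.purpose,
            "notice_version": rec.notice_version,
            "granted_at": rec.granted_at.isoformat(),
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
        }

    def may_send(self, subject_id: str, message_kind: str) -> bool:
        """Service messages always go out; anything else needs live consent
        for that exact purpose."""
        if message_kind in SERVICE_MESSAGES:
            return True
        return self.has_consent(subject_id, message_kind)


if __name__ == "__main__":
    reg = ConsentRegister()
    # Constructed sample: a visitor who leaves the (unticked) newsletter box alone.
    reg.record_consent("alice", "newsletter", "privacy-2017-12", opted_in=False)
    print("reset mail ok:", reg.may_send("alice", "password_reset"))   # True
    print("newsletter ok:", reg.may_send("alice", "newsletter"))       # False
    reg.record_consent("alice", "newsletter", "privacy-2017-12", opted_in=True)
    print("after opt-in:", reg.may_send("alice", "newsletter"))        # True
    print("unsubscribe:", reg.withdraw("alice", "newsletter"))
    print("after withdrawal:", reg.may_send("alice", "newsletter"))    # False
```

In a real system the register would be persisted, the unsubscribe link would call withdraw and display the returned confirmation, and the evidence record is also what you would hand over when someone asks what you hold about them.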
Children
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
Data Breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals (if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage). Where you do have to notify, you must do so without undue delay and, where feasible, within 72 hours of becoming aware of the breach. You must also keep a record of every personal data breach, whether or not you have to notify the ICO.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.
Data Protection by Design
The GDPR makes privacy by design an express legal requirement, under the term 'data protection by design and by default'. In other words, you need to look at how you collect and store data from the outset: for example, put an unticked consent checkbox and a link to your privacy policy next to the submit button rather than after it, and by default collect only the fields you actually need. If you are storing personal data, restrict access to those who need it and ensure that it is encrypted, both where it is stored and when it is sent over the network.
Data Protection Impact Assessments (DPIA)
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
- where a new technology is being deployed
- where a profiling operation is likely to significantly affect individuals
- where there is processing on a large scale of the special categories of data.
Personally, I don't think this is a cause for concern for any smaller businesses.
Data Protection Officers
Regardless of the requirements, you should designate someone to take responsibility for data protection compliance.
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity)
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking)
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
The GDPR does not specify the precise credentials a data protection officer is expected to have.
It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
Reading that, I personally would say most smaller businesses wouldn't need to officially appoint a DPO, but it would certainly pay to be fully aware of data protection compliance, and it makes sense to assign that responsibility to someone, if not yourself.
Summary
GDPR is happening: it applies from 25 May 2018. But if you already have pretty decent data protection policies in place, then it shouldn't be too much of a cause for concern. The impact will be felt most by larger companies and those that deal in large volumes of data.
But there are significant changes, and most of us deal with personal data at some level, so pay attention, don't ignore it and see what applies to you.
Unfortunately a lot of the information is confusing, and the ICO themselves still haven't finished writing their documentation. But over the coming months hopefully we will get much clearer step-by-step guides, particularly for smaller businesses.
Let me know what you think, any questions, anything I've misinterpreted?
Sources:
Guide to the General Data Protection Regulation (GDPR) - ICO
Preparing for GDPR - ICO (PDF)
Privacy notices, transparency and control - ICO