You will no doubt be aware of the GDPR, or General Data Protection Regulation, which comes into force on 25 May 2018. This article briefly explains what your business and your marketing team need to do before and after that date to become compliant.
What you need to remember about the GDPR
The GDPR is an EU regulation but will continue to be applicable to UK based businesses after Brexit due to the UK’s incoming Data Protection Act 2018. The GDPR will restrict how businesses can handle personal data; that is data that can be used to identify individuals. It does not restrict business-to-business data handling.
The GDPR uses some specific terminology. Data processing refers to almost any handling of personal data. A data processor carries out the processing. A data controller determines how personal data will be processed. A data subject is a person identifiable by personal data. Your business is likely to be both a data controller and a data processor.
Personal data will be required to be processed in accordance with 6 principles. Summarising these principles, data must:
- Be processed lawfully, fairly and transparently
- Be collected for specified, explicit and legitimate purposes
- Be adequate, relevant and limited to what is necessary
- Be accurate and up to date
- Permit the identification of data subjects for no longer than necessary
- Be processed with appropriate security measures
Data subjects will also be given a number of rights. These include rights to information, access, rectification, erasure and portability.
What this all means in practice will be discussed below. Failure to comply with the GDPR could result in your business being fined up to the greater of €20 million or 4% of your business’ global annual revenue. Compliance with the GDPR will be enforced by the Information Commissioner’s Office (ICO) in the UK.
What your business needs to do before 25 May 2018
There are 5 steps which your business must take prior to the GDPR coming into force.
1) Review your data
Compliance with the principles above must be documented, therefore the first step any business must take towards compliance is to identify all of the personal data it processes. This could range from the collection and storage of personal data in employee records to the use of customer email addresses to carry out marketing campaigns. This identification process should result in a map, which shows how data flows in to and out of your business. The map should detail what data is held, from where it was collected, with whom it is shared, and what is done with it.
2) Ensure that all processing is lawful
Having identified what processing activities your business undertakes, you must ensure that each activity is lawful. To be lawful, processing must usually be undertaken either following consent, be necessary as part of a contractual arrangement, or be necessary for your businesses’ legitimate interests.
Most commonly, consent will be required before processing can take place. Consent must be actively given and cannot be assumed. Data subjects must know what they are consenting to in simple terms, and consent must be obtained separately to an acceptance of other terms. Your business must record this consent, in addition to how and when consent was obtained. Consent may be withdrawn by a data subject at any time. Consent should be obtained in accordance with the GDPR prior to 25 May 2018 to ensure that data processing may continue beyond that date.
An example of a contractual arrangement displacing the need for consent would be the use of a cookie to track products added to a shopping basket prior to purchase. As shopping cart data processing is necessary in the lead-up to an ecommerce contract, consent is not required.
A legitimate interest may be used as a lawful basis for processing where processing is necessary to achieve that interest and that interest is not overridden by individuals’ interests. Processing justified on this basis should only take place if individuals would reasonably expect the processing to take place, and there is a minimal impact on their privacy.
Third party data processors
If your company outsources any data processing activities, you are responsible for ensuring the processor’s GDPR compliance in relation to the processing. For example, Impression, as a data controller, outsources many of its HR functions to CharlieHR, an online platform acting as a data processor in relation to employees’ personal data. To help ensure that this outsourcing is GDPR compliant, Impression must have a written contract with CharlieHR, and CharlieHR must only process in accordance with the instructions in that contract. As the GDPR prohibits the transfer of personal data outside of the EU unless strict protections are in place in the destination territory, Impression must also ensure that CharlieHR stores Impression’s personal data inside the EU. As it does, Impression need not find an alternative supplier.
3) Revise privacy notices
All privacy notices, including internal notices and public facing notices, such as website privacy policies, should be updated to ensure that the following information is present:
- Your business’ identity
- How personal data will be used
- The lawful basis for each processing activity (such as consent or a contractual arrangement)
- How long personal data will be retained
- That the data subject may complain to the ICO
Notices must be concise, transparent, intelligible, free and easy to access. Legal jargon should not be present.
4) Prepare for data subjects’ new rights
As previously suggested, data subjects are given a variety of new rights under the GDPR. Data subjects may request a copy of all information held about them; request that information is rectified, or request that information held on them is deleted. Subject access requests must be responded to within 1 month and may be rejected with reasons and information about the data subject’s right to complain. Template responses should be prepared to facilitate these requests. It should also be considered how data access and portability requests will be handled. For example, it should be considered in what format customer data could be sent.
If the lawfulness of any processing is dependent on consent, systems must be put in place to facilitate data subjects’ withdrawals of consent.
5) Update internal processes
The final step to be taken prior to 25 May 2018 is to prepare internally for the GDPR. The following documentation should be prepared:
- A draft ICO data breach report
- A draft data subject breach notification
- A revised data protection policy, setting out your business’ approach to data protection
- An information security policy
- Data protection impact assessments for any processing activities which pose a high risk to the rights and freedoms of data subjects
- Data protection training materials
Every business should nominate a person responsible for GDPR compliance. An official Data Protection Officer must be nominated if the business carries out “regular and systematic monitoring of individuals on a large scale.” Their responsibilities will be discussed below.
What your business needs to do after 25 May 2018
Once the GDPR is in effect, businesses must ensure ongoing compliance. The regulation intends to inspire a culture of “data protection by design and default” throughout businesses. There will be a general obligation on businesses (data controllers and processors) to illustrate that they are actively considering their data processing activities. The designated responsible person or Data Protection Officer should be responsible for facilitating this culture and training staff in compliance. In addition to illustrating this ongoing consideration by reference to the 6 processing principles, businesses will be required to do the following.
1) Manage ongoing consent and data subjects’ requests
Businesses must respond to data subjects withdrawing their consent to processing activities or submitting the variety of request types within their new rights.
2) Report data breaches
Any personal data breach under the GDPR must be reported to ICO within 72 hours if it is likely to result in a risk to the rights and freedoms of data subjects. If there is a high risk to data subjects, the breach must also be reported to those subjects without undue delay.
3) Carry out data protection impact assessments
If a proposed processing activity is likely to result in a high risk of a personal data breach, such as where a new technology is being used, or where the processing will be systematic and extensive, a data protection impact assessment must be carried out. This assessment must contain a description of the processing activity; an assessment of necessity and proportionality in relation to the purpose of the processing; an assessment of the risks to data subjects, and a description of the controls put in place to address the identified risks.
What marketers need to do
A large proportion of the personal data held by your business will likely be personal data collected for marketing purposes. Marketers must ensure that data held from 25 May 2018 onwards was and is collected in a GDPR compliant manner. If consent is used as the lawful basis for a processing activity, consent must be obtained; data must be managed appropriately, and opt-out measures must be put in place. Alternatively, if other bases are used, individuals should be informed accordingly. Here are some examples of how marketers might justify their processing activities.
1) GDPR and email marketing
Most email marketing data relating to individuals is personal data. Marketers must ensure that names, email addresses and other personal data is collected, stored and used only after users have actively consented to everything to be done with that personal data. Users can only consent after they have been told in simple terms how their personal data will be used. Consent must be recorded and opt-out options must always be available. Email marketing service providers should be checked to ensure that they are GDPR compliant data processors. Although it may be possible to rely on a legitimate interest basis to process data for the purpose of sending marketing emails, there is additional legislation in this area (the soon-to-be-reformed Privacy and Electronic Communications Regulations) which usually requires consent to be provided.
2) GDPR and Google Analytics
As Google Analytics collects personal data such as cookies, IP addresses and User IDs, it is likely that informed consent will be required before Google Analytics can be used on websites from 25 May 2018. Google have said their data storage methods are GDPR compliant and will offer a way for website owners to remove particular sets of data, facilitating compliance with users’ rights of erasure. If consent is used as the lawful basis for processing, users must also be offered a way to opt-out of tracking at any time. If your business uses Google Analytics for a specific purpose such as to understand where website visitors come from and what they are looking for, it may be possible to justify this processing on the basis of a legitimate interest. It is expected that websites will track basic information about their users. Using a legitimate interest, as opposed to consent, to justify this processing does not displace the need for obtaining ‘cookie consent’.
3) GDPR and social media advertising
4) GDPR, remarketing and marketing personalisation
Using collected data to personalise online content and marketing materials should be justifiable on the basis of a legitimate interest, although this will depend on the processing activities taking place. If processing activities impact significantly on the rights of individuals or might not be reasonably expected to take place, consent may be the most appropriate legal basis for the processing activities. Using visitors’ website analytics data to target Facebook ads may be justifiable on the basis of a legitimate interest, however, using email addresses collected from order data to target specific users will be harder to justify on the same basis and may require the use of consent as a legitimate basis.
By carrying out the steps outlined above, your business should be in a good place when 25 May 2018 arrives.
Disclaimer: This article represents the author’s interpretation of the GDPR and does not constitute legal advice. It is recommended that businesses seek professional advice to assist with GDPR preparations. This article was last updated on 4 April 2018. This article was last updated 18 April 2018.