It feels like the world has gone GDPR crazy! Everywhere you look, newly minted GDPR experts are popping up with lots of conflicting advice and legal mumbo jumbo that is either scaring people or making people feel like putting their heads in the sand until it all goes away.
As if you didn’t know, the GDPR is the General Data Protection Regulations that will be legally enforced from 25th May 2018. You can find details here on the Information Commissioner’s website.
At the GDPR Alliance we are keen to offer the ubiquitous awareness training and the information sessions, but also keen to actually support businesses toward compliance. We operate in easy-to-understand language and suggest simple, specific steps to take, backed up by insights drawn from some of the best people in the sector, who all belong to the Alliance.
For the purposes of this article, I think we can break down GDPR into three areas. These are very much top line, and this article certainly doesn’t constitute proper consultancy or legal advice for your business, but it should give you a head start as to what to look for as you begin your journey.
First of all, who does the GDPR apply to? Basically anyone ‘processing’ personal data on European data subjects (people).
Processing means storing, or communicating with, or segmenting, or any number of other activities you can conduct with personal data.
‘Personal data’ means any information that could be used to identify a natural person. That is, a person currently alive and living in Europe. And no, Brexit doesn’t mean GDPR won’t apply.
So, if you have a marketing database, an HR database, a list of job applicants, a list of suppliers, a client list etc., then chances are you are processing personal data, and that data will need to comply with GDPR.
The three areas to think about are:
Cyber Security: You’ve heard the term no doubt, but what does it mean? Well, simply put, keeping your IT infrastructure safe. Safe from breach (someone or something breaking in) and safe from all sorts of nasty viruses. Chances are, if you have completed the Cyber Essentials or Essentials plus programmes, you are well on your way.
If you are buying ‘off the shelf’ services like CRM systems or websites, or invoicing platforms etc., it’s worth talking to your suppliers about how they are, or will be, compliant, as they themselves are a risk in terms of the security picture for your business.
And even if you are being looked after by a reputable IT firm (and if you are not, it’s worth thinking about) it’s worth checking with them as to what steps they are taking. Get them to report to you on a regular basis on the state of your IT, and its compliance. But don’t be lulled into a false sense of security. There is more to GDPR than that.
Processes: The GDPR talks about having data security built into your processes. This means having your privacy statements up to date for each data set you use and making sure the citizens’ rights, like the so-called ‘right to be forgotten’, are honoured in all aspects of the business. How you gather data, how it’s stored, who gets to use it and the legal basis on which you are using the data are examples of the processes you need to think about.
Something like the BS 10012:2017 (Data privacy) standard is a great place to start to ensure you are running your business and the data you are processing in a compliant manner, but again, this is also something the GDPR Alliance can help you with.
The data itself: You must be aware of what data you have. And that includes understanding where you might be keeping data that you aren’t immediately aware of, like in a CRM system or a mailing list in Mailchimp, or a survey tool, or even somewhere like your website’s contact forms.
I mentioned your ‘legal basis’ earlier and I think this is the cause of much of the confusion, with many different versions of what is allowed and what constitutes ‘legal basis’.
Again, in simple terms, the GDPR says you are OK to process data if:
- You have the consent of the data subject. This consent must live up to standards of specificity and transparency, and it must be explicit for the use to which you will put it. It’s no longer good enough to have a pre-checked box on your data gathering forms. It’s also likely to mean that data you hold that might have had consent some time ago maybe doesn’t have that consent anymore!
- You can have a legal basis if you have a contract with the data subject which requires the processing of their data. Such as a guarantee for instance.
- There may be a legal requirement for you to hold data on someone in order to comply with the law. Maybe safeguarding information or information on finance agreements.
- Your processing of the data might be in the vital interest of the data subject, for instance in order to save a life you might need to pass on privileged information to an ambulance crew.
- If you have a public task to comply with in the interest of the public, based in law, that can be the basis of your processing.
- You have a legitimate interest in processing the data, as long as that interest doesn’t outweigh the interest of the data subject.
You can get more clarification of the legal basis on the ICO website or by talking to your GDPR Alliance consultant or other professional such as your web developer or IT supplier.
If you haven’t got the contracted right, or the legal requirement, most businesses will be looking at ‘consent’ and ‘legitimate interest’ as the basis for their data processing. But the questions don’t end there.
Consent is intended to be weighted toward the benefit of the data subject and should be as easy to withdraw as it is to give.
And legitimate interest must be demonstrated through the application of a three-stage ‘test’, called a Legitimate Interest Assessment, which the ICO and DMA advise you to apply. Namely: identification of the legitimate interest (the reason), a necessity test (can the same be accomplished any other way?) and a balancing test (does the processing impose upon the data subject’s rights?).
It’s a complicated picture, but like all processes it can be broken down into simple steps. You aren’t going to get compliant by May if you still haven’t taken any action, but you can go a long way to offsetting your risk by acting now.
And if you really can’t do it yourself, look for a reputable, experienced GDPR consultant in your IT supplier’s team, your web developer, or indeed, from the members of the GDPR Alliance.
This article was created with the support of Chris Roberts at The GDPR Alliance.