The new EU GDPR (General Data Protection Regulation) comes into effect on 25th May 2018. It builds on and supersedes current data protection regulations, and in the UK is administered by the UK Information Commissioner's Office (ICO).
We've had quite a few conversations with clients about preparation for EU GDPR, and as this overlaps business and pure IT considerations, we've made sure to read up and around the subject so that we can help untangle the facts from the sales spin. In our approach we started by reading the actual text of the GDPR, which you can access directly online on the EUR-Lex website. If you've got time then we'd suggest going straight to the source and reading that too; everything else you read is someone else's interpretation, including the rest of this article.
We must also mention that whilst we're experienced in business and IT governance, we're not lawyers so please do check through things with your legal advisors.
Our aim is to take a pragmatic view of things and help to put you in a position to evaluate measures in the context of what is needed rather than what the 'salesman proposes' - GDPR is a veritable salesman's dream and some of this is valid, but much is not necessary towards compliance.
GDPR In a nutshell / 60 Seconds / elevator speech:
The main point of GDPR is to make sure that organisations respect personal data and act as a good custodian of this data; respecting it, keeping it safe and handling it appropriately.
There is a lot more detail to the regulations but in a nutshell this is it. It especially relates to sensitive personal data such as medical, political, genetic, biometric, sexual, racial and financial personal information and information relating to children (minors).
GDPR has come about in order to give people more rights over their personal data. If you have had calls from vehicle accident claims management companies, PPI claims firms etc. then these are examples of where third parties have been given (or purchased) your personal information and often to your distinct annoyance. GDPR comes partly in response to activities such as this and aims to reduce instances of preventable data leakages.
Compliance with GDPR is 'self certified' in the same way that current PCI standards (Payment Card Industry) are for protecting cardholder data, if you have to deal with that. In other words there is no officially recognised body that can say you are 'GDPR compliant' (this is / was intended in the legislation but has not come to pass). So compliance is a matter of ensuring that you take measures appropriate to your business, so that you are happy that you have managed your level of risk. If you were to suffer a data breach, or a complaint were upheld against you, then you would be deemed non-compliant with GDPR and might be issued with a fine or face further legal action. Thus the onus is on a business owner and its management to ensure that compliance is good.
Recommendation 1: Keep a 'GDPR Diary'. This is important as it allows you to note down what you have done and when towards GDPR compliance: what you have read and what actions you have taken. If you were to have a GDPR issue down the line, then being able to demonstrate that you made reasonable efforts towards compliance will be important. The ICO understands that some organisations are big and complex and may have a whole team dedicated to GDPR compliance, whereas other organisations are much smaller, down to a single person; they will expect appropriate and proportional effort from each (a one-person company will, for example, be able to note down what data they hold and where it is with less effort than a 10,000-person company).
What about fines?
You have likely seen the headlines about fines for GDPR non-compliance and data breaches. These can be up to EUR 20,000,000 or 4% of organisation turnover. To attract a fine of EUR 20 million you would have to have a turnover of half a billion euros a year, and have a serious data breach that could reasonably have been prevented.
To avoid (or minimise the risk of) fines it is important to do your best to comply with the legislation. On the whole this also overlaps with business interests: what would your clients think of you if they learned that you had a data breach and exposed their personal information? Or if they got calls from third parties they did not want and learned that it was because you passed on their information without their consent? Generally we'd suggest asking yourself (knowing everything you know) whether you would be happy, as a customer of your own organisation, that everyone in the organisation would respect your data and act professionally with it at all times. This latter point, applicability to everyone, is very important. Make sure that everyone in your organisation knows that respect for and confidentiality of client personal data is their responsibility. Your compliance and security is only as strong as the weakest link in the chain and must apply to interns, reception, temporary staff and cleaners through to senior board-level management.
Recommendation 2: Make an internal communications plan and execute it, now and ongoing. The importance of data protection compliance and respect for client data is something that people should be made explicitly aware of. If you have a board then this should be a recurring board meeting item (even if a brief one), but most importantly everyone in the organisation needs to be educated that respect for client data is of utmost importance to everyone's best interests. This might seem common sense and it is, but unless you make and execute a regular training / comms plan, then there is a risk that people might give away confidential information without realising it is an issue. Having an explicit internal policy about what personal information can be shared: by whom and with whom is a good idea and makes things clear.
Knowing what data you hold (doing a Data Audit):
On the basis of 'what you know you can manage', one of the steps towards compliance is doing a data audit to record what information you hold (particularly personal information), why it is recorded, where it is held, how you process it, who you share it with and so on. This then allows you to evaluate that data in respect of GDPR: to make sure that you are keeping it safe, that you are only keeping what you need to keep, and that you have measures in place to keep the information accurate.
Information to collect and collate in a personal data audit includes:
- Data Source (where this data comes from)
- How & Where it is stored (ie on the cloud, on local servers etc.).
- Is the data secured in transit and at rest?
- What information you are holding.
- What you are doing with the information (how it is processed)?
- What the legitimate reason for this processing is?
- Is personal consent required for this processing?
- If so - do you have this consent and is this documented?
- Who will the information be shared with? and who in your organisation is allowed to share it?
- Is this on your privacy notice?
- How is the data kept up to date? And how will you update subscribers to the data (ie organisations you share this with).
Recommendation 3: Have a procedure to authenticate who you are sharing information with before sharing, where you do need to. This will help protect against people trying to trick you into releasing confidential data, which unfortunately does happen, and the onus is on you to keep things safe. The mantra should be 'If in doubt, check it out': if anything is at all unusual, or the request is not from someone you know, verify it. It is possible, for example, for someone to call the accounting department of a company asking for a copy of your Sage backup file to be uploaded or emailed to them 'to assist your accountants in their tax work'. If a call like that came in from someone who sounded legitimate and convincing, what is the risk that someone in your organisation would be tricked into releasing your core accounts files? Probably higher than we would all like, as tricks like this prey on our innate desire to help and are thus done with the best of intentions but to unfortunate ends. Your accounts data in this example might not hold too much 'personal' information about individuals, but it is still potentially damaging to the business. We've even seen examples (and taped one of them - click through to read and listen) where people phone a company claiming to be from the Police in order to get through the switchboard: very effective as a tactic, and also quite illegal.
Recommendation 4: Don't be the low hanging fruit. This applies to many areas of IT such as security. You can spend potentially millions on IT security very easily. The appropriate level though is one which normally comes down to common sense. For security (which is part of GDPR in that you need to be keeping your data safe) there will be sensible systems and processes (human and computer) that will allow you to store and share your client information safely. If you are at least as secure as the majority of your industry / peer group then you will be unlikely to be hacked or suffer a data breach. The nature of your organisation and the data you hold will determine appropriate measures so that you can satisfy yourself of compliance.
Sources: The UK ICO has a very good website with an overview of GDPR, a '12 steps towards GDPR compliance' document which we recommend and advice for particular types of organisation such as small businesses and financial services organisations.
ICO Main GDPR Site:
ICO 12 Steps PDF: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
ICO Advice for smaller companies - https://ico.org.uk/for-organisations/making-data-protection-your-business/
ICO Advice for specific business sectors, and links to their 'GDPR Myth Busting' blog. All quite pragmatic: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/#faqs - this includes specifics for retail, micro organisations, the small financial sector, charities and local government organisations.
All the above pages are well worth reading and digesting.
Practical Measures to compliance and further explanation:
Privacy By Design is a concept you might hear about in GDPR documents. The term is a little cryptic, but what it means is that you need to think about privacy first in matters relating to personal information. If you are planning a marketing exercise, for example, you need to make sure that the people you are going to be communicating with are 'opted in' to your communications, and that the personal information you capture will be used and stored correctly and appropriately. We'd think of this as having best practice front of mind. If you are offered (or seek to licence / buy) mailing lists then you need to make sure these include upstream consent from the members of the list, and be reasonably confident that the list vendor is not just paying lip service to consent. If you deal with a UK or EU mailing list provider of good reputation then you have the best chance of this all being legitimate. US and other international vendors are not bound by the same rules, but you are when you use the data, and you would be liable for any abuse. Whenever you are considering new systems, processes etc., it is important to consider security as part of the process so that you remain compliant with the law.
What is Personal Data Processing and what are justifications for processing?
It is important to remember that GDPR relates to the processing of personal data. You need to have a legitimate reason to store and process (use) personal information. One of the legitimate reasons can be explicit consent from an individual (who is given details so that they understand clearly how their information will be used), but there are other reasons also.
For example, if you have a CCTV system then this may well be for reasons of security and business optimisation (in retail environments CCTV is used to count footfall, note which aisles are busier than others and generally improve the customer experience, as well as to catch thieves and shoplifters). You'd normally put signs up to let people know that CCTV is in operation, but you don't need to ask for consent from individuals: a shoplifter or someone who broke in could not reasonably argue that they did not consent to being filmed if you use this as evidence against them. In the case of CCTV, though, you do need to make sure that you keep the recording system secure and limit access to authorised staff.
Legitimate reasons for processing data include statutory legal requirements to record certain information, contractual requirements, vital interests and legitimate interests; these are described at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
For each piece of data you hold, you need to be able to justify reasonably what you hold, why, and how long it is held for. One example might be CVs sent to a company to apply for a job. In this case you might actively need the CVs while you are choosing which candidate to hire, but equally it may be useful or necessary to store all the CVs securely after the hire decision is made: down the line you might be asked to justify a gender imbalance in the workplace. If you have the job advert and the CVs that were sent in archived, then you could demonstrate that the job was given to a female candidate and that 99% of the applicants were female, etc. (in IT sadly this seems to be the opposite, but everything balances out in the end and over time). However, though you may have legitimate reasons to store this information, you should only use it for legitimate purposes. Contacting some shortlisted candidates later when you have another opening might be a legitimate purpose, but giving / selling their CVs and contact details to a double glazing company would not be a good thing to do.
Where consent is the reason for holding information, it is important that this is clear and that an individual has the right to withdraw consent later. In most cases clients will be happy to give consent where this is in their mutual interest. For example, an estate agent might ask for consent to hold and process client contact details if they are looking for a new home, and for permission to share that information with trusted partners like movers or decorators should that person move house, which are services they may well need, so a win-win for all. If the individual says no thanks to that offer then you need to pass on that part for them.
There is a tenet in GDPR that consent needs to be clear and explicit. Where in the past you might have had to untick a box in very small print to opt out of something, now you need to have a clear opt-in and not assume consent.
Recommendation 6: Make sure that when you collect personal information you make it clear what this will be used for and that people give their permission for this. Keep this documentation / record in case you need to refer back to it later.
Recommendation 7: If someone asks to be taken off a mailing list then respect that and act on it immediately. If the same person's data has been shared with other organisations or internal departments then also make sure the message is passed along and actioned as appropriate. Something that is sure to get you ICO complaints is if you get requests to remove someone's details from a mailing list / contact list but you continue to call / email / mail them again and again. If someone does not want to hear from you then it is best to respect that and expend your efforts elsewhere with people who do appreciate it. The ICO will forgive a legitimate mistake (none of us are perfect), but if they see a pattern of abuse and no good system or process in place then they will take a dim view of this, and you may well attract a fine and the poor publicity that may accompany it.
Recommendation 8: Don't hold data if you do not need it. The best way to be compliant with safe and secure handling of personal data is not to hold it in the first place. If you don't have a legitimate (and common sense) reason to hold data, then don't, and it can't come back to bite you. In the world of ecommerce, many small companies have benefitted from the services of payment providers like PayPal / Braintree etc. In these cases they allow you to take credit card payments, but at no point are you given, or do you hold, credit card details and expiry dates (which come with big responsibility). You benefit from the payment processing and collection system, and not having the card details is a genuine positive benefit.
Do I need a new printer? or whatever else people say I need because of GDPR?
GDPR is being used as an excuse to sell any and many products at the moment. If you are uncertain whether you need X for compliance then please do run it by us and we'd be happy to discuss it and help work out the correct response. Generally, consider whether a product significantly increases your level of security or compliance, and whether the problem that it solves is a significant risk in the first place. For example, if you have a small office without public access then you are unlikely to need super secure printing, especially if you make sure you collect printed items immediately after printing them. The risk of a member of the public (or someone of ill intent) picking up something with someone else's private information on it is quite low; hopefully you'd notice someone who is not staff in your office in the first place. But then again, if you do print super sensitive documents then consider secure printing or a small printer next to your desk that is not shared (a modern small laser or inkjet printer is now very capable).
You may well benefit from some enhancements to your systems and processes, especially if some of your systems are already out of date, and we'll be happy to discuss these with you. Many measures towards increasing security have relatively low (and sometimes nil) costs bar a bit of time to set up.
Recommendation 9: Consider the importance of standards. It is well worth considering business IT security standards like Cyber Essentials and the fuller ISO 27001. It's a fact that no organisation with ISO 27001 certification has ever suffered a large scale data loss (true at the time of writing anyway). That's because the standard provides for a methodical and comprehensive approach to security. It can also be a business benefit. For example, an online dating website that has ISO 27001 compliance would, all other things being equal, be more attractive to people looking to share their personal details than one without; especially after the high profile hacks of websites like the US website Ashley Madison, hopefully people will pay more attention to these things. The Cyber Essentials standard is one promoted by the UK National Cyber Security Centre, which is part of GCHQ. This covers the basics (80:20 rule) of security, and Onega can help you prepare for certification to the standard. These standards overlap with GDPR in IT security and would help reduce risks; if anything untoward were to happen, they also help demonstrate that you had taken reasonable and recommended actions to secure your organisation.
If you do have a data breach that involves personal data being leaked / exposed / lost then this may well be reportable to the ICO. It is important that any such breach be reported quickly and openly. There may be an investigation by the ICO, but it is 1000% better to be open, honest, and learn from your mistakes to reduce the risk of recurrence than to try to bury it. How people react when there is an incident is in many cases as important as what has happened. If a data breach is likely to lead to negative effects on individuals then it needs to be reported. If how many widgets were made on production line 4 in May is leaked then that generally would not be a reportable incident, as it does not involve personal data. With regard to breaches, though, of course it is far preferable to secure data and reduce the risk of a breach in the first place than to need to report one.
How long should I keep data for?
This is a question of logic and common sense. There may also be regulatory requirements in certain industries that override other criteria: if you are regulated by the FCA, for example, then you still need to stick to their guidelines. Keep data for as long as reasonably needed and justified for business and audit purposes, then remove it.
Who is your Data Protection Officer?
The chances are that if you are reading this far then that could well be you! If it is not or will not be you, then it is important that this person be defined clearly and be given board-level backing so that they have the authority to carry out the role. Smaller organisations may not need to have a formal data protection officer, but it is good practice to make sure there is a clear role and responsibility in any case.
Rights to access data
Individuals have a right to ask to see (and have a copy of) what information you hold about them, and rights to withdraw consent where previously this has been given. There is also a right to erasure from your records. This latter right though is a request that you might not have to comply with - for example if you have a statutory requirement to keep records for an amount of time then that requirement will override the request. If someone asks to be taken off a mailing list then you should however comply with that and do your best to make sure they are not sent further automated emails unless any are mandatory (ie a product safety recall notice could and should still be sent legitimately to a customer who has asked to be removed from your marketing emails).
Individuals can make subject access requests to ask for the information you hold about them, and you have to comply with these within a month at no charge. If you judge that an information request (Subject Access Request) is likely to be excessive or unfounded then you can refuse the request, giving this reason. For example, some local authorities under the Freedom of Information Act rules have had to find a number of obscure statistics in response to many requests from the same person, where the only point is to waste the time and resources of the council. Where you do decline a request, you have to let the requestor know that they can complain to the ICO if they disagree with your decision, and the ICO will investigate if appropriate. The majority of smaller companies will never have had a Subject Access Request, so with GDPR this is something to be aware of, but it is likely to rarely be an issue.
If you'd like to discuss any of the contents of this article further please don't hesitate to get in touch (or leave a comment below).
Many Thanks to Rock Cohen via Flickr for the header photo of the EU flag flying.