The new EU GDPR (General Data Protection Regulation) comes into effect on 25th May 2018. It builds on and supersedes current data protection regulations and, in the UK, is administered by the UK Information Commissioner's Office (UK ICO).
We've had quite a few conversations with clients about preparation for EU GDPR and, as this overlaps business and pure IT considerations, we've made sure to read up on, and around, the subject so that we can help untangle the facts from the sales spin. In our approach we started by reading the actual text of the GDPR, which you can access directly online on the EUR-Lex website. If you've got time then we'd suggest going straight to the source and reading that as well; everything else you read is someone else's interpretation, including the rest of this article.
We must also mention that, whilst we're experienced in business and IT governance, we're not lawyers, so please do check things through with your legal advisors.
Our aim is to take a pragmatic view of things and help to put you in a position to evaluate measures in the context of what is needed rather than what the 'salesman proposes'. GDPR is a veritable salesman's dream; some of what is being sold is valid, but much of it is not necessary for achieving compliance.
GDPR In a Nutshell:
The main point of GDPR is to make sure that organisations respect personal data and act as a good custodian of this data; respecting it, keeping it safe and handling it appropriately.
There is a lot more detail to the regulations, but basically this is it. It especially relates to sensitive personal data such as medical, political, genetic, biometric, sexual, racial and financial personal information, and information relating to children (minors).
GDPR has come about in order to give people more rights over their personal data. If you have had calls from vehicle accident claims management companies, PPI claims firms etc., then these are examples of where third parties have been given (or have purchased) your personal information, often to your distinct annoyance. GDPR comes partly in response to these activities and aims to reduce instances of preventable data leakage.
Compliance with GDPR is 'self-certified', in the same way that the current PCI (Payment Card Industry) standards for protecting cardholder data are. There is no officially recognised body that can say that you are 'GDPR Compliant' (this is / was intended in the legislation but has not come to pass). This means that compliance is a matter of ensuring that you act appropriately for your business and that you are happy that you have managed your level of risk. If you were to suffer a data breach, or a complaint were upheld against you, then you would be deemed non-compliant with GDPR and might be issued with a fine or face further legal action. The onus is therefore on a business owner and its management to ensure that compliance is good.
Practical measures towards compliance, and further explanation:
Recommendation 1: Keep a 'GDPR Diary'
This is important as it allows you to note down what you have done, and when, towards GDPR compliance: what you have read and what actions you have taken. If you were to have a GDPR issue down the line, then being able to demonstrate that you made reasonable efforts towards compliance will be important. The ICO understands that some organisations are big and complex and so may have a whole team dedicated to GDPR compliance, whereas other organisations are much smaller, down to a single person, and it will expect appropriate and proportional effort from each (a one-person company will, for example, be able to note down what data it holds and where it is with less effort than a 10,000-person company).
Recommendation 2: Make an internal communications plan and execute it, now and ongoing.
The importance of data protection compliance and respect for client data is something that people should be made explicitly aware of. If you have a board then this should be a recurring board meeting item (even if a brief one), but most importantly everyone in the organisation needs to be educated that respect for client data is of utmost importance to everyone's best interests. This might seem common sense, and it is, but unless you make and execute a regular training / communications plan, there is a risk that people might give away confidential information without realising it is an issue. Having an explicit internal policy about what personal information can be shared, by whom and with whom, is a good idea and makes things clear. Your compliance and security are only as strong as the weakest link in the chain, and must apply to interns, reception, temporary staff and cleaners, through to senior board-level management.
Recommendation 3: Have a procedure to authenticate who you are sharing information with.
This will help protect against people trying to trick you into releasing confidential data, which unfortunately does happen but is still your responsibility. The mantra should be 'If in doubt, check it out', i.e. if anything is at all unusual or if it is not someone you know. It is possible, for example, for someone to call the accounts department of a company and ask for a copy of the Sage backup file to be uploaded or emailed to them, supposedly to assist your accountants in their tax work. If a call like that came in from someone who sounded legitimate and convincing, what is the risk that someone in your organisation would accidentally be tricked into releasing your core accounts files? Probably higher than we would all like, as tricks like this prey on our innate desire to help; people respond with the best of intentions but to unfortunate ends. Your accounts data in this example might not hold too much 'personal' information about individuals, but its loss is still potentially damaging to the business. We've even seen examples (and taped one of them - click through to read and listen) where people phone a company claiming to be from the Police in order to get through the switchboard. Highly effective as a tactic and, of course, illegal.
Recommendation 4: Don't be the easy target.
This applies to many areas of IT, security included. You can very easily spend millions on IT security; the appropriate level, though, normally comes down to common sense. For security (which is part of GDPR, in that you need to be keeping your data safe) there will be sensible systems and processes (human and computer) that allow you to store and share your client information safely. If you are at least as secure as the majority of your industry or peer group then you will be unlikely to be hacked or suffer a data breach. The nature of your organisation and the data you hold will determine the appropriate measures, so that you can satisfy yourself of compliance.
Recommendation 6: Listen to and communicate with your clients.
Make sure that when you collect personal information you make it clear what it will be used for and that people give their permission for this. Keep this documentation / record in case you need to refer back to it later.
If someone asks to be taken off a mailing list then respect that and act on it immediately. If the same person's data has been shared with other organisations or internal departments then also make sure the message is passed along and actioned as appropriate. Something that is sure to get you ICO complaints is receiving requests to remove someone's details from a mailing list / contact list but continuing to call / email / mail them again and again. If someone does not want to hear from you then it is best to respect that and expend your efforts elsewhere, with people who do appreciate it. The ICO will forgive a legitimate mistake (none of us are perfect), but if they see a pattern of abuse and no good system or process in place then they will take a dim view of this, and you may well attract a fine and the poor publicity that may accompany it.
There is a tenet in GDPR that consent needs to be clear and explicit. Where in the past you might have had to untick a box in very small print to opt out of something, you now need a clear opt-in and must not assume consent.
Recommendation 7: Don't hold data if you do not need it.
The best way to be compliant with the safe and secure handling of personal data is not to hold it in the first place. If you don't have a legitimate (and common sense) reason to hold data, then don't, and it can't come back to bite you. In the world of e-commerce, many small companies have benefited from the services of payment providers like PayPal or Braintree. These providers allow you to take credit card payments, but at no point are you given, or allowed to hold, card numbers and expiry dates (which come with big responsibility); you benefit from the payment processing and collection system, and not having the card details is a genuine benefit.
Recommendation 8: Complete a Data Audit - Know what data you hold.
On the basis of 'what you know you can manage', one of the steps towards compliance is conducting a data audit to identify what information you record (particularly personal information), why it is recorded, where it is held, how you process it, who you share it with, etc. This then allows you to evaluate that data in respect of GDPR to make sure that you are keeping it safe, that you are only keeping what you need to keep, and that you have measures in place to make sure the information is accurate.
Information to collect and collate in a personal data audit includes:
- Data source (where this data comes from).
- How and where it is stored (in the cloud, on local servers etc.).
- Is the data secured in transit and at rest?
- What information are you holding?
- What are you doing with the information (how is it processed)?
- What is the legitimate reason for this processing?
- Is personal consent required for this processing?
- If so, do you have this consent and is it documented?
- Who will the information be shared with, and who in your organisation is allowed to share it?
- Is this on your privacy notice?
- How is the data kept up to date, and how will you update subscribers to this data (i.e. organisations you share it with)?
Recommendation 9: Consider the importance of standards.
It is well worth considering business IT security standards like Cyber Essentials and the fuller ISO 27001. It's a fact that no organisation with ISO 27001 certification has ever suffered a large-scale data loss (true at the time of writing, anyway). That's because the standard provides for a methodical and comprehensive approach to security. It can also be a business benefit. The Cyber Essentials standard is promoted by the UK National Cyber Security Centre, which is part of GCHQ. It covers the basics (the 80:20 rule) of security, and Onega can help you prepare for certification to the standard. These standards overlap with GDPR in the area of IT security and would help reduce risks; if anything untoward were to happen, they would also help demonstrate that you had taken reasonable and recommended actions to secure your organisation.
How long should I keep data for?
This is a question of logic and common sense. There might also be regulatory requirements in certain industries that override other criteria; e.g. if you are regulated by the FCA then you still need to stick to their guidelines. Keep data for as long as is reasonably needed and justified for business and audit purposes, then remove it.
Who is your Data Protection Officer?
The chances are that, if you have read this far, it could well be you! If it is not or will not be you, then it is important that this person be clearly defined and given board-level backing, so that they have the authority to carry out the role. Smaller organisations may not need to have a formal Data Protection Officer, but it is good practice to make sure there is a clear role and responsibility in any case.
What happens if there is a data breach?
If you do have a data breach that involves personal data being leaked, exposed or lost, then this may well be reportable to the ICO. It is important that any such breach be reported quickly and openly. There may be an investigation by the ICO, but it is 100% better to be open and honest and to learn from your mistakes to reduce the risk of recurrence than to try to bury it. How people react when there is an incident is, in many cases, as important as what has happened. If a data breach is likely to lead to negative effects on individuals then it needs to be reported. If how many widgets were made on production line 4 in May is leaked, that generally would not be a reportable incident, as it does not involve personal data. Of course it is far preferable to secure data and reduce the risk of a breach in the first place than to need to report one.
Who has the right to access data?
Individuals have a right to ask to see (and have a copy of) what information you hold about them, and the right to withdraw consent where this has previously been given. There is also a right to erasure from your records. This latter right is a request that you might not have to comply with, however; for example, if you have a statutory requirement to keep records for a period of time then that requirement will override the request. If, on the other hand, someone asks to be taken off a mailing list then you should comply with that and do your best to make sure they are not sent further automated emails unless any are mandatory (i.e. a product safety recall notice could and should still legitimately be sent to a customer who has asked to be removed from your marketing emails).
Individuals can make Subject Access Requests to ask for the information you hold about them, and you have to comply with these within a month, at no charge. If you judge that a Subject Access Request is likely to be excessive or unfounded then you can refuse it, giving this reason. For example, some local authorities under the Freedom of Information Act rules have had to find a number of obscure statistics following multiple requests from the same person, where the only intention is to waste the Council's time and resources. Where you do decline a request, you have to let the requestor know that, if they disagree with your decision, they can complain to the ICO, who will investigate if appropriate. The majority of smaller companies will never have had a Subject Access Request, so with GDPR this is something to be aware of, but it is likely that it will rarely be an issue.
What about fines?
You have likely seen the headlines about fines for GDPR non-compliance and data breaches. These can be up to EUR 20,000,000 or 4% of the organisation's turnover. To attract a fine of EUR 20 million you would have to have a turnover of half a billion euros a year and have a serious data breach that you could reasonably have prevented.
To avoid (or minimise the risk of) fines it is important to do your best to comply with the legislation. On the whole, this also overlaps with business interests: what would your clients think of you if they learned that you had had a data breach and exposed their personal information? Or if they received unwanted calls from third parties and learned that it was because you passed on their information without their consent? Generally we'd suggest asking yourself (knowing everything you know) whether you would be happy as a customer of your own organisation; are you satisfied that everyone in the organisation would respect your data and treat it professionally at all times? This latter point, applicability to everyone, is very important. Make sure that everyone in your organisation knows that respect for, and confidentiality of, client personal data is their responsibility.
What is Privacy by Design?
Privacy by Design is a concept you might hear about in GDPR documents. The term is a little cryptic, but what it means is that you need to think about privacy first in matters relating to personal information. If you are planning a marketing exercise, for example, you need to make sure that the people you are going to be communicating with are 'opted in' to your communications, and that the personal information you capture will be used and stored correctly and appropriately. We'd think of this as having best practice front of mind. If you are offered (or seek to license or buy) mailing lists, then you need to make sure these include upstream consent from the members of the list, and be reasonably confident that the list vendor is not just paying lip service to consent. If you deal with a UK or EU mailing list provider of good reputation then you have the best chance of this all being legitimate. US and other international vendors are not bound by the same rules, but you are when you use the data, and you would be liable for any abuse. Whenever you are considering new systems, processes etc., it is important to consider security as part of the process so that you will remain compliant with the law.
What is Personal Data Processing and what are justifications for processing?
It is important to remember that GDPR relates to the processing of personal data. You need to have a legitimate reason to store and process (use) personal information. One of the legitimate reasons can be explicit consent from an individual (who is given details so that they understand clearly how their information will be used), but there are other reasons too.
For example, if you have a CCTV system then this may well be for reasons of security and business optimisation. You'd normally put signs up to let people know that CCTV is in operation, but you don't need to ask for consent from individuals. A shoplifter or someone who broke in could not reasonably argue that they did not consent to being filmed if you use this as evidence against them. In the case of CCTV, though, you do need to make sure that you keep the recording system secure and limit access to authorised staff.
Where consent is the reason for holding information, it is important that this is clear and that the individual has the right to withdraw consent later. In most cases clients will be happy to give consent where this is in their mutual interest.
Do I need a new printer, or whatever else people say I need because of GDPR?
GDPR is being used as an excuse to sell any and every product at the moment. If you are uncertain whether you need X for compliance then please do run it by us, and we'd be happy to discuss it and help work out the correct response. Generally, consider whether a product significantly increases your level of security or compliance, and whether the problem that it solves is a significant risk in the first place. For example, if you have a small office without public access then you are unlikely to need super-secure printing, especially if you make sure you collect printouts as soon as you print them. The risk of a member of the public (or someone of ill intent) picking up something with someone else's private information on it is quite low. Hopefully you'd notice someone who is not a member of your staff in your office in the first place, but if you do print highly sensitive documents, then consider secure printing or a small printer next to your desk that is not shared (a modern small laser or inkjet printer is now very capable).
You may well benefit from some enhancements to your systems and processes, especially if some of your systems are already out of date, and we'll be happy to discuss these with you. Many measures towards increasing security have relatively low (and sometimes nil) costs, bar a bit of time to set up.
If you'd like to discuss any of the contents of this article further please don't hesitate to get in touch (or leave a comment below).
Many thanks to Rock Cohen via Flickr for the header photo of the EU flag flying.
The UK ICO has a very good website with an overview of GDPR, a '12 steps towards GDPR compliance' document, which we recommend, and advice for particular types of organisation such as small businesses and financial services organisations.
ICO Main GDPR Site:
ICO 12 Steps PDF:
ICO Advice for smaller companies
ICO advice for specific business sectors, and their 'GDPR Myth Busting' blog. All quite pragmatic.
https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/#faqs (this includes specifics for retail, micro organisations, small financial sector GDPR, for charities and local government organisations).
All the above pages are well worth reading and digesting.