On May 25th 2018, one of the most significant legislative changes affecting online businesses comes into force, and if you do business online, you need to know about it. The General Data Protection Regulation, commonly referred to in the media as GDPR, is the new data protection legislation that will replace the current Data Protection Act 1998 (DPA), and it is essential for both small and large businesses to become familiar with it, understand the implications and take any actions necessary to comply.
A brief background to the GDPR
Although the GDPR originated from the EU, the British Government has confirmed that it will still become UK law despite the decision to leave the EU. Unlike the DPA, which is specific to the UK, the GDPR will apply in every EU member state and in post-Brexit Britain, and also to any organisation, wherever it is based, that processes the personal data of individuals in the EU. In the UK, the GDPR will be enforced by the Information Commissioner’s Office (ICO).
Essentially, the concept behind the GDPR is to bring in a uniform set of rules on the way personal information is handled, rules that are more relevant to an increasingly borderless and networked society whose data transactions are now almost entirely technology driven. As well as transforming the rights of individuals, the regulation also has a huge effect on businesses that fail to comply: fines of up to 4% of annual global turnover or 20 million Euros, whichever is higher.
So just what do you need to know and how can you prepare? Here are 10 essential steps.
1. Understand the Data Protection Act.
Whilst the GDPR is set to render the DPA obsolete in a legislative sense, the DPA has long been seen as a benchmark for standards in protecting personal information, not just here in Britain but also beyond. As such, a lot of what you should already be doing to meet your DPA obligations will remain good practice, and therefore reviewing your compliance with the law as it stands, counter-intuitive as it sounds, is a good place to start.
The full text of the Data Protection Act 1998 is published on legislation.gov.uk.
Key areas to ensure that you are familiar with are the principles of data protection. The ICO has some excellent and easy to understand support on its website. Also important is recognising the difference between data controllers and data processors, which one applies to your organisation, and whether you need to register with the ICO. For this last question, the ICO provides a useful online self assessment tool.
Rather than feeling intimidated by the GDPR, it is important to see it as an enhancement of the existing rules: essentially the same principles broken down into additional detail, plus an extra principle of accountability which requires businesses (and their staff) to be able to demonstrate due diligence at every stage of the data handling process.
2. Audit your data.
Under the principles of the current DPA legislation, it is already an expectation that you have clear, well-maintained records of what data you hold, what consent was obtained, when it was gained, by whom, for what purposes, and who you share the data with. The reality for many online businesses, however, is that the majority of their data is held in the form of website customer data on their servers, and usually in a far from well-organised fashion. This is often not the fault of the business operators themselves; websites are typically built to collect the data required to perform a given transaction, be it signing up for a newsletter, registering for an offer or making an online purchase, and provided everything works, attention is rarely paid to the manner in which the data is held. Larger eCommerce enterprises will no doubt have researched PCI DSS compliance, and more often than not have solved the most operationally important aspect of data handling, the processing of card details, by entrusting it to a compliant third party.
The requirements under the DPA mean that you should have a built-in review process to ensure that the data you hold within your systems is appropriate and necessary for your business purposes, to assess whether the data is properly and systematically managed, and to identify areas for improvement. All of this requires you to have a good working knowledge of what customer data you have and where it is held.
Although the data collected and held by most websites is fairly limited in scope, it is very important to be aware of what is defined as Sensitive Personal Data (or, under the GDPR, special categories of data). This refers to information presumed to be private in nature that could potentially be used in a discriminatory way. It includes, but is not limited to: racial or ethnic origin, sexual life, religious beliefs, political beliefs, health, and criminal proceedings involving the individual. Any business processing such data needs to meet the exacting conditions for doing so which are laid out by the ICO. If you believe that this might apply to your business then you should seek further guidance to ensure compliance.
3. Understand the rights of the individual
The GDPR enhances the rights of data subjects (individuals) and sets out eight rights for the individual over their personal data. These are:
- the right to be informed,
- the right of access,
- the right to rectification,
- the right to erasure,
- the right to restrict processing,
- the right to data portability,
- the right to object,
- and rights in relation to automated decision making and profiling.
To exercise any of these rights, the individual needs to contact the organisation to make their request. The ICO publishes detailed guidance on each right.
The majority of these rights are already established within the DPA and should therefore be no surprise to businesses. There are, however, some notable differences. Firstly, under the DPA individuals already have a right to access any information you hold on them, for which you can charge a maximum fee of £10. Under the GDPR you can no longer charge for access, except where a request is manifestly unfounded or excessive. Secondly, whilst the DPA allowed 40 days to respond to requests, the GDPR requires a prompt response and in all cases no later than one month (extendable by a further two months only for complex or numerous requests, and the individual must be told within the first month if you intend to extend).
It is important that you have a clear understanding of what this means for you as an online business. Whilst an individual is entitled to request and be told what information an organisation holds and processes on them, this does not impose any right of access to your systems. As such, there is no need to alter your systems and websites to provide direct customer access to their data. What you do need to be sure of is what you hold and where, so that it can be quickly and accurately collated and reported in the event of a request.
4. Understanding responsibility and accountability.
According to the DPA, every business will fall into the classification of either a data controller (you control the data, deciding how and why it is used) or a data processor (you process data purely on behalf of someone else). These definitions are a fundamental basis of current data protection legislation and will remain under the GDPR. However, businesses in both classifications will have broader responsibilities. Firstly, both controllers and processors will be obliged to maintain records of the processing they carry out. Secondly, and most significant when it comes to websites, they will be directly accountable for the security of the data and liable for breaches of it. This means that you may need to consult your website developers to ensure that you have implemented appropriate technical and organisational security measures to protect against hacking, data loss and other threats to data (see steps 7 and 10 for more).
The requirement for data controllers to register with the ICO remains, in the form of the data protection fee, and controllers will now be duty-bound to ensure that their contracts with processors are fully compliant throughout. Every organisation that handles personal data (which in reality is pretty much every organisation) is now accountable for that data, no matter how small a link in the chain it represents.
If your company operates a website that uses third parties to process personal details, such as payment gateways and email marketing platforms, you will most likely be considered a data controller under the existing DPA, as you generally decide how the data gets used. Under existing DPA legislation, you are already responsible for the security of the data your company holds or transfers to other organisations for processing.
Although it has always been in a company’s best interests to choose trustworthy partners, a key change is that the GDPR stipulates that there must be written contracts in place with clear terms, responsibilities and liabilities agreed between the parties.
As such, now is an opportune time to evaluate which third parties you send data to and why, and whether appropriate contracts are in place. Bear in mind that if you are using trustworthy, compliant partners then they will also be working hard to get ready for the GDPR, so in most cases it should be a simple matter of contacting them to ask if and when any new documentation will come into effect, if they have not already contacted you.
5. Ensure methods of obtaining consent are up to date
There has been a focus over recent months on improving transparency in the way companies obtain consent from customers for how, when and why their data can be used. Most respectable companies have already moved away from the once common practices of pre-ticked boxes, default opt-ins, treating inactivity or silence as agreement, or burying consent in generalised wording within terms or policies.
Under the GDPR, however, it is important to ensure that your methods of gaining consent meet the new requirements, for example by changing your website to show a prominent, unticked box that the customer must actively click to opt in, placed directly beside clear information explaining what they would be agreeing to and why. This may require changes to your website to fully comply. Consent should also be specific to each purpose (a separate box for marketing emails, say, rather than one box covering everything), and withdrawing consent must be as easy as giving it.
Consent must be specific, informed, freely given and an unambiguous indication of the individual’s wishes, and the individual must give it by means of a simple, affirmative action on their part. It is not acceptable to assume that consent has been given.
6. Appoint a data protection officer if required.
Under the GDPR, certain types of organisation must appoint a Data Protection Officer (DPO). These include public authorities and any organisation carrying out large scale monitoring of individuals or large scale processing of special category data. A DPO is a person within your organisation responsible for training, compliance and reporting, and for acting as a point of contact on all matters related to the GDPR.
Although this particular requirement will not affect the majority of companies conducting business online, it is essential to be sure whether or not it applies to your organisation.
If your organisation is one of the above then you must appoint a trained, competent person as your DPO before May 25th. A DPO can be an employee or can be provided by a third party such as a specialist consultant. Even if you are not required to appoint a DPO under the GDPR, it is still good practice to have an appropriate person with competent knowledge of data protection law in place to be responsible for your company’s GDPR training and compliance.
7. Think security.
The GDPR will require all organisations to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach. For the vast majority of UK companies this will be the ICO. Examples of data breaches are when data is lost, stolen, hacked, destroyed, altered, inappropriately accessed or published without permission. Notifiable breaches are those likely to result in a risk to individuals’ rights and freedoms. Where the risk to individuals is high, the individuals concerned must also be notified; there is no specific time limit for this, the wording being “without undue delay”.
Whilst the majority of websites are unlikely to handle data that brings them within the scope of this obligation to notify, it is essential that you are aware of exactly what kind of data it relates to, whether you hold any such data, and what the obligations are should they apply to your company.
It is important for your company to have a procedure for internal breach detection, investigation and reporting in place before the GDPR comes into force. Such a policy should state who within your organisation has responsibility for reporting a breach to both the authorities and affected individuals, and it should include keeping a log of every breach, whether or not it was notifiable, since the ICO can ask to see it. It is recommended that you train all staff so they understand what counts as a personal data breach (it is not only the loss of data) and what the procedures are for recognising and dealing with such situations.
Whether or not your data is subject to the notification requirements, there is clearly a huge shift in public awareness to the issue of data security and even the smallest of companies may find that customers seek reassurances before conducting transactions online. There is no better time than now to speak to your web developers about what security measures are currently in place on your online infrastructure and what measures could be taken to further enhance data security.
8. Understand the processing rules.
The GDPR defines six lawful bases for processing personal data (plus additional conditions for special categories of data), and every processing activity must rest on at least one of them. It is therefore imperative to think carefully about why and how your organisation uses personal data and whether it is genuinely necessary for your business purposes. As well as checking that you have a lawful basis for the data you collect, you are advised to document your decisions and justify your reasons, both for internal use and for your customers. To ensure compliance, review and amend your website’s privacy policy to explain your lawful basis, your reasons for collecting data and what you use it for.
The ICO publishes a guide to the lawful bases for processing on its website.
9. Handling children’s data
The GDPR includes specific measures to protect children online. Where an online service relies on consent, a child under 16 years of age will generally not be able to give that consent themselves, and the company must obtain consent from someone holding parental responsibility for the child. (Member states may lower the age to no less than 13, and there are limited exceptions, such as counselling services.)
It will therefore be necessary in some cases for website operators, including eCommerce websites, to establish systems for age verification and for obtaining and recording parental consent.
If your products or services are reasonably likely to be used by a child, then you have a duty to make sure all of your privacy policies and statements are written in a clear and plain fashion that a child could understand.
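The following is an added example, not code from the original article, showing how the consent rules of step 5 and the parental-consent rule of step 9 translate into a website’s form handling: a template check that no consent box is pre-ticked, server-side handling that treats a missing checkbox as “no consent” rather than a default opt-in, one record per purpose (with the policy wording version, source and timestamp the DPA and GDPR expect you to keep), withdrawal that is as easy as giving consent, and rejection of a submission from a child under 16 with no parental confirmation. The field names (`consent_<purpose>`, `parental_consent`), the purposes, the `privacy-v3` version string and the sample form posts are all hypothetical and constructed inline.

```python
"""Consent capture and record-keeping helper.

Added example for steps 5 and 9 of the article; it is not code from the
original page. Field names, purposes and the policy version string are
hypothetical, and the sample form posts and HTML below are constructed
inline so the module runs offline.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional

PARENTAL_CONSENT_AGE = 16   # GDPR default for online services (step 9); member states may lower it
AFFIRMATIVE = {"on", "true", "1", "yes"}   # values a ticked checkbox actually submits


class ConsentError(ValueError):
    """The submission does not amount to valid consent."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                     # one record per purpose: consent must be specific
    policy_version: str              # the wording the person saw when agreeing
    source: str                      # form or page where consent was collected
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def audit_consent_template(html: str) -> List[str]:
    """Static check of a form template: consent checkboxes must never be pre-ticked."""
    problems = []
    for tag in re.findall(r"<input\b[^>]*>", html, flags=re.I):
        is_consent_box = re.search(r'type\s*=\s*"checkbox"', tag, re.I) and "consent" in tag.lower()
        if is_consent_box and re.search(r"\bchecked\b", tag, re.I):
            problems.append("pre-ticked consent box: " + tag)
    return problems


def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def record_consent(form: Dict[str, str], subject_id: str, purposes: List[str],
                   policy_version: str, source: str, now: datetime,
                   dob: Optional[date] = None) -> List[ConsentRecord]:
    """Convert a form post into consent records for the purposes actually ticked.

    A browser omits an unticked checkbox from the POST body, so an absent field
    is "no consent", never a default opt-in. Unticked purposes are simply not
    recorded (consent to marketing must not be a condition of the transaction),
    and a child under the threshold needs a parent or guardian's affirmation.
    """
    if dob is not None and age_on(dob, now.date()) < PARENTAL_CONSENT_AGE:
        if form.get("parental_consent", "").strip().lower() not in AFFIRMATIVE:
            raise ConsentError(f"subject is under {PARENTAL_CONSENT_AGE}: parental consent required")
    records = []
    for purpose in purposes:
        if form.get(f"consent_{purpose}", "").strip().lower() in AFFIRMATIVE:
            records.append(ConsentRecord(subject_id, purpose, policy_version, source, now))
    return records


def has_consent(records: List[ConsentRecord], subject_id: str, purpose: str) -> bool:
    """Check before each use: a withdrawn record no longer authorises processing."""
    return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
               for r in records)


def withdraw(records: List[ConsentRecord], subject_id: str, purpose: str, now: datetime) -> int:
    """Withdrawal must be as easy as giving consent; returns how many records were closed."""
    live = [r for r in records
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
    for r in live:
        r.withdrawn_at = now
    return len(live)


# Constructed sample inputs (not real customer data).
GOOD_FORM_HTML = '<input type="checkbox" name="consent_newsletter" id="nl">'
BAD_FORM_HTML = '<input type="checkbox" name="consent_newsletter" id="nl" checked>'
PURPOSES = ["newsletter", "profiling"]


def demo() -> dict:
    now = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    adult_post = {"consent_newsletter": "on"}            # profiling box left unticked
    records = record_consent(adult_post, "cust-42", PURPOSES, "privacy-v3", "/signup", now)
    results = {
        "bad_template_problems": len(audit_consent_template(BAD_FORM_HTML)),
        "good_template_problems": len(audit_consent_template(GOOD_FORM_HTML)),
        "purposes_recorded": [r.purpose for r in records],
        "profiling_consented": has_consent(records, "cust-42", "profiling"),
        "withdrawn": withdraw(records, "cust-42", "newsletter", now),
        "newsletter_after_withdrawal": has_consent(records, "cust-42", "newsletter"),
    }
    try:   # a ten-year-old ticking the box alone is not valid consent
        record_consent(adult_post, "cust-43", PURPOSES, "privacy-v3", "/signup", now,
                       dob=date(2008, 1, 15))
        results["child_rejected"] = False
    except ConsentError:
        results["child_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping `policy_version`, `source` and `given_at` on every record is that, if a customer or the ICO later asks what the person agreed to, you can show the exact wording and the moment of the affirmative action rather than just a boolean flag. Run `audit_consent_template` over your real templates in CI so a pre-ticked box cannot be reintroduced by accident.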
10. Beef up your security.
The GDPR makes it compulsory for you to build data protection into all of your processing activities, by design and by default, through organisational and technical measures. In other words, you have a duty to be able to demonstrate that you have done everything within your reasonable power to protect the personal data you hold at every stage of storage and use.
This means that there is a real and urgent need to review your IT systems. Do you have the most appropriate and effective information technology safeguards in place for your type of business and the data you store? Are they up to date, or do they need upgrading? Speak to your IT providers and website developers for advice and recommendations.
Breach statistics consistently show that a great many data breaches are caused internally by simple human error rather than by external, malicious attacks. Staff training is therefore highly important. Every member of staff needs to know how to comply within their role, as well as clearly understanding your company’s specific procedures for preventing, detecting, reporting and resolving potential data breaches. You should take measures to ensure that personal data can only be accessed by employees who need that access to do their job and who have the correct authorisation, and review those access rights regularly. Remember, of course, that not all data will be held on computerised systems: you also need to think about the security of, and access to, paper files containing personal data, as these are also covered by the GDPR.
Depending on the size and nature of your business, you may be familiar with Data Protection Impact Assessments (DPIAs), also known as privacy impact assessments. These are essentially a form of risk assessment for your data, and are considered a good practice tool under the DPA. Under the GDPR they become mandatory before any processing that is likely to result in a high risk to the rights and freedoms of individuals, in particular where new technologies are used.
DPIA guidance templates are available from: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/
A final note: remember that there are many other areas of legislation that affect businesses and website operators beyond the GDPR. If you are unsure about the rules and regulations that may affect your business, it is recommended that you seek independent legal advice.
The information contained within this article is intended as general information only and is not intended to be comprehensive or to constitute legal advice in any way. If you require any further advice or assistance on the GDPR, contact either the Information Commissioner’s Office at https://ico.org.uk/for-organisations/ or a specialist legal representative.