On 25th May 2018, GDPR will come into force. As both providers and users of digital services, compliance with it is not just an act of legal obligation, but one of social responsibility, user protection, and preemptive action against what may be to come.
The problem is, with so much misinformation and misunderstanding surrounding the new regulation, to most businesses GDPR means lots of work and hefty fines, and therefore most likely paying out a fortune at the last minute for a ‘GDPR expert’ to avoid any such trouble.
So, in early 2017, we and a number of other digital agencies commissioned an in-depth, authoritative look into GDPR to help clear things up. The result is a hearty 6,000-word document that sets the facts straight and outlines exactly what digital businesses need to know to devise their own strategy for GDPR adoption.
You can view the report here: ‘GDPR for business owners and senior executives’. But to help ease digestion of the often dense subject matter and provide a less intimidating way into GDPR compliance, we’ve distilled the whole thing into the short and to-the-point summary below.
What is GDPR?
General Data Protection Regulation (GDPR) is Europe’s new framework for data protection law. It will replace the 1995 Data Protection Directive — administered in the UK by the Data Protection Act of 1998 — and in doing so unify laws across Europe and bring the regulatory landscape of data protection and privacy up to scratch.
Regarding its laws and principles, on the whole, GDPR can be seen as a move from a culture of “collect it all, keep it all, and share it all” to one of “collect the minimum, keep less, and share nothing”.
Like the existing data protection regime, GDPR pertains to the creation, use, and storage of personal data and personal sensitive data. It upholds, and greatly expands upon, original principles such as fair and lawful processing, adequate technical and security measures, and crucially, accurate and up-to-date records.
Personal data is defined as any “information about a living individual who could be identified from that data, on its own or when combined with other information.” Personal sensitive data goes beyond this to include any information concerning the likes of racial or ethnic origin, health, and criminal convictions, and, rightly so, yields a higher punishment should it be lost or breached.
As of the introduction of GDPR, personal data also includes genetic, biometric, and location data, as well as online identifiers.
Online identifiers are particularly important for digital businesses. They describe any personal or personal sensitive data created through interaction with a site, app, wearable, or online service. For example, data from a check-in map that could identify an individual’s location.
Who does GDPR affect and when?
If you do business in Europe, GDPR affects you. European data protection law is universal and applies to all personal data collected or processed in Europe, across all sectors, industries, and situations — regardless of individuals’ nationality or citizenship or the location of your business’s physical presence or incorporation.
If your business is already in compliance with the 1995 standards, it will adjust to the new requirements with ease. If it’s all new to you, it may be more difficult. Either way, now is the time to start. Particularly as the UK government has confirmed it will adopt GDPR despite what happens with Brexit.
Importantly, however, that’s not to say UK data protection law is secured for years to come. Rather it highlights the need for vigilance and involvement on the part of digital professionals today, so as to make it clear to the government where businesses stand and ensure we stay aligned to strict GDPR standards.
How do you get started?
The best place to start is with understanding. Read this overview and get your feet wet. Then move on to comprehensive resources such as the full commissioned GDPR report and the Information Commissioner’s Office website, where you’ll find helpful guidance on many aspects of GDPR compliance.
GDPR compliance is an ongoing process that requires integration into your everyday processes and workflows. There are no shortcuts to take, software to download, or certifications to acquire — as said, GDPR is a cultural shift and therefore warrants due time and effort.
As in the report, this brief guide approaches GDPR compliance by splitting it into three areas: Records, information, and communication; the protection of individual rights; and the incorporation of Privacy by Design into workflows.
1. Record, inform and communicate
Author of the report Heather Burns said if GDPR could be summed up in two words, it would be document everything.
But documenting everything is not just about creating inventories — it’s about recording every process in fine detail. It’s about knowing what you have, what you’re doing with it, where it’s stored, who has access to it, and how you’re safeguarding it.
Some of it will be internal, some of it will be public, some of it will be old data, some of it will be new, some will be personal, and some will be personal and sensitive. Whatever the type, document it — heavy penalties will be issued for failing to supply complete documentation to data protection regulators.
As well as documenting the data, in most cases, it must be collected with the consent of the people the data is about. Consent is defined as active, granular, unbundled, named, balanced, verifiable and documented. In practice, this looks like fair user-provider relationships, no opt-in by default, and detailed proof of consent, although the exact nature of consent is hotly debated and varies among data protection authorities.
When it comes to communicating your compliance and ways in which you use data to the public, this is the role of your privacy information notices.
Privacy information notices replace the current privacy policies that exist on websites and apps, and need to meet the new GDPR standards of transparency and communication. That means no complex terminology or dense formatting; privacy information notices must be written in simple plain language and presented in a way that’s appropriate for your users. They must also include specific information laid out by ICO or your national regulator.
Just as you need to communicate your compliance to the public, it’s equally important to make everyone in your organisation aware of GDPR principles and how it impacts their work — regardless of whether data handling is their job.
Brief contractors and temporary staff, schedule refreshers for regular staff, integrate data protection training into new employee inductions, sit down for a more in-depth look with senior management and the Board. And, you guessed it, document everything on personnel and hiring records.
Data protection is, in part, everyone’s job, but under GDPR, certain businesses dealing in the systematic monitoring or large-scale processing of personal data are required to appoint a primary Data Protection Officer or DPO. The general rule of thumb is: if you think you might need a DPO, you probably do.
Even if you fall outside of this requirement, it’s strongly recommended to appoint a DPO voluntarily, a sort of health and safety officer for data protection and privacy issues.
2. The protection of individual rights
The second broad area concerns users’ legal rights over their data. These are greatly expanded upon under GDPR and, as well as the rights that users can invoke, include responsibilities regarding data security and breaches.
In brief, a user’s rights are the right to be informed through privacy notices; the right to access the data collected about them, known as subject access requests; the right to correct or erase data, known as the right of rectification and right to be forgotten (RTBF), respectively; the right to restrict or object to processing of their data; the right to download their data, known as the right to portability; and certain rights in relation to automated decision making and profiling.
As mentioned, under GDPR, meeting users’ rights involves taking thorough action in the prevention of data breaches. Under GDPR, this means doing everything in your power to stop them, preparing contingency plans for the worst-case scenario, and reporting any breach that’s “likely to result in a risk to the rights and freedoms of individuals” within no more than 72 hours.
Again, reporting a data breach fits the theme of record everything. Regulators will expect to see everything from the category of data and how many individuals are affected to information on how it happened and what measures you’ll put in place to deal with it.
But in the case of a data breach, this will be the least of your worries. Regulators will also expect to see documentation of your data security standards and compliance. Things like password hashing and salting, automated updates, staff training, physical data security, encryption, and internal alerts and reporting.
Under GDPR, your data security standards are part of the documented evidence of your compliance. And, just like everything in the new regulation, if it isn’t documented, it’s as good as never having occurred.
3. Privacy by Design as default
The third major area of GDPR compliance revolves around the implementation of the now mandatory Privacy by Design (PbD) framework into your workflows and the way in which you collect data going forward.
Similarly to its proactive approach to avoiding security breaches by means of prevention, the GDPR approach to reducing data protection issues is to reduce the data you collect in the first place. In accordance with PbD principles, your data minimisation process needs to ensure that privacy is proactive — i.e., privacy as default — in place throughout the full lifecycle, visible, transparent, and user-centric.
In practice, this looks like creating specific workflows for data minimisation, establishing defined time limits for data retention, and engaging in regular data deletion.
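To make the retention and deletion workflow just described concrete, here is an added example written for this summary (it is not code from the report or from any of the agencies that commissioned it). It applies a per-category retention schedule to a set of records and produces the kind of deletion log the “document everything” rule calls for. The category names, retention periods, record layout and sample records are all assumed for the example; a real schedule comes from your own documented retention policy.

```python
from datetime import datetime, timedelta, timezone

# Retention limit per data category. These periods are assumed for the
# example, not taken from the article or any regulator's guidance.
RETENTION = {
    "marketing_contact": timedelta(days=365),
    "support_ticket": timedelta(days=180),
    "analytics_event": timedelta(days=90),
}


def run_retention(records, now, retention=RETENTION):
    """Apply the retention schedule to a list of records.

    Returns a dict with three lists:
      kept   - records still inside their retention period
      review - records whose category has no documented limit; these are
               neither silently kept nor silently deleted, a person decides
      log    - one entry per deleted record, holding only metadata so the
               log itself does not become another store of personal data
    """
    kept, review, log = [], [], []
    for rec in records:
        limit = retention.get(rec["category"])
        if limit is None:
            review.append(rec)
            continue
        if now - rec["collected_at"] <= limit:
            kept.append(rec)
            continue
        # Record *that* a deletion happened and under which rule, but not
        # the personal data that was deleted.
        log.append({
            "record_id": rec["id"],
            "category": rec["category"],
            "collected_at": rec["collected_at"].isoformat(),
            "deleted_at": now.isoformat(),
            "rule": f"{rec['category']} retained for {limit.days} days",
        })
    return {"kept": kept, "review": review, "log": log}


# Constructed sample records for the example; the people and addresses
# are not real.
SAMPLE_RECORDS = [
    {"id": 1, "category": "marketing_contact", "email": "one@example.com",
     "collected_at": datetime(2016, 1, 10, tzinfo=timezone.utc)},
    {"id": 2, "category": "marketing_contact", "email": "two@example.com",
     "collected_at": datetime(2018, 1, 1, tzinfo=timezone.utc)},
    {"id": 3, "category": "analytics_event", "ip": "203.0.113.5",
     "collected_at": datetime(2018, 1, 1, tzinfo=timezone.utc)},
    {"id": 4, "category": "support_ticket", "email": "four@example.com",
     "collected_at": datetime(2018, 1, 1, tzinfo=timezone.utc)},
    # A legacy category with no documented retention rule.
    {"id": 5, "category": "legacy_export", "email": "five@example.com",
     "collected_at": datetime(2015, 6, 1, tzinfo=timezone.utc)},
]

# Fixed "current time" so the example is reproducible: the day GDPR applies.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    result = run_retention(SAMPLE_RECORDS, NOW)
    print("kept:  ", [r["id"] for r in result["kept"]])
    print("review:", [r["id"] for r in result["review"]])
    for entry in result["log"]:
        print("deleted:", entry)
```

Two design choices matter here. The deletion log records the rule that was applied and when, which is the evidence a regulator will ask for, but deliberately omits the personal fields, so the audit trail does not quietly extend the data’s lifetime. And a record whose category has no documented limit is routed to a review list rather than deleted or kept by default, since an undocumented retention decision is exactly what the regulation penalises.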
The record-everything rule here takes the form of your privacy impact assessment (PIA) — the documentation you assemble to prove your PbD process. Your PIA workflow will most likely be unique to a business or project, although certain steps are required, and should be run on all new and past projects. Although following PbD principles has been voluntary since the 90s, under GDPR they are required and the process should not be taken lightly.
A final word on noncompliance
It seems GDPR cannot be mentioned without its hefty fines and penalties. And as we draw closer to May 2018 and more ‘GDPR experts’ try to capitalise on businesses lagging in their compliance, this will become ever more the case.
Less will be heard about the actual reality of the matter, which is that under GDPR a process is in place to prevent the majority of issues from ever reaching a penalty outcome.
The fines for data protection breaches or poor advice come in two levels: Level 1 fines of up to €10m or 2 percent of a company’s global annual turnover, and Level 2 fines of up to €20m or 4 percent. So yes, they are weighty. But they’ll only be issued if a business fails to comply, for instance by refusing to cooperate, repeating the mistake, or, in extreme cases, committing a serious privacy violation. What’s more, for the vast majority of businesses, regulatory involvement is strictly reactive — meaning action from a regulatory body can only come in response to complaints and concerns raised by consumers.
This is by no means a comprehensive guide to GDPR compliance — even the full report isn’t designed to be an authoritative instruction manual. Rather, it’s a way to get you more familiar with the soon-to-be legal regulation and help move you beyond thinking and into acting. GDPR is an obligation that will disrupt your business, but at its core, it’s a significant step toward a culture of transparent and responsible data regulation. As such, the sooner you do something about it, not only the easier it will be in terms of implementation, but the better it will be for your business, its users, and the landscape as a whole.