What Businesses Should Know About GDPR Legislation
If your business handles personal data belonging to EU citizens, you need to know about the upcoming GDPR legislation. Check out the basic info here.
If you manage a business within the EU or you handle personal data belonging to EU citizens, you may have heard about the upcoming GDPR legislation, which updates and standardises data protection rules across all EU states.
But what exactly will companies need to do? How will data handling practices need to change? Read on as we explore the basic information you’ll need to know.
What is it and When Will it be Applicable?
The General Data Protection Regulation, known as GDPR (or to give it its proper name, “Regulation (EU) 2016/679”) is a new piece of European legislation which governs the data protection rights for all individuals within the EU. It serves to strengthen and unify all data protection rules and practices across the European Union.
The new regulation comes into force on the 25th May 2018, but was brought into law on the 27th April 2016. A 2-year grace period was awarded to allow businesses to get up to speed.
The GDPR gives European citizens clear rights to access, amend, and restrict access to personal data held by companies about them. Companies that deal with such data need to be compliant with the new rules as of the 25th May 2018, or potentially face a hefty penalty: fines could go up to €20 million or 4% of the company’s worldwide annual turnover from the preceding financial year (whichever of those figures is greater).
What Are the Rules of GDPR?
The Importance of Consent
Consent is an important concept within GDPR, and revolves around individuals providing companies with specific permission to use and store their personal data. Consent must be knowingly and willingly given by the user, with companies making their intended uses of the data clear. Soft opt-ins, implied consent, and hiding data policies within confusing T’s and C’s are all against GDPR rules.
An auditable trail of consent needs to be kept in case a claim of GDPR infringement is made against the company. Businesses must be able to prove that an individual has actively provided their consent to use their data for a given, clear purpose and nothing else.
Individuals will also have the right to retract that consent at any time, and also have the “right to be forgotten,” which means that if they request a company delete their data, the company should do so immediately.
The Right to Object
EU citizens will have a legal right to opt out of marketing communications. If a customer withdraws consent from an activity – such as receiving marketing materials or phone calls – that activity must cease immediately unless the individual consciously and willingly opts back in again.
The ruling also provides protection with regard to automated profiling. If you use systems that make automated decisions about people with no human input, and those decisions have a significant legal or financial effect on the person, they will have a right to opt out of this process and get a second opinion from a human decision maker.
Rights of Access, Rectification and Restriction
Every EU citizen will have the right to ask and be informed about how any company uses their personal data, where it’s used and why. If they find that a company holds incorrect information on them, they have a right to contact the company in question and have that information put right. Individuals are also now able to object to certain uses of their data, for example when companies sell personal data for profit.
Citizens will also have a “right to access” which means that they have the right to request a digital copy of any information a company has about them. Consumers will also be able to request limits to the access of their data.
The focus here is on transparency and fairness. If a citizen finds out that their data is being used in a way that they do not consent to, it is within their right to object to that use and have it stopped.
Notification of Breaches
In the event that you suffer a breach of personal data that results in the loss, alteration, access or unauthorised disclosure of people’s data, and the breach is significant enough to “result in a risk to the rights and freedoms of individuals”, you will need to notify those individuals directly as soon as possible. These individuals must be advised of how they may be affected and told what the company is doing to remedy the situation and minimise further risk.
The company must also inform their relevant supervisory authority within 72 hours of the company becoming aware of any breach. For more information about dealing with data breaches under the new legislation, check out this page from the ICO.
Rights to Portability
The GDPR grants individuals the “right to portability”, which is the right to move data and services to another provider with no hassle or strings attached. For example, if an individual wants to change banks, they have the right to do so without any fuss or complications.
Increased Protections for Children
The GDPR also contains provisions enhancing the protection of data belonging to under-16s. If your services are directly offered to children, privacy notices need to be explained in a way that a child would understand. Online services provided to under-16s may need consent from someone holding “parental responsibility”. However, a guardian’s consent is not required when offering counselling services to those under 16.
What Do Companies Need to Do?
The first important step is to become familiar with the legislation itself and the nature of your existing client data. Establish what consent has already been given, what elements of that consent can be proven, when it was given, and what this allows you to do with their data.
Next, take a look at how you are currently using existing data. If you are sending marketing materials to people who have not provided consent, stop immediately and obtain consent before you market to them further. Marketing to previous customers and parties who have registered general, vague interest without giving explicit consent to receive marketing materials is also a breach of GDPR.
Then, take a look at new data that’s flowing into the business. Consent needs to be proven, so make sure that any consent is properly sought in an auditable way, down to the time and date they opted in. Any objections to marketing or to the transfer of data to a third party will need to be noted accordingly, and that data needs to be ring-fenced so marketing communications can’t go to non-consenters by accident. The ruling applies to any kind of acquired data, online or offline. If someone wants their data to be deleted from your systems, make sure you can do so immediately and effectively.
Every single person in your company who receives or processes client data will need to be aware of the new ruling, as well as their revised confidentiality, access and portability responsibilities. Assign someone the role of Data Protection Officer to handle compliance with the new rules, to keep an eye on ongoing data handling practices, and to deal with any data breach issues should they arise.
- Perform your own research into the new legislation and become familiar with what will be required of you.
- Establish what auditable consent has been provided for the data you currently hold and establish systems to request consent in future.
- Implement an auditable trail of consent for marketing and data usage from both your existing database and from new contacts going forward.
- Know what data you hold on individuals and businesses. This isn’t just client and prospect data; it also includes internal things like employee details and HR records.
- Know how that data is accessed, by whom and for what purpose.
- Know whether that data passes to a third party and whether the individual is aware of this.
- Know where individuals’ data is stored; whether that’s on a standalone PC, your internal network, or in cloud storage; and assess the security of that storage medium.
- Implement a system to deal with data amendment and deletion requests in keeping with GDPR rules.
- Appoint a Data Protection Officer within your company who can be responsible for compliance, preferably someone who has knowledge of IT security and data protection.
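The auditable consent trail and the ring-fencing described above (new data flowing into the business, and the checklist item on implementing a trail of consent) can be modelled as an append-only ledger of consent events, replayed in time order to answer “does this person currently consent to this purpose, and what proves it?”. The following is an added illustration, not code from FIVE CRM or from any GDPR tooling; the event fields, the purpose names and the four sample contacts are constructed for the example, and the in-memory profile store stands in for a hypothetical CRM database.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

GRANT, WITHDRAW, OBJECT, ERASE = "grant", "withdraw", "object", "erase"


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the audit trail: who, which purpose, what happened,
    when it happened, through which channel, and a pointer to the stored evidence."""
    subject_id: str
    purpose: str          # e.g. "marketing_email"; "*" means every purpose (withdraw/object/erase only)
    action: str           # GRANT / WITHDRAW / OBJECT / ERASE
    timestamp: datetime   # timezone-aware UTC, so the opt-in time and date can be proven
    source: str           # channel the consent came through: "web_form", "paper_form", "phone", ...
    evidence: str         # reference to the proof: form submission id, scanned form, call recording id


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []    # append-only audit trail
        self._profiles: Dict[str, dict] = {}     # the personal data itself (hypothetical CRM store)

    def store_profile(self, subject_id: str, profile: dict) -> None:
        self._profiles[subject_id] = dict(profile)

    def profile(self, subject_id: str) -> Optional[dict]:
        return self._profiles.get(subject_id)

    def record(self, subject_id: str, purpose: str, action: str, source: str,
               evidence: str, at: Optional[datetime] = None) -> ConsentEvent:
        if action not in (GRANT, WITHDRAW, OBJECT, ERASE):
            raise ValueError(f"unknown action: {action}")
        if action == GRANT and purpose == "*":
            raise ValueError("consent must be given for a specific purpose, not a blanket one")
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        event = ConsentEvent(subject_id, purpose, action, at, source, evidence)
        self._events.append(event)
        return event

    def _history(self, subject_id: str) -> List[ConsentEvent]:
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.timestamp)

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Return the GRANT event that currently authorises `purpose`, or None.
        Replaying history in time order: a later WITHDRAW or OBJECT for the same purpose
        (or for "*"), or an ERASE of the subject, cancels an earlier grant."""
        active = None
        for e in self._history(subject_id):
            if e.action == ERASE:
                active = None
            elif e.purpose not in (purpose, "*"):
                continue
            elif e.action == GRANT:
                active = e
            else:  # WITHDRAW or OBJECT
                active = None
        return active

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return self.proof_of_consent(subject_id, purpose) is not None

    def eligible_recipients(self, purpose: str, candidates: List[str]) -> List[str]:
        """Ring-fence: a send list can only be produced through the consent check."""
        return [s for s in candidates if self.has_consent(s, purpose)]

    def erase(self, subject_id: str, evidence: str) -> None:
        """Right to be forgotten: delete the personal data, keep only an audit record
        of the deletion request (the ledger holds an identifier, not the data itself)."""
        self._profiles.pop(subject_id, None)
        self.record(subject_id, "*", ERASE, "erasure_request", evidence)


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: four contacts in different consent states."""
    def t(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

    ledger = ConsentLedger()
    for sid in ("alice", "bob", "carol", "dave"):
        ledger.store_profile(sid, {"email": f"{sid}@example.com"})
    # alice: explicit opt-in on the website, logged with the form submission id
    ledger.record("alice", "marketing_email", GRANT, "web_form", "form-2018-0042", t("2018-05-26T09:15:00"))
    # bob: a previous customer who was never asked, so there is no event at all
    # carol: opted in on a paper form, then withdrew by phone
    ledger.record("carol", "marketing_email", GRANT, "paper_form", "scan-7781", t("2018-05-27T10:00:00"))
    ledger.record("carol", "marketing_email", WITHDRAW, "phone", "call-3310", t("2018-06-02T14:30:00"))
    # dave: consented to email only, later objected to every use of his data
    ledger.record("dave", "marketing_email", GRANT, "web_form", "form-2018-0101", t("2018-05-28T08:00:00"))
    ledger.record("dave", "*", OBJECT, "email", "ticket-519", t("2018-06-10T11:00:00"))
    return ledger
```

Two design points carry the compliance weight: the ledger is append-only, so a withdrawal never overwrites the original grant and the whole sequence remains available to show an auditor; and the marketing send list is derived exclusively from `eligible_recipients`, so a legacy contact with no recorded grant (bob) or someone who has withdrawn (carol) cannot reach the list by accident. Consent is scoped per purpose, so a grant for email marketing says nothing about, for example, passing the data to a third party.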
Will Brexit Affect the Implementation of the Legislation in the UK?
According to the Information Commissioner’s Office, the UK Government has confirmed that leaving the EU will not affect the commencement of the GDPR, and though there may be questions for its future within the UK after Article 50 concludes, compliance with GDPR should remain the focus for British businesses in the interim.
DISCLAIMER: This blog post is provided only as a guide to the new GDPR legislation and should not be considered legal advice. FIVE CRM advise you to seek your own appropriate legal counsel.
Overview of the GDPR from the Information Commissioner’s Office
“What Is GDPR?” from the University of Roskilde, Denmark
“The road to GDPR Compliance” by HPE Software
“GDPR – Simply Explained in 3 Minutes” by In 3 Minutes
What you need to know about the EU’s new privacy law by Jan Philipp Albrecht MEP