GDPR is Coming, Act Now

Introduction

New EU data protection regulations take effect on 25th May 2018. To comply, most organisations will need to make changes to contracts and IT systems, yet many remain unaware of the GDPR. The potential costs could be significant as could the amount of time needed to make the necessary changes.

Broadly, the GDPR assigns “individuals” (i.e. anybody your organisation holds data on, be they customers, employees or supplier personnel) the following rights in respect of systems:

  • subject access,
  • to have inaccuracies corrected,
  • to have information erased,
  • to prevent direct marketing,
  • to prevent automated decision-making and profiling, and
  • data portability.

    The GDPR applies to all companies that want to trade with the EU irrespective of location. For example, a US-based seller of electronic software must refuse to take orders from EU clients if it does not want to comply with the legislation and presumably must also not hold any data on EU citizens that work for suppliers.

    To be compliant, many organisations will need, as a minimum, to review where data is stored, what’s recorded and how it’s used. In addition, contracts (with both customers and suppliers) will need to be reviewed and changed to be compliant with the legislation. The review and resulting implementation of changes will provide a lot of work for legal and IT departments.

    Brexit will not make any changes to the UK’s implementation; this has been confirmed by ministers and the Information Commissioner’s Office (ICO) in the UK.

    Not complying with the regulations could be expensive – the greater of between 2% and 4% of GLOBAL turnover or EUR 10-20 million.

    Consent

    The first major area of change is gaining an individual’s consent to using and retaining their data for a period of time. This applies retrospectively – on 25th May 2018 your organisation needs to have consent from individuals to holding and using their data even where the relationship ceased years ago (unless you erase old records). No changes will be necessary if your existing privacy notice meets the new requirements.

    There are some interesting implications for systems – a prospect might be recorded in a CRM and give consent for their information to be used for the purposes of providing product information and quotes etc, but if they become a customer and use an online portal then additional consents will be needed as you have changed the way in which you use their data.
    Consent must be informed, clear and unambiguous – silence, pre-ticked boxes or inactivity do not constitute consent. It must also be verifiable, i.e. a record of what was agreed to and on what date.

    Each time your organisation changes the way in which data might be used, you need to ask for permission before you apply the change to the individual’s data.
    Children have additional protection under the GDPR (in the UK likely to be regarded as anyone under the age of 13). Parents will need to give consent where a child is planning to use a service; this may mean that you need to collect dates of birth (and have some verification of same).
    Individuals may also give consent verbally – for example via a conversation with a call centre. Your systems need to be able to record this and ideally issue a digital receipt to the individual confirming what they have agreed.

    Lastly, consents can be withdrawn at any time – and this may mean that it becomes impossible to service a customer.

    Transfer of Data Outside the EU

    Organisations will not be able to transfer personal data outside the EU unless there are approved agreements and safeguards in place, both between your organisation and the receiving party and between the EU and the Data Regulator of the receiving country; it’s not enough to have passed your organisation’s legal and data risk assessments.

    There are a number of derogations, and for most organisations this will mean asking for an “informed” consent from the individual before making the transfer.
    This has implications for those using cloud-based solutions which run on servers that aren’t in the EU. Using an out-of-EU cloud provider, even where this is in effect a private cloud, would come within scope.

    If you are using a Platform as a Service (Database and CRM solutions are common) you will need to ensure that the data stays within the EU (so the service provider can’t move data around at their convenience) or that the locations are approved by the EU or that your organisation has consent from every individual to hold their data outside the EU.

    Right to be Forgotten & Correct Data

    The GDPR also brings in the right to be forgotten – a customer, supplier or member of staff can request that their personally identifiable data is erased from your organisation’s systems (including backup copies – after a restore the data on those that have been forgotten cannot come back!).

    This raises some interesting questions – if a customer’s details are recorded on a support ticket, should your organisation erase the ticket or just the relevant information (e.g. the individual’s email address and name)? However, problems will arise if the individual requesting the removal of their data works for a customer organisation and there is some later dispute as to who agreed the change.

    Personally identifiable data includes such things as IP addresses, even where the IP address belongs to a customer or supplier for whom an individual works. In October 2016 the European Court ruled that it was OK to store IP addresses for the purpose of preventing cyber attacks. However, if your organisation uses IP address data for anything else then this could fall within the scope of the act.

    The GDPR also mandates that individuals can ask for inaccurate data to be corrected (most likely after a subject access request which in most cases cannot be charged for and must be serviced within 30 days). Where this data has been shared with a 3rd party (for example an HR Services Provider) then the corrected data must be sent on to the 3rd party. Clearly, to be able to do this you need to know who your organisation has shared or is sharing data with.

    Data Portability

    Organisations may also have to provide data to users (or transmit to another organisation if requested to do so by the user) in electronic form. The GDPR suggests that a CSV file is sufficient but other standards will emerge – midata in the UK is commonly used by banks. Organisations must service such requests within 30 days and cannot charge for supplying the data.

    Increased Legal Obligations for Data Processors

    Another big change is that Data Processors (broadly defined as organisations undertaking some service using your organisation’s data) now have more liability under the GDPR. For example, if your organisation places data on systems (e.g. your e-commerce solution) in the Cloud then the cloud provider is a “data processor”. Your organisation must have appropriate legal agreements in place stating what the processor may do with your organisation’s data, how it’s protected and for what duration they undertake the service. Broadly speaking the contract needs to support the GDPR principles.

    Should there be a data breach, the data processor and your organisation could be fined. This may mean that existing contracts between organisations have to be rewritten.

    Notification of Breaches

    Once a breach has been detected, your organisation must report it to the relevant authority within 72 hours of becoming aware of the breach. Data Processors must inform your organisation of any breach without “undue delay”.

    Data Protection Officer

    Depending on the activity and volumes of data being processed, your organisation may also need to appoint a Data Protection Officer (DPO) who takes responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

    Awareness

    Over the last few months I have asked various technical and business colleagues about the GDPR and the usual response is “GD what?” I asked a project manager at a client about it this week and had the “GD what?” response – which was slightly amusing as across the large open plan office I noticed an area with a small team sign saying “GDPR”. A few companies have started to hire in project managers in this area (a scan of the job boards usually finds one or two openings) while compliance training companies have been running awareness and certification courses for over a year.

    Conclusion

    This is a long article and it doesn’t get into the many areas of fine detail or nuances of the GDPR and how it might affect your organisation. The guidance on best practice is still emerging, and much of the online content has been written over the last year (mostly by legal firms) as details emerged. A number of companies are offering consultancy on the GDPR as well as training courses.

    Based on my own research, I suspect that organisations will find many “grey areas” as they seek to be compliant. No doubt the regulator, in the event of a complaint, will take a common-sense approach where organisations present clear and strong reasons as to why they have taken a particular course of action but ultimately, some issues will be determined by court cases.

    What is clear is that all organisations need to be aware of the GDPR and actively determining what action they need to take to be compliant. May 2018 may be a way off, but if significant changes are needed then it will seem like a small amount of time indeed.

    Further information:

    https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr