Getting to grips with GDPR: a basic guide

Back in the 1950s, Charlotte and her web demonstrated how careful dissemination of personal data to a specific audience could be an incredibly powerful thing. Spoiler: she did a fine job of saving the little pig, Wilbur, from the butcher’s block! Now we have a different type of web in our communities that can be even more powerful. However, this digital landscape poses many risks and has made it much harder to protect our data from those who would seek to exploit it. New legislation, the General Data Protection Regulations (GDPR), plans to address this by ensuring data collectors and processors plug up potential areas of weakness and take steps to protect us. But how do you ensure the personal data you collect as a business is GDPR compliant?

Given the imminent changes, we have been reading up on and learning more about what’s due to happen and what we’ll be doing about it. So, I thought I’d share what we’ve learned so far in the hopes that it helps you tackle any necessary changes. Please note, I am not a legal advisor and the information here is based on my own reading and training.

What is ‘personal’ data?

Personal data is anything that can be linked back to an individual, whether that be a date of birth, place of work, IP address, health record, and so on.

How does GDPR differ from the Data Protection Act 1998?

By 25 May 2018 the Data Protection Act (DPA) 1998 will be no more, but will be upgraded to the GDPR. At that point, your business should be well and truly addressing any potential issues around data collection and use.

What happens if you haven’t? Naturally this depends on your business and what kind of data you hold but, worst case scenario? Not only will there be a whole bunch of bad press, should there be something like a very public data breach… but you are likely to be fined an incredibly hefty amount. Whilst in all probability fines will be scalable depending upon the size of the business and severity of the infraction, to give you an idea of how serious the GDPR will be taking breaches, the guidance states that large businesses can expect fines of up to 20 million euros or 4% of global turnover, whichever is greater[1]. Not to mention the additional cost of fixing any security issues and possibly being subjected to further legal proceedings with personal claims from the individuals affected.

That would be your first major difference. Another big difference is that there are likely to be legal consequences for data processors as well as controllers, should there be a breach.

GDPR insists that contracts with third party data processors are also compliant, which could be EU or non-EU businesses working within or for EU companies. If they are not, this could also result in a prosecution. If you’re working with a business outside of the EU, you need to have a good, long look at your contracts with them and their privacy policies to ensure data they work with meets the criteria.

What are you collecting and why?

No doubt you have spent a long time building up your brand’s reputation, spent a considerable amount of money on campaigns to build trust with your customer base, invested in your employees to improve retention rates, and so forth. If you fail to understand the importance of protecting what you know about the people you engage with, whether internally or externally, you run the risk of all that going down the pipe. You may now be getting the sense that you can’t afford to ignore data protection. Not just for monetary reasons, but also to protect against damage to your reputation.

Firstly, consider what information you currently keep. Such as:

  • HR records
  • CVs and applications
  • Credit history
  • Health records
  • Criminal Record checks
  • Contact details
  • Location
  • Behaviour
  • Browsing history

Now assess why you are keeping this information. The changes to data protection law insists that what you have on file, you have for a specific reason. If you don’t need it, you need to (safely) ditch it by deleting, returning to the data subject, destroying… etc.

For information you think you should keep, do you have consent for what you are keeping or using it for? The GDPR makes it clear that consent is of the utmost importance. If you don’t have it, you need to ask for it. If you can’t get it, you need to get rid of it.

Are you seeking consent?

Before you have that knee-jerk reaction to being asked to delete, just consider how you would feel about someone keeping or using personal information about you. I don’t know about you, but I find all those unsolicited sales calls, emails, and letters bad enough. But, what if you found your GP practice sold your personal medical history to pharmaceutical or insurance companies[2]? Or your colleagues were informed of those past indiscretions, disciplinaries, credit issues, or criminal charges you’d given in confidence to a select few? What if you’re put at risk after someone purchases data about your internet habits that imply when your home is likely to be vacant[3]?

These are, of course, extreme cases. If consent isn’t sought though, how are you going to know what is happening with information about you?

GDPR sets out to address this as it has the data subject as the priority. Data subjects must be informed as to what information you are collecting, why, and how you’re likely to use it. This must be addressed in a privacy policy and in the terms & conditions, which must also be in layman’s terms so that anyone can understand it. If you need guidance here, the ICO has lots of information on what you should be considering as you travel through the processes and culture shifts necessary to achieve, not only compliance, but win customer or client confidence because you’ve put them first.

Protecting & storage of data

I expect this is one of those topics that could go on forever, fortunately this is a basic guide… With that in mind, consider where you store the data you collect. Are there paper copies? In the cloud? On discs? With an external company? Have you audited what you keep, where, why and how long for?

If not, you need to. You also need to assess what levels of security you have to prevent the loss, theft or destruction of a person’s data. This should also be done for third parties who handle the data you have. If they aren’t compliant, remember that you’re both liable in the case of a breach. If the software or tools you use are outdated, this needs to be addressed immediately. The NHS breach recently is a prime and, most likely, often cited example of how outdated systems and poor security can pose a huge problem. Don’t let that be you!

I haven’t exhausted all avenues that need to be considered for GDPR compliance, but I hope you’re now a little clearer on what you should be starting with at least. If we can all tighten up how we use and store what we collect, it not only protects our customers or clients, but also ensures the data we have works harder for us. It is more relevant to our needs, helping us to achieve our goals with ethically sourced information. I’m sure Charlotte’s children would embrace the new changes because, if you don’t have your data subject at the heart of all you do, you’re unlikely to make the impact you hope to on the world. How are you planning to make data collection and storage under GDPR work for you?

To see more updates, you can follow the SG LinkedIn page here or our team members here.

References

[1] https://www.out-law.com/en/articles/2016/may/gdpr-potential-fines-for-data-security-breaches-more-severe-for-data-controllers-than-processors-says-expert/

[2] https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/

[3] https://www.theguardian.com/technology/2017/mar/28/internet-service-providers-sell-browsing-history-house-vote

Leave a Reply

Your email address will not be published. Required fields are marked *