If you’re someone in or amongst the digital, tech or marketing industry you’ve probably seen the term ‘GDPR’ being circulated at the moment. If you don’t know what it is, first of all, it stands for ‘general data protection regulation’ and it’s replacing the 1995/1998 Data Protection Act. It’s standardising, expanding and essentially modernising a wide range of privacy legislation into one central set of regulations to help further protect EU citizens from privacy and data breaches. It’s being put into place on the 25th of May, 2018. Before you ask, yes; we’ll all still have to adhere to these regulations once we leave the EU as the UK has already stated that compliance with GDPR will not be affected by Brexit.
As a company that places a high value on user privacy and data protection, our view is that GDPR is, frankly, a long time coming. In a world where technology is racing ahead with things like super targeted ads and the threat of AI-led security threats being bandied around, the need to protect how organisations use customer or user data is becoming increasingly important and the current DPA is simply getting out of date.
What are the key changes?
Organisations must now be extremely clear when asking for a user’s consent by communicating exactly how they will be using someone’s personal data. Consent from a user must be documented and it must be verifiable. Pre-ticked boxes or inactivity, which are prevalent within charity websites registration forms, do not count as consent under GDPR and therefore only an affirmative action such as ticking a box will act as clear demonstration of consent. Furthermore, when processing consent for multiple purposes, each must be clearly specified and distinguishable. For example, when a user ticks a box to register with an organisation’s website this doesn’t necessarily mean they consent to the organisation’s email marketing. Therefore a separate indication of consent would be needed in an equally intelligible and accessible way before sending them a newsletter.
This also means that organisations will have to go back through their mailing lists and ensure that everyone on there has previously explicitly consented to receiving their company newsletter. If they can’t prove this consent then the organisation will have to remove them.
There’s been a lot of talk of GDPR fines worth €20 million or the equivalent of 4% of annual turnover, but don’t panic. It’s important to note that these are the absolute maximum figures that would be issued and supervisory authorities can instead take a range of actions including warnings and reprimands before issuing fines.
It’s not clear-cut how much a fine would be for breaching regulations. However, what will be taken into account is how the organisation in question has actively tried to take steps towards data privacy and promoting a culture of compliance internally. In other words, intentions and attitudes towards breaches and GDPR as a whole will likely be taken into account.
Increased territorial scope
Essentially, the consequence of GDPR for any organisation that handles personal data outside of the EU is that they will also have to comply with European Data Protection Obligations if they either handle, monitor or process personal data belonging to anyone within the EU. This includes organisations based outside of the EU selling goods and services to any EU citizens, and also includes social networks that want to monitor and offer their service to EU citizens. It is important, for example, that UK and EU based broadcasters and media companies check with international vendors and third party suppliers, including cloud vendors, that they are GDPR compliant.
New data subject rights
Right of access
Anyone is now entitled to contact organisations to which they have given any personal data and request the information on where and why their data is being processed. This would also include transparency in the way that an organisation’s algorithms work to serve up personalised content, for example, how exactly an on-demand TV service generates suggestions to its users. The organisation then has to provide a copy of this data in its entirety and for free in an electronic format. It is therefore highly recommended that data is extremely well internally documented in an audit and part of the reason why data protection officers will be required in most cases, but more on them later. In the case of nonprofit organisations, volunteers will need to be kept just as up to speed on new data regulations as employees to ensure compliance across the entire organisation.
Right to data portability
This is the right for anyone to receive all of their own personal data stored by an organisation in a ‘commonly used and readable format’.
Right to erasure (or the ‘right to be forgotten’)
Anyone has the right to have their personal data held by a organisation erased permanently upon request.
If an organisation handling people’s personal data becomes aware of a data breach within their system they must notify their data subjects (everyone they store personal data on) within 72 hours.
Privacy by design
Privacy and data protection compliance should be considered from start to finish when designing systems rather than bolted on down the line. By approaching a project from the standpoint of privacy by design you can minimise risks of breaches and eliminate potential problems at an early stage. Data minimisation will become a legal requirement within GDPR, meaning organisations should only store and process data that is absolutely necessary for the completion of its duties. This includes limiting access to personal data to only those needing to carry out the processing.
Data protection officers
At the moment, organisations have to register their data processing activities with local data protection authorities. Instead, under GDPR, organisations will be required to keep internal records and an appointment of a data protection officer will become mandatory for organisations that regularly monitor or process personal data on a large scale. They must have thorough knowledge of data protection law and practices and cannot carry out tasks that may result in a conflict of interest.
So, should you be worrying?
No, but you should prepare. GDPR is indeed a fairly big subject which will undoubtedly require some additional research if these regulations are a concern to you or relate to your job responsibilities. There are plenty of online resources designed to educate you on the specific regulations and rules that will come into play at the end of May, so go ahead and do some reading if needed.
Cookies are not considered personally sensitive information therefore organisations can still utilise this form of customer data to provide a tailored experience. It’s the personal information about the individual that is sensitive; for example, names, religious background, sexual orientation and addresses.
How is GDPR a good opportunity?
As an example, newsletters should have much higher engagement rates since everyone receiving them will have explicitly consented to them, rather than receiving something they never wanted in the first place and therefore will never open. As a result of this need for explicit consent, levels of accuracy within segmentation should improve and organisations should ultimately gain much better insights into their audiences and consumer behaviour, allowing organisations to provide better quality content and customer service.
How has Joi Polloi prepared?
Even though we have always viewed privacy and data security as a priority within our work, we will be taking any necessary steps to comply with GDPR. We understand how important it is to help our clients adhere to GDPR and will ensure that the design, development and most importantly the handling of data within what we make is compliant and of the highest security standards.
If you feel your organisation needs a helping hand in preparing for GDPR then feel free to get in touch — firstname.lastname@example.org.