What is GDPR?
The General Data Protection Regulation (GDPR) is a new directive which will come into force on 25th May 2018, superseding the 1995 Data Protection Directive. In a nutshell, GDPR harmonises the standards and creates a uniform data security law on all EU members. Besides EU member states being subject to GDPR, any company that markets goods or services to EU citizens also must adhere to the new regulation.
Considering Brexit, GDPR will remain in force as UK Law if the UK remains part of the European Economic Area but leaves the EU. Even if the UK were to leave the EEA, the UK would have to adopt equivalent or adequate regulations to lawfully transfer EU personal data to the UK from EU member states.
For non-compliance, companies that breach the new regulations of handling the data risk fines of up to €20m or 4% of global turnover along with future bans of processing such data.
What it means for CTI and our clients
GDPR is a hot topic and we have now included it as a specific subject within our Discovery phase when we engage on new projects, as how clients store and process customer data is often unique to that organisation.
Whilst there are unique characteristics on an organisational level, there are some key guidelines from which we can develop data strategy with you that fulfils the new regulation.
Transparency and disclosure to individuals
Companies must be transparent and provide accessible information to individuals about what is being done with their personal data including the following:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- Identity and contact details of any data controllers
- Details of transfers to third country and safeguards
- Retention period
Should an individual request to see a copy of the information a company or organisation holds about them (a Subject Access Request) then GDPR has changed in that you have a month to comply and, in most cases, you will not be able to charge for it.
Companies must be able to have provable and explicit consent that is granular for distinct processing operations and clear records must be kept to demonstrate such consent. ”by a statement or by clear affirmative action.”
This means that gone are the day where pre-ticked option boxes are allowed as GDPR has specifically banned them. Furthermore, consent needs to separate from other terms and conditions and should not be a precondition to signing up to a service.
Therefore, if you ask customers to agree to your website’s standard terms and conditions of sale when making a purchase, don’t state that you will be automatically opting them in to receive marketing communications from you or your third-party businesses.
Furthermore, GDPR now requires companies to provide simple and easy-to-access ways for individuals to withdraw consent. Should a request be made of a company to withdraw consent and have the data record deleted, then this needs to be complied with, including all records associated with the customer across all your system, within one month.
Lastly, in regards to children, GDPR contains new provisions to protect their personal data which includes ensuring that a privacy notice is written in a clear and plain way that a child would understand, as well as requiring a person holding ‘parental responsibility’ to provide consent for the child should they be under the age of 16 (in some member states, a minimum of 13).
More information on Consent Guidance can be found here from the ICO.
Accurate and minimal
Data must be “accurate and where necessary kept up to date.” Therefore, if a customer updates their information in one system, make sure it's updated in all your others as well. This doesn’t just include the data in your own databases, but third parties you've shared that data with as well. From a top-level view, this could be a monumental undertaking, especially if you consider the number of third parties who may process an individual’s data albeit inexplicitly - think of Google Analytics and data gathered for re-marketing activities.
However, if you adopt a principle of data minimisation, by way of collecting only that which is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed...” then you will avoid data bloating and losing control of data accuracy.
On a technical level, ensure that you have a “single point of truth” for where customer data is stored, e.g. if you have multiple systems or websites which capture data, make sure that this all feeds back into a central database, whether it be a CRM, customer financial software or simply an email marketing database. Ensure that any change to the customer data is fed up to this single system and then disseminated to your other systems on a timely basis in order to maintain accuracy and avoid breaches.
You may already be familiar with pseudonymisation and not be aware of it. If you have a transactional website which is connected to a payment gateway provider with an iframe and use tokenisation to avoid the need of expensive PCI compliance attributed to storing the actual, highly-sensitive, customer payment information on your website then you are already carrying out pseudonymisation.
In simple terms, pseudonymisation is a process to transform data in a way that stops it from being attributed to an individual without the use of additional information. In the above case, the token that is sent from your payment gateway provider that marries up with the merchant is the unique reference ID for someone’s card details rather than storing them in their entirety.
This works the same way for personal data so that any information stored on an individual is compartmentalised and becomes nonsensical without the corresponding ID which would be stored on a separate system.
With pseudonymisation in effect, should a data breach actually occur and data be stolen, the data would not expose specifically sensitive information about individuals/names but rather just the additional data.
Pseudonymisation, therefore, may significantly reduce the risks associated with data processing, while also maintaining the data’s utility. For this reason, the GDPR creates incentives for controllers to pseudonymised the data that they collect. Although pseudonymous data is not exempt from the Regulation altogether, the GDPR relaxes several requirements on controllers that use the technique.
What if there is a breach?
Currently, only some organisations are required to notify the Information Commissioner’s Office if a personal data breach is suffered. Companies are only required to notify the ICO of a breach where it is likely to, for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
GDPR now makes it mandatory for organisations to notify those directly affected, i.e. the customer, if it is likely the breach may “result in a risk for the rights and freedoms of individuals".
What to do now?
The 25th May 2018 will be upon us in a blink of an eye and so it is recommended that you are prepared well in advance for the implementation of the new regulation.
The Information Commissioner’s Office has a wealth of resources to assist you in taking the next steps to becoming compliant with GDPR including a 12 step checklist for what to do in preparation: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Furthermore, there is a useful self assessment tool provided by the ICO which can be found here: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
If you would like further information about how we can help you prepare your website for GDPR, then fill in the contact form below to get in touch.