The General Data Protection Regulation (GDPR) comes into force in just under a year, but if you are feeling confused or anxious about what you need to do to ensure compliance, don't worry - you are not alone. In fact, only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant come May 2018 (Marketing Week, 25th May 2017).
To help get your head round it, we've summarised answers to some of the questions we are most commonly asked:
GDPR is a European Union thing, right? So does Brexit mean UK organisations can ignore it?
Haha - nice try, but no! GDPR applies to ALL companies worldwide that process personal data of European Union (EU) citizens, effectively making it the first global data protection law.
What sort of data is covered by GDPR?
GDPR considers ANY data that can be used to identify an individual as personal data. This includes things previously not covered by data protection laws, such as genetic, mental, cultural, economic or social information. Yup - that's basically everything!
Does my 'cookie opt in' messaging cover me for 'obtaining valid consent'?
Errr - no way! In fact, the requirement for individuals to consent to you using their personal data is one of the most significant aspects - and the one most organisations will struggle to implement. GDPR requires all organisations collecting personal data to be able to prove clear and affirmative consent to process that data. However, most of the consent mechanisms on the market are not valid under the GDPR. We recommend Mydex, which provides a complete GDPR compliance service.
So what are the 'rights of the individual' that I need to comply with?
GDPR creates some new rights for individuals as well as strengthening some of the rights that currently exist under the Data Protection Act (DPA):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
How can I demonstrate that I comply?
To ensure GDPR compliance, you must:
- Document and implement a 'compliance framework' including things like staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - Data minimisation;
  - Allowing individuals to monitor processing; and
  - Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
Yikes! There are some new buzz phrases in there - what do they mean?
OK - here are the two big ones:
- Data protection by design (or 'Privacy by Design')
- Data protection impact assessments (or 'Privacy Impact Assessments' or PIAs)
Both are about being proactive about privacy rather than reactive, and conducting a PIA is therefore a fundamental part of the 'Privacy by Design' approach. PIAs are basically a risk assessment tool that you can use to identify and reduce the privacy risks of your activity. You can integrate the core principles of the PIA process into your existing project and risk management policies, to reduce the resources required to conduct the assessment and increase awareness of 'privacy by design' throughout your business.
What do I do now?
If you take nothing else from this blog post, remember privacy by design. Put data privacy at the heart of your business or organisation not because you have to, but because it is the right thing to do. A great place to look for inspiration is the Government Digital Service (GDS), which has written an 'ethical framework for data privacy' based on 6 principles:
- Start with clear user need and public benefit
- Use data and tools which have the minimum intrusion necessary
- Create robust data science models
- Be alert to public perceptions
- Be as open as possible
- Keep data secure
These 6 points just about sum up the purpose of GDPR. If you are a business, copy and paste them, replacing the word 'public' with 'customer' and you are on your way to your own privacy by design policy!