We could be forgiven for having been somewhat distracted over the last few months when it comes to Europe and other international developments. As a result we may have missed the fact that the UK, which is so seemingly obsessed with opting out of things, has decided to opt in to the General Data Protection Regulation (GDPR).
Why should you care? I hear you ask. Well, apart from the fact that you should have robust data management processes in place to ensure the relevance and accuracy of your data, and should be in a position to ensure that you only send your clients and contacts information they actually want to receive, there are now very significant fines for failure to comply.
We might fall into the trap of thinking that this is simply about harmonising data protection legislation across the EU member states, but GDPR contains some significant changes that we need to be aware of.
Consent and Information
Interestingly, consent is probably one of the least significant changes. Certainly the definitions of what constitutes consent have been tightened, and there is now a greater requirement to record consent, but in many respects the core principles established by previous legislation are present here. There is a definite change in emphasis within this legislation, and additional responsibilities for data processors and for international data controllers and processors who market to EU data subjects.
The key thing to note about consent is that it has to be verifiable, it can be withdrawn at any time, and a failure to respond or to uncheck a box cannot be taken as consent.
If you already comply with the DPA consent regulations then you will not necessarily be required to re-obtain consent, but you need to be aware of these subtle changes.
Data subjects have been given additional rights. One of these is the right to be informed. So a clear action that we all need to think about is to re-evaluate our information and privacy notices. GDPR provides very specific guidance on what needs to be included in these sorts of notices.
The other key rights extended to subjects, in addition to the removal of the right for processors and controllers to charge an automatic fee for subject access requests, can be summarised as A.R.E.:
- The right of ACCESS – access to their data and to information about what is being processed
- The right to RECTIFICATION – contacts may now request that their data be corrected if it is not accurate
- The right to ERASURE – this is not the same as the right to be forgotten, but data can be erased in certain circumstances, e.g. if the subject withdraws consent or objects to the processing, or if the data is no longer necessary for the purpose
There are additional rights to rectification and portability, but the A.R.E. rights are likely to have the most impact on the marketing departments of most professional services firms.
Compliance and Accountability
One of the biggest shifts is that, historically, demonstrating compliance was a “reactive” obligation, e.g. something you did if you were under investigation. Now there is a specific obligation of accountability. This means that technical and organisational measures MUST be implemented to demonstrate that you comply, and documentation of all data processing activities must be maintained. As with previous data protection legislation, the firm's policies must be included in staff contracts and training, but there is definitely a move to a more proactive form of compliance. This is further reflected in other changes, including:
- The need to appoint a data protection officer
- The need to ensure that data processor contracts and obligations are tightened
- The tightening of obligations around reporting data breaches, and the need to demonstrate proactive attempts to prevent them rather than simply reacting and reporting when they occur
- The need to actually demonstrate and document the legal basis on which you justify why you should be allowed to process data in the first place
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
On the surface some of these changes might seem superficial, but together they amount to a 180-degree shift in obligations, requiring firms to proactively avoid issues and demonstrate compliance.
So what are the key things you need to remember?
1. Define your legal basis for data processing
2. Identify your data protection officer
3. Evaluate your procedures for reporting data breaches
4. Evaluate your contracts with data processors
5. Understand your definitions for both "consent" and "explicit consent"
6. Remember the subject's rights - A.R.E.: Access, Rectification, Erasure. How able are you to comply with these?
7. Prepare for the accountability principle. This means that compliance is now PROACTIVE not REACTIVE, i.e. organisations must show how they comply, not just "defend" against an accusation of non-compliance
8. Evaluate the data you hold on data subjects. Personal data definitions have been tightened, e.g. an IP address is now defined as personal data
9. Evaluate your data management processes - are you able to comply with the accuracy principles?
10. Evaluate your privacy statements and email marketing preference management processes