Looking for your GDPR summary? Then keep reading…
In a world that is increasingly data-driven and where our digital fingerprints can be left in so many places, it’s never been more important for our private data to stay just that – private.
Fortunately, this is the aim of the GDPR (General Data Protection Regulation): to protect all EU citizens from breaches of data and privacy.
What impact will GDPR have?
Effective from 25th May 2018, GDPR’s biggest impact will be the extended jurisdiction it affords people’s privacy, as it applies to all companies handling the personal data of anyone within the EU, irrespective of the company’s location. So if you’re based in the UK but dealing with a company in the States then they will have to comply with GDPR when it comes to data-handling.
So who does GDPR apply to?
‘Controllers’ and ‘processors’ will both need to abide by the new GDPR rules. If you’re wondering who controllers and processors are, let’s take a look at an example:
A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So, the controller could be pretty much any organisation, from a profit-seeking company to a charity or government, while a processor could be an IT company responsible for the data processing.
With the introduction of GDPR, controllers and processors based outside the EU will still be subject to the new legislation if they are dealing with data belonging to EU residents.
However, the impact on B2B communications will be slightly different from the impact on B2C.
Can SMEs ignore GDPR?
Sadly not, although there are different requirements depending on the size of your company.
If your company has fewer than 250 employees, you must hold internal records of its processing activities where the processing could risk someone’s rights and freedoms or where the data concerns criminal convictions and offences.
If your business has more than 250 employees, it must keep more detailed records – including the name and details of the business, its data protection officer, why it’s processing the data and proof of data safeguarding for foreign transfers outside of the EU.
What are the penalties for breaching the regulation?
Penalties are split into two broad categories.
Under GDPR, if an organisation disregards the basic principles for processing data, it can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
There is a tiered approach towards fines depending on the transgression. For example, a company can be fined 2% (of annual global turnover) for breaches such as not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
To put things into perspective, under GDPR, TalkTalk’s record £400,000 fine in 2016 by the ICO would have cost the company an eye-watering £59 million. Here’s hoping they’ve learned their lesson…
What’s the deal with consent?
GDPR is raising the standards when it comes to consent. Companies will no longer be able to hide behind reams of illegible terms and conditions full of legalese, as GDPR requires that the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
For an example of the changes in practice, existing data protection law requires a clear, affirmative action, but the language used is often ambiguous and allows for companies to pre-tick an opt-in box on your behalf. To tackle this, GDPR affirms that pre-ticked opt-in boxes are not indications of valid consent.
A brilliant example of a compliant mobile notice. Recommended by the ICO.
A brilliant example of a compliant web notice. Recommended by the ICO.
GDPR will also strengthen the requirement for clear and plain language when explaining consent and decree that it must be as easy to withdraw consent as it is to give it.
The right to be forgotten
Article 17 of the regulation states that data subjects have the right to request the erasure of personal data – without undue delay – if one of the following applies:
- the personal data is no longer necessary for the purpose for which it was collected;
- the individual withdraws their consent (and the controller doesn’t need to keep it from a legal perspective);
- the subject objects to the data processing, under their rights as laid out by Article 21;
- the personal data has been unlawfully processed;
- there is a legal requirement to remove the personal data.
Data subject rights
GDPR grants people, in their capacities as consumers, citizens and so forth, a range of specific data subject rights. Learn more about the rights of data subjects.
What’s the upshot on cookies?
In the GDPR, we see the new cookie rules referenced just the once and that’s in Recital 30. It essentially tells us that cookies, where they are used to uniquely identify the device or the user or individual associated with the device, should be treated as personal data. Therefore the GDPR rules on consent apply.
In case you’re wondering, pseudonymous identifiers (like strings of numbers or letters) are still considered personal data under GDPR. This guidance is reinforced in Recital 26.
GDPR has different implications depending on whom you’re speaking to. For B2C marketing, the rules are pretty strict – you can only contact people about promotions or subject matters they have opted in to receive. Once that information has been sent you can no longer approach B2C contacts without further opt-in permission, and you can’t keep their details on file.
The rules are more flexible for B2B marketing, largely thanks to something called ‘legitimate interest’. In simple terms, legitimate interest says a business – i.e. the controller – can process a contact’s data when it can show a valid reason for doing so. So, what constitutes legitimate interest?
- The processing of data that is of a clear benefit to the receiving business
- When there is limited privacy impact on the individual
- When the individual can reasonably expect you to use their data in this way
In determining whether your B2B communications satisfy legitimate interest, you should ask yourself whether processing their data is a necessity. The Direct Marketing Association suggests something is necessary only if the communication can’t be achieved by other means.
In truth, this is all still a bit of a grey area. And, as should be a running theme in getting to grips with GDPR, if you’re unsure of anything then contact a legally qualified professional for clarity.
Whether you’re a data controller or data processor, the ICO has put together a useful checklist to help you prepare for GDPR.
If you’re still confused about how to go about tackling the GDPR elephant in the room, get in touch and let’s chat about how we can help.
When it comes to GDPR we know our stuff. But the information provided above is only that – information. It is not legal advice and cannot be relied upon as such. Should you need legal advice about GDPR or need to determine how GDPR might apply to you and your organisation, please speak to a legally qualified professional.