By Darren Craig
As most readers will already know, the GDPR, General Data Protection Regulation, comes into force in May 2018. This major change to data protection and privacy legislation applies to any organisations that employ or serve EU citizens, which makes it pretty much a universal obligation for businesses in the UK. The penalties for non-compliance with GDPR legislation are potentially crippling – in serious cases, you can be fined the larger of €20 million or 4% of your previous year’s turnover.
So what are the key challenges facing organisations in the run-up to GDPR? In this blog, we look at five of the most common issues that Northdoor has been helping clients to tackle, starting with:
Under GDPR, you must be able to prove that any EU citizens you contact have consented to your use of their data for this purpose. “Consent” is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The key point to note here is that you will need a positive decision for, rather than just the lack of a negative decision against. What’s more, you’ll need to be able to record this consent in an auditable form, and to show that it didn’t involve misleading or intimidating the person giving the consent. Finally, you’ll need to make it just as easy for people to withdraw their consent as it was to give it in the first place.
There has been extensive speculation about how the law will apply in B2C versus B2B contexts. Northdoor’s view is that there is no distinction between (for example) business email addresses and personal email addresses if they both name the person in a way that makes them identifiable.
However you and your legal advisers decide to implement the consent requirement, you will need to consider how to store and manage the consent status across any relevant systems in a secure, provable, error-free and cost-effective manner. Given the likelihood that you’ll also be interacting with third parties (supply-chain partners, external marketing agencies and so on), you may need to think about a centralised repository that securely aggregates data from multiple internal and external systems, and can push/pull consent information to and from them.
When an individual no longer wishes you to store or process their data, GDPR empowers them to ask you to erase it. As this needs to happen within a reasonably short timescale, you will need a rapid and efficient way to process requests for erasure and ensure that they are implemented across all systems, databases, and other repositories (both online and paper-based). The right to erasure also extends to archived data in backups.
To avoid fines for non-compliance within the expected timescales, you may need to introduce automated workflows for triggering and confirming the erasure of data from multiple internal and external systems.
Third-party organisations are frequently involved in data breaches, such as the high-profile infractions at Target and Home Depot in the US. In the digital age, where marketing at scale often involves working with external technology firms, the UK ICO has stated that it will keep a close eye on arrangements that have the largest potential impact on the privacy rights of individuals.
Under GDPR, you need to be able to prove that your third-party partners – for example, external marketing agencies – are applying your own (ideally high!) standards to data protection and privacy. Given the potential for large amounts of customer data to be involved, this implies that you may need to introduce considerable automation, and/or have systems that enable you to recall all data from third-party control at the touch of a button.
The potential impact of financial penalties and reputational damage from GDPR makes it vital to embed compliance in the organisational culture. Employees at every level need to consider how they would feel about their data being processed, and seek to apply to same standards to their customers’ data.
GDPR establishes accountability as an organisational principle. To meet the expectations of the legislation, companies should establish clear responsibilities and budgets for compliance, properly document and record the stores and flows of personal data through systems (both electronic and paper-based), and implement awareness training for staff.
As stated earlier in this blog, GDPR requires that consent be “freely given.” Where there is perceived to be an imbalance of power between the consenting party and the organisation, that consent will be deemed invalid. Given the nature of the employee-employer relationship, it could, therefore, be tricky for employers to rely on “consent” to process their employee’s personal data.
Under GDPR compliance, there are alternative routes for data processors: for example, employers could argue that they need to process employees’ names and bank account details to meet the obligations of employment contracts. Likewise, employers may have a legal requirement to process data on absences to enable the payment of statutory sickness pay.
In fact, it is thought that most organisations will claim a “legitimate interest” in processing employees’ personal data, and that this interest logically outweighs the employees’ rights to privacy. Employers should probably not try to rely on employee consent, and should instead explore the idea of pursuing legitimate interest as grounds for data processing.