My first day in GDPR

Last week I was excited to be given the chance to attend a training course run by Perpetuum Training on how to get your business GDPR (General Data Protection Regulation) compliant in time for the legislation, which comes into effect in May 2018.

The day was run by legal and digital professional Will Roebuck, who is also a guest lecturer at Manchester University. I was eager to attend a seminar by a university lecturer, as having never attended university myself I thought that it would be a great experience for me. I wasn’t disappointed and I found that the day really set me up in good stead for getting KDR GDPR compliant.

I have a keen interest in the fundamentals of running a business and the legislation and policies that go behind that. Because of this and the fact that a large part of my role here is dealing with the data that we hold, our MD Mark thought that it would make sense to appoint me as the GDPR data protection officer for KDR. This is something that the ICO (Information Commissioner’s Office) is suggesting as part of their 12 steps to preparing for GDPR.

My main concern in the lead up to the legislation coming into effect is that all the news has reported on for the past 6 months is Brexit. Of course we must be prepared for the changes the UK leaving the EU will bring, however businesses have, in my opinion, a more pressing issue in their cyber security and getting GDPR compliant. People are simply not talking about GDPR enough and I fear that come December this year many companies will find themselves rushing to get compliant in time for the deadline.

Another issue that I have heard surrounding GDPR is that the businesses that are aware of it, are confused on the timescale compared to Brexit. Mark even overheard last week a cyber security company saying that because of Brexit, companies don’t need to comply with GDPR. This is incorrect and frankly very worrying that a company (that specialises in that sector!) is saying this.

GDPR comes into effect in May 2018 and the UK is due to leave the EU in March 2019. This means that companies have ten months of GDPR compliance needed, and even after Brexit has happened, if your company holds any data on an EU citizen you must comply. Professionals are fairly certain that the government will employ their own version of GDPR alongside it to compliment data protection here in the UK.

We started off our day by discussing what the implementation will mean. The overall impact of GDPR will mean that businesses have to be a lot clearer with their data terminology, tighter cyber security, take on more accountability for the data they hold, and consent policies are going to be completely reformed – meaning the end of ‘opt out’ or pre-populated tick boxes and automatic enrolling to marketing preferences.

Data Terminology

In one of the ‘12 steps towards compliance’ that the ICO has written it mentions that businesses should communicate their privacy information. But what does that mean?

Currently when your business collects any personal data on a subject, you must inform them of your identity and how you intend to use that information, amongst other things. This can usually be found in a privacy notice in the small print. Under GDPR there are additional things that you have to communicate to your service users.

An example of this is that companies will now have to inform service users of the data retention policy. This must be clearly and transparently written so that the general public can easily understand the terminology used. However, it is up to you and your board of directors to decide what that retention policy is. You are not permitted to keep data for ‘any longer than is deemed necessary’ but an acceptable retention period is not outlined in the article. The legislation expects your business to be able to decide this for yourself and clearly define why that decision has been made in your Privacy Notice.

The ICO also recommends that if you are a company where a percentage of your service users’ first language is not English, then you need to supply the privacy notice in that language. An example of this would be that county councils in Wales would also supply this in Welsh, or have an option to translate their whole website into Welsh.

As people will now have a stronger ‘right to be forgotten’ when data is obtained via consent, businesses must also document and include in their privacy notice if they determine a clause in the policy any reason that subject access (a data request) may be declined.

Take Control

Companies will need tighter policies in place to show that you comply with GDPR and the Data Protection Act (DPA). GDPR is not replacing the Data Protection Act, as previously thought.

You are expected to document everything about your data:

  • What personal data do you hold?
  • Where did that come from?
  • Who do you share it with?

Companies will be expected to inform any 3rd parties that you share data with if you find out any data you hold is incorrect or out of date, taking the responsibility away from the service user.

However, this doesn’t mean that the service users’ rights have changed, they have just become more enhanced.

As under the DPA, subjects still have a right to:

  • Subject access (a right to request any data that you hold on them)
  • Have inaccuracies changed
  • Be forgotten (deleted NOT archived)
  • Prevent direct marketing
  • Prevent automated decision making i.e. email subscription tick box pre-populated agreeing to it

The ICO suggests that ‘This is a good time to check your procedures and to work out how you would react if a subject asks to have their personal data deleted. For example, would your systems help you locate and delete the data?’

This factor may take some time to change for some companies, as I personally know that a few CRM systems used have a readily accessible archive feature, but make it more difficult to actually delete data.

GDPR has added a subject’s right to data portability, which is not under the original DPA. This means that when a service user requests access to the data your company holds on them, you must provide this information electronically and in a ‘commonly used format’.

Silence does not mean consent

One of the main changes under GDPR law is what defines as consent. The government have decided that consent will now have to be a ‘positive indication of agreement’. This puts an end to automatic enrolment (pre-ticked boxes) and no answer means service users don’t mind being contacted.

For example, if you email someone and in the small print in your signature it says something along the lines of “Please respond/click here if you do not wish to be added to our mailing list” and the person you have emailed does not respond, you cannot assume and sign them up to your newsletters. You must get an auditable (email, letter or recorded phone call) form of consent.

It came about in the news last week that the ICO had fined Flybe and Honda for different offenses against the Privacy and Electronic Communications Regulation (PECR). One online news forum headlined the story by stating that these companies were fined as they were trying to comply with GDPR. However, this is incorrect as both Flybe and Honda were in breach of the new legislation as well.

Flybe deliberately sent over 3.3 million emails to service users who had already informed them that they did not want to receive any form of marketing email from the company. Honda, on the other hand, sent out just under 290,000 emails to service users asking for marketing preferences and were unable to prove that they had ever received consent to contact them.

Personally, I find the ICO’s rigorous approach reassuring, as a member of the public I know that when GDPR comes into effect I can count on them to ensure that companies are compliant.

As with any legislation, there are grey areas, and a few of these seem to be surrounding consent. GDPR stipulates that no person under the age of 13 can give consent for themselves – it must be a parent or legal guardian. However, it does not state whether once the subject has turned 13 (as children do have a tendency to grow up!) they then have to reaffirm their consent, as the consent given before was not their own. This could also cause some issues for the health services where the age for consent is 17. And how would a company verify a person’s age, as when giving date of birth it is very easy to claim someone is older (or indeed younger) than they are.

Both GDPR and DPA refer to consent and explicit consent, but no definition of the difference is provided – leaving us to wonder if this is down to company policy to define, as with the retention period.

In the end

To conclude, my course was very informative and I really enjoyed Will’s presenting style. There was lots of room left for discussion and debate and it was good to be involved in the process so early on.

As more questions surrounding GDPR come out in the works, I will ensure that KDR will be ready to make small changes to accommodate the answers, and build on our sound GDPR compliance and strong cyber security.

What issues do you foresee with the new legislation?

KDR Recruitment is the home of the best Information Management and Analytics jobs.

This blog was originally published on LinkedIn. To read the original blog click here

You might also like: