GDPR – you’re sure to have come across it recently. It’s the reason why you’ve been inundated with e-mails from various companies asking you if they can carry on sending you e-mails. And if you’re a business (or any organisation for that matter) then you should pay particular attention to this new law, because it affects you in more ways than you think!
What do I know?
Let me start by explaining why I know a bit about GDPR. I have 3 reasons. First, I run a business (Nettl.com) so I need to make sure I’m on the right side of this new law. Secondly, I’ve had to get to grips with GDPR because it has a significant impact on our customers’ websites that we build, as you’ll find out below. Thirdly, I know about GDPR because I’m an individual, a human at that. And GDPR gives me rights over my data in a way I didn’t have before. I like knowing my rights, and you should too! But I’ve had to learn what I know, and I’m not in any position to give legal advice (it’s not what I do!). So this quick guide is here to start you off, but you should seek your own legal advice and do your own research to properly understand how GDPR affects your organisation.
Let’s start from the top. GDPR stands for General Data Protection Regulation. It’s a new law that came into effect on 25th May 2018. It’s designed to protect personal data, which means any data that can identify a living individual, either on its own or in combination with another piece of data. The data we’re talking about includes what you’d expect, like your name, address, e-mail and NI number, but also things like your IP address, the number assigned to your connection by your Internet Service Provider when you browse the internet.
GDPR is actually an EU regulation, so it applies directly in every EU member state. So you may ask “what happens after Brexit?”. Well, GDPR is Brexit-proof. In the UK it has been written into the new Data Protection Act 2018, which is UK law in its own right. So even after Brexit plays out, we’ll still be subject to the GDPR rules in full.
The Information Commissioner’s Office (ICO) is an independent public body which reports directly to Parliament. Its role is to uphold information rights and enforce laws such as GDPR. If you’ve not come across the ICO before, it’s worth taking a look at their website www.ico.org.uk. It’s packed with information about information!
It’s worth noting that the ICO is not shy of taking action when it deems it necessary. This month it fined BT £77,000 for sending nearly five million nuisance e-mails to customers. Public bodies are not immune either: Gloucestershire Police were fined £80,000 for sending a bulk e-mail with its 56 recipients’ addresses in the “To” field instead of the “Bcc” field, which meant every address was visible to everyone on the list. (It was quite a significant security breach, because it revealed the identities of abuse victims.) Both of those fines were actually issued under the pre-GDPR rules (PECR and the old Data Protection Act 1998), and the maximum penalties under GDPR are far higher, so there is every reason to expect the same appetite for enforcement.
Don’t be under the illusion that only big organisations are on the ICO’s radar. A small newsagent in Coventry was fined for failing to register with the ICO while using in-store CCTV. Take note: if you use CCTV in your business, you need to register with the ICO and pay the data protection fee!
Key principles of GDPR
Let’s now delve a little deeper into GDPR. Every organisation is different in what information it collects and how it uses it. So my explanations below are extremely brief and rather generic – this is supposed to be a quick guide after all! For more details on how this affects your organisation look at the ICO website or take legal advice.
Lawfulness, fairness and transparency
Transparency means you must clearly tell people what you will use their data for. Fairness means you only use the data in ways people would reasonably expect and that don’t have an unjustified adverse effect on them. And lawfulness means you need a lawful basis for processing the data at all. GDPR gives you six lawful bases to choose from:
- Consent – you have consent to process the data
- Contract – processing the data is necessary for part of a contractual obligation or for entering into a contract
- Legal obligation – processing the data is necessary to meet your legal obligations
- Vital interests – processing the data is necessary to protect someone’s life
- Public task – this reason is most relevant to public authorities, who can process data in the exercise of official authority or to perform a task in the public interest.
- Legitimate interests – this is the most flexible basis, in that the interest can be your organisation’s own or a third party’s. But you need to be able to clearly identify what the legitimate interest is, show that the processing is necessary to achieve it, and balance it against the interests and rights of the person whose data is being processed.
Purpose limitation
You can only use the data for the purpose you said you would use it for.
Data minimisation
The data you collect must be adequate, relevant and limited to only what is necessary.
Accuracy
You need to take reasonable steps to ensure the data you hold is accurate and, where necessary, kept up to date.
Storage limitation
You should keep data for only as long as necessary. The retention period will clearly be different for different organisations. Your doctor’s surgery will probably keep all your data for as long as you are their patient. A taxi firm probably doesn’t need to keep your journey details for long after you’ve completed the journey.
Integrity and confidentiality (security)
It is your responsibility to take appropriate steps to keep the data you hold secure. Do you store data on unencrypted laptops? Do you lock paper records away? This principle is particularly pertinent to websites, especially where you have a registration or contact form asking for personal data. If your site is served over plain http, anyone sitting on the path between the visitor and your server (on the same café Wi-Fi, for example) can read or alter what the form sends. So you should make sure your site has a TLS certificate (still usually called an SSL certificate) and is served over https. This encrypts the data in transit between the web browser and your server, so that even if it is intercepted, it can’t be read. You’ll know a page is using it if you see “https://” instead of “http://” in the address bar, and most browsers show a padlock icon too (newer browser versions are also starting to label plain http pages as “Not secure”). Two caveats: the certificate only protects data on its journey to you, not what you then store or e-mail to yourself, and the protection only applies if the form actually submits to an https address, so check where your form posts its data, not just the page it sits on.
So there you have it, the 6 key principles of GDPR. Clear now? No, I thought not. Seems like a lot of work, and you still don’t know why you need to do all this in your organisation right? I find that looking at GDPR from the point of view of you as an individual, helps bring home the true purpose of GDPR, so let’s do that now.
What does GDPR actually do?
To really make sense of GDPR, let’s look at what rights it gives you and me as individuals. Again, the individual rights below have been taken directly from the ICO website where you will find lots of in-depth information.
- Right of access : you have the right to ask for a copy of the data an organisation holds on you. The organisation normally has one month to comply, which can be extended by a further two months for complex or numerous requests, and in most cases it can’t charge you for it.
- Right to rectification : when data is inaccurate or incomplete you have a right to ask for it to be updated.
- Right to erasure : you have the right to be forgotten by an organisation, and ask them to remove all the data they hold on you. Bear in mind this right is not an absolute right, and only applies in certain circumstances. You can’t ask the DVLA to forget all the points on your licence I’m afraid!
- Right to restrict processing : you can ask an organisation to stop using your data for certain purposes while still retaining it, for example while you are disputing its accuracy. Closely related, and the real reason you need an unsubscribe link on your e-mail newsletters and a consent tick-box on your website’s contact form, is the right to object (below) together with the PECR marketing rules. Remember it has to be opt-in to receive marketing material, not opt-out. So you can’t have a pre-ticked box, or one that says “untick this box if you don’t want to receive marketing from us”. Under GDPR a pre-ticked box or silence does not count as consent.
- Right to data portability : you have a right to ask for the data you supplied to an organisation in a structured, commonly used and machine-readable format, and to ask for it to be passed on to another organisation where that is technically feasible. (The format isn’t tightly defined; a CSV export would usually count.)
- Right to object : you have an absolute right to stop your data being used for direct marketing – and the organisation must comply.
- Rights related to automated decision making including profiling : remember the comedy sketches where “computer says no”. Well GDPR says (amongst other things) that if an organisation uses automated decision making that has a legal or similarly significant implication for you, then you have the right to request human intervention.
Hopefully, by considering your rights as an Individual through GDPR, you can see why and how the key principles above come in to play.
What were all those e-mails about?
During the months and weeks leading up to 25th May 2018, you will probably have received e-mails from many organisations asking you to confirm if you would still like to receive e-mails from them in the future. What was all that about then?
Remember “consent” in the lawful bases above? Under GDPR consent has to be freely given, specific, informed and unambiguous, and you need to be able to prove when and how someone gave it before you send them direct marketing by e-mail. As many organisations have built up their databases over many years, they don’t always have that proof. So these “can we still e-mail you” e-mails were an attempt to get fresh consent in time for when GDPR came into effect.
However, GDPR doesn’t operate alone here. There is another law called PECR (the Privacy and Electronic Communications Regulations) which sets the specific rules for electronic marketing and applies alongside GDPR. PECR lets you treat your existing customers as a “soft opt-in”: you can still send them marketing e-mails as long as you collected their details in the course of a sale (or negotiations for one), the e-mails are about your own similar products or services, you gave them a clear chance to opt out when you collected the details and in every message since, and they haven’t taken it. So a bit of good news for you there! The bad news is that the EU ePrivacy Regulation that is meant to replace the directive behind PECR is still being negotiated, and it could well be stricter. So you should still start getting explicit opt-in from your new customers, and keep a record of when and how they gave it.
What is an organisation to do?
Like I said at the start, I don’t give legal advice. You need to make your own assessment as to how you will comply with GDPR. But there’s one area where I can help: your website. There are 3 things you should consider for your website (and these are what we have been implementing for our own customers over the last few months):
- Make sure your contact forms comply. As I said above, you need explicit consent to add someone to your mailing list, and they have to actively opt in to receiving marketing e-mails from you. So take a good look at your contact form: the marketing tick-box must be unticked by default, separate from any “I agree to the terms” box, and worded so it’s clear what they are signing up for. You also need to keep a record of when, where and to which wording each person consented, because under GDPR the burden of proving consent is on you. We have integrated Mailchimp into the sites of many of our customers; it supports double opt-in sign-up and keeps a record of each subscriber’s opt-in and unsubscribe, which helps you stay on the right side of the rules when sending out your marketing campaigns.
- Get Secure. Your website should have a TLS (SSL) certificate and be served over https. This ensures any data sent to your site from a form is encrypted in transit. Remember it only covers the journey to your server; once the data arrives, the security principle still applies to how you store and handle it.
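To make the two website points above concrete, here is an added example (my illustration, not code from the original post or from Mailchimp) of what the server side of a contact form needs to do: refuse to accept personal data unless the request arrived over https, treat the marketing tick-box as opt-in only (an absent or unticked box means no consent, and the enquiry is still handled), and write a consent record that says when, from where and to which wording the person agreed. The function names, field names, the `marketing-v1` wording label and the sample submissions are all assumptions made up for the example.

```python
"""
Added example, not from the original post: minimal server-side handling of a
contact form with an opt-in marketing tick-box.

  (a) personal data is only accepted over https,
  (b) marketing consent is opt-in: an absent/unticked box means no consent,
  (c) a consent record is kept so you can later show when, where and to
      which wording the person agreed.

All names, field names and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Version the exact wording shown beside the box, so the record proves what the
# person agreed to, not merely that some box was ticked at some point.
CONSENT_TEXT_VERSION = "marketing-v1"   # assumed label
CONSENT_TEXT = "Tick this box if you would like to receive marketing e-mails from us."


def render_consent_checkbox() -> str:
    """Opt-in means the box is rendered unticked: never emit 'checked' by default."""
    return (f'<label><input type="checkbox" name="marketing_consent" value="yes"> '
            f'{CONSENT_TEXT}</label>')


@dataclass
class ConsentRecord:
    email: str
    consented_at: str          # ISO 8601 timestamp in UTC
    consent_text_version: str  # which wording was shown
    source: str                # which form/page collected it
    client_ip: str


@dataclass
class FormResult:
    accepted: bool
    reason: str
    consent: Optional[ConsentRecord] = None


def process_contact_form(fields: dict, request_scheme: str, client_ip: str,
                         source: str = "contact-form") -> FormResult:
    # 1. Refuse personal data that did not travel over TLS ("Get Secure" above).
    if request_scheme != "https":
        return FormResult(False, "form must be submitted over https")

    email = (fields.get("email") or "").strip()
    if "@" not in email:
        return FormResult(False, "missing e-mail address")

    # 2. Opt-in: consent exists only if the box was actively ticked. A missing
    #    field, or any value other than "yes", means no consent. The enquiry
    #    itself is still accepted; we just create no marketing record.
    if fields.get("marketing_consent") != "yes":
        return FormResult(True, "enquiry accepted, no marketing consent")

    # 3. Record when, to which wording, from where, so consent can be evidenced.
    record = ConsentRecord(
        email=email,
        consented_at=datetime.now(timezone.utc).isoformat(),
        consent_text_version=CONSENT_TEXT_VERSION,
        source=source,
        client_ip=client_ip,
    )
    return FormResult(True, "enquiry accepted, marketing consent recorded", record)


def can_send_marketing(record: Optional[ConsentRecord], unsubscribed: bool) -> bool:
    """Only mail people with a recorded opt-in who have not since objected."""
    return record is not None and not unsubscribed


if __name__ == "__main__":
    # Constructed sample submissions, not real visitors.
    ok = process_contact_form({"email": "alice@example.com", "marketing_consent": "yes"},
                              "https", "203.0.113.5")
    no = process_contact_form({"email": "bob@example.com"}, "https", "203.0.113.6")
    plain = process_contact_form({"email": "carol@example.com", "marketing_consent": "yes"},
                                 "http", "203.0.113.7")
    print(asdict(ok.consent))
    print(no.reason, "|", plain.reason)
```

The important design point is that the server never infers consent from a default: only the literal ticked value creates a record, and the record carries the wording version, because if you later change the text beside the box you need to know who agreed to which version. A mailing tool such as Mailchimp stores much the same fields for you; whichever you use, check that it keeps the timestamp and source, and that your unsubscribe link feeds back into the equivalent of `can_send_marketing`.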
If you would like to discuss your website needs drop us a message using our (secure!) contact form on our website.
So there you have it. A quick guide to GDPR. I hope you’ve found this useful!
Note to self: change the title of this blog post to a “quick(ish) guide” before publishing it. 🙂