What is the GDPR?
GDPR stands for General Data Protection Regulation and is a new EU regulation aimed at strengthening data protection for EU citizens and residents, both within the EU and in the rest of the world. The idea is that (unlike the current directive) the GDPR will amount to one single set of rules across Europe, something which EU policy makers believe will make it simpler – and cheaper – for organisations to do business across the EU.
When does it come into effect?
25 May 2018 – so organisations have less than a year to get to grips with it.
What about Brexit? Is the GDPR still relevant if we are leaving the EU?
Absolutely. When the GDPR comes into effect, the UK will still be a part of the EU (albeit at the start of the withdrawal process), so compliance with the GDPR will still be needed. The Queen’s Speech earlier this year also confirmed that the GDPR will continue to form part of UK law even after the country’s withdrawal from the European Union next year – so either way, the GDPR is here to stay. Crucially, the GDPR will apply to any companies worldwide that process personal data of EU citizens – so even if an organisation is based in the US, for example, but supplies its products/services to EU citizens (both pre and post Brexit), it will need to comply with the requirements of the GDPR.
Who is affected?
Anyone who collects and processes personal data (defined by the GDPR as a ‘Data Controller’). This includes organisations that run websites or apps, as well as any organisations that use internal databases, CRMs or even just email.
What constitutes ‘personal data’ under the new regulation?
The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information. In short, there is hardly any personal data that will not fall under the new GDPR.
What are the consequences of non-compliance?
The maximum sanction for non-compliance with the GDPR is fairly onerous: fines of up to 20,000,000 EUR or up to 4% of annual worldwide turnover, whichever is the greater. It remains to be seen how these fines will be enforced in practice but considering the sums at stake, it is important that organisations get it right.
Who will be enforcing compliance?
Each member state must designate its own ‘Supervisory Authority’ (SA) to oversee and ensure compliance with the legislation. Here in the UK, it is the Information Commissioner’s Office (the ICO), which is the country’s independent authority set up to uphold information rights in the public interest.
What are the key components of the GDPR?
A major emphasis of the GDPR is transparency. There is a comprehensive list of information that must be made available to an individual before data is collected, including telling the user why the data is being collected, what it will be used for and the fact that he/she can amend the personal data or ask for it to be erased at any time.
Key to complying with these requirements will be a proper internal system for storing and processing data within an organisation. Depending on the nature of the business, an organisation may need to formally appoint a designated ‘data protection officer’. Questions such as ‘what data do we already store?’, ‘how did we obtain it?’ and ‘who do we share it with?’ will also need to be asked. For most companies, this will mean conducting a comprehensive internal audit to assess the current procedures, followed by a corresponding overhaul of the website’s terms & conditions to reflect the changes. Any amendments to the t&cs will almost certainly require legal input.
Being able to prove valid consent for using personal information is one of the biggest challenges presented by the GDPR. Simple language when asking for consent to collect personal data is key, and organisations will need to be clear about how they will use that information. Silence or inactivity will no longer be enough. Organisations will need to be able to show “unambiguous” consent involving a “clear affirmative action”. No one knows for definite what this will mean in practice, but the ICO has published some useful guidance notes (most recently in September) on what will constitute provable consent under the regulation and how, in practice, this will be achieved – https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/
So what might getting consent right look like in practice on a website?
There is a long list of what amounts to valid consent, but the headline is that pre-ticked boxes and blanket/otherwise vague consents will no longer cut it. Instead, the consent must be:
• a positive opt in – in other words, the individual is given a genuine choice and control over how their personal data is used and must take a deliberate action to opt in. For example: “I consent to receiving emails about your products and special offers” accompanied by an unticked opt-in box, as opposed to: “By entering your email address, you agree to us sending you emails about our products and services”.
• unbundled, specific and granular – consent for processing personal data must be separate from other terms and conditions and consent must be obtained separately for each distinct processing operation.
• prominent, clear and concise – consent mechanisms must be easy to use and the language used should be clear, concise and easy to understand.
• withdrawing consent – you must tell people how to withdraw consent and make it easy for them to do so.
Again, specialist legal advice will almost certainly be needed but in the interim, it is worth looking at the websites for companies such as Sainsburys, Waitrose and Age Concern, all of whom have had a go at amending the wording on their websites to try and reflect the requirements of the GDPR – see https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent
The GDPR is definitely happening and will bring considerable changes to data protection law in the UK and beyond. The fines for non-compliance are substantial and, even though there may be question marks surrounding how the regulations will, in practice, be enforced, organisations need to allocate time and resources as soon as possible to getting it right. Here are a few suggestions on how to get started:
• look at the ICO’s website, particularly its helpful checklist entitled 12 Steps to Take Now – https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf – and Getting Ready for the GDPR – https://ico.org.uk/for-organisations/data-protection-reform/getting-ready-for-the-gdpr/
• embark on an internal data audit to identify current practices and changes that need to be made.
• make sure key decision makers within your organisation know that the law is changing and what their new responsibilities are. Consider whether you need to appoint a data protection officer and consider circulating some form of internal memo, outlining the basics of the GDPR and explaining what needs to be done.
• the GDPR is lengthy and complex, so seek specialist legal advice where necessary, especially in relation to any revised wording you think might be needed on your website.
• having decided what changes you need to make, such as consent to receiving email newsletters, cookies and the company’s ts&cs, we can help you effect those changes when you are ready.