Article:

General Data Protection Regulations - Am I bovvered?

23 November 2016

One of the biggest changes in data regulation will come into force in April 2018. It’s called the General Data Protection Regulations (GDPR) and it’s got a lot of businesses concerned.

What GDPR does is replace all existing national and EU data protection legislation in one fell swoop in all 28 EU states. In the UK, that means it replaces the Data Protection Act (1998) and the EU-inspired Directive 2002/58/EC on Privacy and Electronic Communications.

We may have voted to leave the European Union but that doesn’t mean UK businesses don’t have to worry about it. We are not going to trigger Article 50 before March 2017, meaning the new rules will come into force in April 2018, 10 months before we leave. Furthermore, if you intend to continue to conduct business within the EU then you will still need to comply.

So, what is GDPR, how do you start preparing for it and what are the consequences of getting it wrong?

The primary goal for GDPR is to “give citizens back the control of their personal data”. It sets certain benchmarks for the way consumer/citizen data is treated. One thing it does is subtly change the definition of consumer data.

At the moment, named business email marketing data, for example roger.jones@mycompany.com is considered as business data. That’s because Roger will be emailed at that address for reasons to do with the business he represents.

Roger’s “home” email address (for example roger.jones@gmail.com) is treated legally as consumer data because if he is sent a marketing email, he will be making personal decisions for himself on what he does with it. Under the GDPR rules, the first example will now also be classed, and subject to the rules, as the second.

So how does GDPR affect the way that personal data is treated?

It’s there to ensure that it is collected for “legitimate, explicit and specified” reasons. All of your company departments must ensure the following:

  1. Personal data must be processed fairly, lawfully and transparently
  2. Its scope must be kept limited to what a company needs for processing. Therefore, the fields have to be “relevant” and “adequate”
  3. A subject’s data must be kept up-to-date and accurate
  4. A subject’s data must be processed in a way to ensure maximum security.
  5. Personal data must be kept in such a way so that the person it relates to can only be identified for as long as it’s necessary for processing
  6. Individuals can demand that all personal data, whether live or on backups is deleted (The Right to be forgotten).
  7. Complaints can be made via clearly defined paths and at no cost to the individual.
  8. Data on children under 13 can only be held with the explicit permission of their parents
  9. Opt in, not out – data processing will require the approval of the individual in advance, it can’t be assumed. And the approval will be for a specific task only. So no more cookies on websites as a default

These new principles share many aspects with the current guidelines. They just take them a lot further.

So, what could my business expect if we get it wrong?

No system is perfect. No matter the care and due diligence you take it choosing a system to comply with GDPR and how well you implement it, there has never been a company or government security system built that the most talented hackers out there will not try to break.

If there is a data breach once GDPR has been enacted, you will have to inform the Information Commissioner's Office (ICO). After that, you’ll have to contact each customer with an individual assessment on how that person’s personal data or privacy has been affected. You must then record it in a log. At any time thereafter, the ICO can visit your premises. They’ll be looking to see whether you did everything you possibly could have done to prevent the breach.

If the ICO are not happy that you did everything you could to prevent the breach or that you have not followed the new rules, you can be fined up to 4% of your turnover.

As you can see, the GDPR is serious. It’s coming. It’s not particularly welcome in many quarters. But we all have to prepare for it nonetheless.

What do you need to do?

Your sales and marketing teams are probably underway already in making the necessary adjustments to comply with GDPR but it is something the technical side of your business has to be ready for.

What’s crucial is that both teams consult regularly to provide a robust system which everyone can use and which minimises the chances of breaches.

There are two main parts to complying with GDPR:

  1. What information is held legitimately?
  2. Who has access to the data?

For each database you have:

  • Build a picture of where personal data is in your systems. Consider reducing the locations to make data management easier. Don’t forget about all the spreadsheets that could be lurking on shared drives or in email inboxes.
  • Limit access to the data through strong password controls and ensure there are audit trails showing who has accessed, modified or moved what data.
  • Deploy encryption techniques to safeguard the data from unauthorised users, and keep the decryption keys safe. Any fields on any consumer you hold that doesn’t pass those tests will need to be permanently deleted from the database in such a way that the information can never be recovered.

From a sales and marketing point of view, what is really necessary?

Information such as previous purchases, credit scores, director profiles and more will, in the vast majority of cases, be considered fair. This information helps you understand your customers better. It makes interaction between your company and its customers much smoother.

More personal details about the directors or contacts within a company need further consideration. If the directors or contacts within a company have changed, there is no legitimate reason to keep the details of the previous individuals who have left their post. This information provides you with no useful additional insight that your sales and marketing teams can profitably use.

Take the next step

The GDPR presents many challenges and opportunities. Getting ready for it will make sure that your sensitive data will be compliant for years to come. It will make it much more difficult for disgruntled or careless employees to access. Hackers will find it more difficult to compromise your security.

The BDO Technology Advisory Services team will be helping lots of our clients make the hugely important transition to GDPR compliance. If you would like further information on this on any IT matter please contact: Gavin Davis on 0118 925 4400 or email gavin.davis@bdo.co.uk