Whether or not you're haunted by the General Data Protection Regulation, it's still coming to get you – and there's nowhere to hide! But does it really have to be a nightmare?
Earlier this month we were delighted to host a fantastic and informative seminar by law firm Paris Smith LLP about the GDPR that comes into force on 25th May 2018.
LLP Partner Laura Trapnell pulled off a bit of magic: she nailed the trick of neatly summarising a dry and intimidating subject in a way that was concise and upbeat. For anyone haunted by a sense of impending doom at the prospect of GDPR, she has some encouraging words. "Don't panic," she says, "GDPR shouldn't be too much of a culture shock provided we're all practising good data management under existing privacy legislation," before adding, "GDPR is like that existing legislation...but with more teeth!"
In short, GDPR is about giving individuals more rights and protections than they previously had under the Data Protection Act in how their personal data is collected, used and processed by organisations.
If we're managing our customers' data well and understand how we should be communicating with those customers, then the new requirements should feel - as the Information Commissioner's Office puts it - like an evolution not a revolution.
As Laura points out, several generations of people have been subjected to unwanted communications that they didn't specifically sign up for (spamming or junk mail) due to their contact details being shared between organisations or businesses. Previous legislation allowed for implied consent, or for companies to share our data with few checks and balances. To people who have received unwelcome and irrelevant marketing information, GDPR will feel like a redressing of the balance.
But if GDPR is an evolution of existing good practice, there's still quite a lot to take in – and the severity of the financial penalties for breaches of the legislation is frightening businesses, especially SMEs.
As a point of interest, the Information Commissioner's Office itself has stated in a blog that "it's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm... The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick." *
But there are real differences between the "old world" of the Data Protection Act and the GDPR which replaces it, and Laura suggests that nobody can afford to be complacent about the latter. It would be foolish to second-guess the ICO and the extent of the fines they will levy.
This blog is not an attempt to exhaustively outline or advise on GDPR itself; there are plenty of sources of authority able to consult on this, and law firms who can offer practical advice and guidance. But it is a reminder to all businesses, clients and readers to ensure they don't get caught out by GDPR next year.
I suggest businesses seek legal advice of their own to ensure they are ready for GDPR. It is something we need to think about, for sure - but it doesn't have to be a nightmare.
Some selected elements of GDPR in our own words.
The content below is not a point-for-point reproduction of the legislation itself, and it does not constitute legal advice.
- GDPR replaces the law we have on data protection and gives individuals more rights and protections in how their personal data is collected, used and processed by organisations.
- Under GDPR a company DOES collect people's data if it uses Google Analytics or any other tool that captures a person's IP address (as well as more obvious things like their name, email address, job description etc.).
- The laws on direct marketing already require organisations to have a private individual's explicit consent to send them marketing material. Under GDPR, this means consent cannot be inferred from silence or inactivity. For example, pre-ticked boxes on a website form, which must be un-ticked in order for a person to stop receiving communications from an organisation, are no longer allowed. Consent must be specific, informed, unambiguous and freely given.
- Consent must not be bundled in with other terms and conditions or made a requirement for the provision of a separate service. People must know exactly what they're consenting to, and an organisation cannot deliberately muddy or obfuscate this. For example, if an individual signs up for one thing and is then added to a list where they receive spam email about something only vaguely related, this is a breach of GDPR as well as of the existing laws on direct marketing.
- Don't forget that relying on consent is only ONE of a number of gateways that companies can rely on in order to process personal data legitimately. A better gateway might be "legitimate interest" or "in order to fulfil a contractual obligation". Where companies choose to rely on consent, they must be fastidious about recording consent to process data. They need to record when individuals give them consent to do this (opt in) and what those individuals were shown when they did so.
- When it comes to email and telephone marketing, PECR (Privacy and Electronic Communications Regulations) currently sits alongside the Data Protection Act and will continue to do so with GDPR until the ePrivacy Regulations come into force – hopefully by the end of the year.
- PECR allows a "soft opt-in" for a business to communicate with an existing client if it got that person's email address when the individual bought something, or negotiated to buy something, from the business – and provided the business is contacting the individual about something similar to the product or service they were originally interested in. Remember, PECR does not apply to business emails provided that the email address was lawfully obtained.
- However, PECR is going to be replaced, probably by stricter ePrivacy law. This is being debated now, so remain vigilant! It is probably wise to get clear, informed, unambiguous and freely given explicit permission to send marketing communications to all customers as soon as possible (i.e. before May 2018).
- Organisations who send out marketing materials must not conceal their identity and must be clear about the context under which they are sending the material.
- They must give clear information about how a recipient can withdraw their consent to receive marketing material in any media (opt out). It must be obvious how to do this.
- Businesses should keep a "Do not contact" list and always check the Telephone Preference Service before making live marketing phone calls. The penalties for contacting people who have withdrawn their consent could be severe.
- There is an alternative to using consent as a condition under which a business can process personal data. It is the condition of legitimate business interest. For example, a finance company chasing a debtor who is deliberately evading them (and who has changed physical address since incurring debt) would have the right, under GDPR, of sharing relevant data with a debt collection agency so the agency can locate the individual.
- If a company stores or collects personal data through its website, the site will need to be secured (i.e. served over HTTPS with a valid SSL/TLS certificate, so that data is encrypted while in transit between the visitor's browser and the site).
- Fines for breaches of GDPR could be 4% of annual turnover for the previous year or up to €20 million, whichever is higher.
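The points above on recording consent (when it was given and what the person was shown), on withdrawal being just as easy as opting in, and on keeping a "Do not contact" list describe a record-keeping procedure that is straightforward to implement. The consent ledger below is an added example written for this post; it is not code from the article, from Paris Smith LLP or from the ICO, and its purpose names, customer identifiers, notice versions and sample events are all constructed for illustration. It refuses to store an opt-in that was pre-ticked or bundled with other terms, keeps every decision as an immutable, timestamped event, and answers "may we contact this person for this purpose?" from the latest recorded decision, treating silence as no consent.

```python
# Added example: an append-only consent ledger for marketing permissions.
# All identifiers, purposes and sample data here are constructed for
# illustration and do not come from the original article.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or opt-out decision; frozen so the audit trail cannot be edited."""
    subject_id: str        # internal identifier for the person (constructed)
    purpose: str           # what the decision covers, e.g. "email_marketing"
    granted: bool          # True for opt-in, False for opt-out / withdrawal
    recorded_at: datetime  # UTC timestamp of when the choice was captured
    notice_version: str    # version of the wording the person was shown
    evidence: str          # how it was captured, e.g. form and field name


class ConsentLedger:
    """Records consent decisions per purpose and answers 'may we contact?'."""

    ALL_PURPOSES = "all"   # used only for a blanket opt-out (do-not-contact)

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purpose: str, notice_version: str,
                      evidence: str, *, affirmative_action: bool,
                      bundled_with_terms: bool,
                      at: Optional[datetime] = None) -> ConsentEvent:
        """Store an opt-in only if it was specific, unbundled and actively given."""
        if not affirmative_action:
            raise ValueError("consent cannot be inferred from silence or a pre-ticked box")
        if bundled_with_terms:
            raise ValueError("consent must not be bundled with other terms and conditions")
        if purpose == self.ALL_PURPOSES:
            raise ValueError("an opt-in must name a specific purpose")
        event = ConsentEvent(subject_id, purpose, True,
                             at or datetime.now(timezone.utc), notice_version, evidence)
        self._events.append(event)
        return event

    def record_opt_out(self, subject_id: str, purpose: str, evidence: str,
                       at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal needs no checks; purpose 'all' puts the person on the
        do-not-contact list for every purpose."""
        event = ConsentEvent(subject_id, purpose, False,
                             at or datetime.now(timezone.utc), "n/a", evidence)
        self._events.append(event)
        return event

    def may_contact(self, subject_id: str, purpose: str) -> bool:
        """Latest decision wins; a blanket opt-out counts; no record means no consent."""
        relevant = [e for e in self._events
                    if e.subject_id == subject_id
                    and e.purpose in (purpose, self.ALL_PURPOSES)]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.recorded_at).granted

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, oldest first (what, when, what they saw)."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)


def demo() -> Dict[str, bool]:
    """Walk through constructed sample events and return the resulting permissions."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    ledger.record_opt_in("cust-001", "email_marketing", "privacy-notice-v2",
                         "signup form: 'send me product news' ticked by the user",
                         affirmative_action=True, bundled_with_terms=False, at=t0)
    ledger.record_opt_in("cust-002", "email_marketing", "privacy-notice-v2",
                         "signup form: 'send me product news' ticked by the user",
                         affirmative_action=True, bundled_with_terms=False, at=t0)
    ledger.record_opt_out("cust-002", ConsentLedger.ALL_PURPOSES,
                          "unsubscribe link clicked", at=t0 + timedelta(days=30))
    try:
        ledger.record_opt_in("cust-003", "email_marketing", "privacy-notice-v2",
                             "signup form: checkbox was pre-ticked",
                             affirmative_action=False, bundled_with_terms=False, at=t0)
        preticked_accepted = True
    except ValueError:
        preticked_accepted = False
    return {
        "cust-001 email": ledger.may_contact("cust-001", "email_marketing"),  # True
        "cust-001 phone": ledger.may_contact("cust-001", "phone_marketing"),  # never asked: False
        "cust-002 email": ledger.may_contact("cust-002", "email_marketing"),  # withdrew: False
        "pre-ticked accepted": preticked_accepted,                            # rejected: False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit trail is what you would show the ICO if asked: for each person it lists every decision, when it was made, which version of the privacy wording they saw and how the choice was captured. Because events are only ever appended, a later opt-in after a withdrawal is honoured but the earlier withdrawal remains on record.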
The ICO provides authoritative guidance about GDPR. Its website can be found here: https://ico.org.uk/