The minimalist guide to the GDPR

I was on a training course the other week with dozens of small to medium-sized business owners. As tends to happen at this kind of event, whenever I mention I work in cybersecurity, faces light up. And, as soon as we break for refreshments, people approach me with question after question. They want to know about one topic in particular – the GDPR.

To know more about the GDPR, watch Microsoft’s latest episode of Modern Workplace, which is available today.

I tell them what I’m about to share with you now.

The GDPR (General Data Protection Regulation) is complex, extensive, and if you’re running your own business, collecting data on individuals (clients, customers, employees), making sales calls, using email or direct mail to market your products or services, and databases to record your notes and contacts, you’re going to have to change the way you’re collecting, handling, and protecting data.

This new law comes into force on 25th May 2018 and affects all businesses, from sole traders to multi-nationals. This means that, long before that date, you need to understand three things:

  1. What it is.
  2. What you need to do to comply with it.
  3. What the consequences are if you don’t.

So let’s go through them, so you can then make informed decisions on what to do about the GDPR.

What is the GDPR?

The GDPR is a regulation. It was created to modernise and simplify data protection for international business by unifying regulation within the EU, and to give EU citizens and residents control back over their personal data. It applies to all companies that collect and process personal data (e.g. names, phone numbers, addresses, emails) and sensitive personal data (special categories include genetic and biometric data that can uniquely identify an individual, along with racial or ethnic origin, political opinions, religious/philosophical beliefs and data concerning health) of EU citizens and residents. The GDPR is ground-breaking, and is set to become the first global data protection law with time-specific breach notification guidelines and potentially hefty sanctions for non-compliance.

All businesses need to be ready for it by 25th May 2018, and this includes UK businesses, despite Brexit. The GDPR applies whether you’re a data controller or a data processor, which means you can’t outsource your liability.

What do you need to do to comply with the GDPR?

The GDPR specifies many requirements, is subject to interpretation, and there are many areas that are causing debate amongst those who are made accountable for it (lawyers, risk practitioners, data protection officers, and cybersecurity professionals). However, the main thing to note is that if you’re a UK business it’s essentially just a more proactive revision of the DPA (Data Protection Act of 1998) with more severe sanctions for non-compliance.

Briefly, you’ll need to:

  • Prove that you’ve been given explicit and continuous consent from data owners.
  • Respond to every request for information and the right to be forgotten.
  • Maintain an audit trail so you can show where you legally acquired your data.
  • Adhere to data minimisation, ensuring that your data processing only uses as much data as is required to successfully accomplish the given task and is not being re-purposed without further consent from your data owners.
  • Notify the correct data protection authorities within 72 hours of a data breach, and provide them with a detailed report.

So, let’s look at some of these key areas in a bit more detail, specifically the right to be informed, consent of the data subject, legitimate interests, right to object, appropriate security and data breach notification.

Right to be informed.

In case you’re thinking the GDPR doesn’t apply to you, as you’re not collecting any data, please think again. If you’re using any tracking tools on your website, like Google Analytics, then it does. Individuals accessing your website have the right to know what personal information you’re gathering about them, how you’re storing the information plus what you’re going to do with it. This also includes anything that can be traced back to an individual, for example, IP addresses, cookie IDs, online identifiers and device identifiers. Having a Privacy Policy on your website, which states exactly how you’re going to deal with all of these aspects will help you to comply.


Consent of the data subject.

If you’re using email marketing you must ensure you have permission to email your recipients. Under the GDPR you need to explicitly ask for permission to market to an individual by email, and you must be able to prove that they’ve opted in via your landing pages, check-out, opt-in, contact and registration forms. To comply with this aspect of the GDPR, ensure all forms on your website have tick boxes that are programmed correctly. If you’ve got pre-ticked boxes, double-check that the default settings are in order. Additionally, record exactly when you were given permission. If you get an email notification when an individual opts in, registers or checks out, ensure you store it securely so you can clearly show what your tick box or consent form said.

When it comes to your existing clients and customers, the GDPR says that if there’s another law that conflicts with it, you should abide by that law instead. If you’re a UK business, this means that the PECR legislation, which applies to email and telephone marketing, takes precedence. However, it’s worth noting that the UK government is currently considering whether to replace this and align it with the GDPR, so that explicit permission is gained when opting in.

When it comes to sales calls, although you don’t need to gain explicit consent, under the PECR you must check the TPS (Telephone Preference Service) if you’re contacting individuals, or the CTPS (Corporate Telephone Protection Service) if you’re contacting businesses, before making any calls. If an individual or organisation is registered with either and you call them, you’re in breach of the law.

Legitimate interests.

When it comes to sending letters, mailshots, brochures or catalogues in the post, interestingly, you don’t need explicit consent from recipients. Direct mail is allowed under the legitimate interests of your business if the content is relevant to the recipient and you can make it clear how they can stop getting future mailings.

Right to object.

Under the GDPR, when an individual asks you to stop marketing to them you must ensure it’s an easy process. This means you must provide a means to unsubscribe in your emails. On printed mailshots, brochures or catalogues you may want to give them a number to call, an email address to reply to, or a link to visit. Importantly, you must stop marketing to them when you’re asked to. You must also keep a record of this, for example via a ‘do not contact’ list.
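The consent, right-to-object and ‘do not contact’ points above all come down to one piece of record-keeping: an audit trail that shows when consent was given, what the form said at the time, and when the person asked you to stop. The following is an added example written for this page, not code from the article or any product; the ledger design, the form wording, the addresses and the IPs are all constructed. It treats a pre-ticked box as not amounting to consent, keeps the suppression list as a hash of the address so that it can survive an erasure request, and goes slightly beyond the text by also handling a request for information and a right-to-be-forgotten request against the same records.

```python
# Added example (not from the article): a small consent ledger and "do not
# contact" list. Every value below (form wording, addresses, IPs) is constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


def _utc_now(now=None):
    return (now or datetime.now(timezone.utc)).isoformat()


def _suppression_key(email, purpose):
    # Hash rather than store the address, so the suppression entry can outlive
    # an erasure request without itself holding the personal data.
    return hashlib.sha256(f"{email.lower()}|{purpose}".encode()).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str        # what was agreed to, e.g. "email-marketing"
    form_id: str        # which form on the site captured the consent
    form_text: str      # the exact wording shown beside the tick box
    prechecked: bool    # was the box ticked by default?
    ticked: bool        # did the person actively tick it?
    recorded_at: str    # UTC timestamp, ISO 8601
    source_ip: str

    def fingerprint(self):
        """SHA-256 over the record, so stored evidence can be shown unaltered."""
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

    def is_explicit(self):
        """Consent counts only when the person ticked a box that was not pre-ticked."""
        return self.ticked and not self.prechecked


class ConsentLedger:
    def __init__(self):
        self.records = []          # append-only audit trail of every sign-up seen
        self.do_not_contact = {}   # suppression key -> when the objection was received

    def record(self, email, purpose, form_id, form_text, prechecked, ticked, source_ip, now=None):
        """Log a sign-up; return the record only if it amounts to explicit consent."""
        rec = ConsentRecord(email.lower(), purpose, form_id, form_text,
                            prechecked, ticked, _utc_now(now), source_ip)
        self.records.append(rec)
        return rec if rec.is_explicit() else None

    def has_consent(self, email, purpose):
        """An objection always wins over any earlier consent."""
        if _suppression_key(email, purpose) in self.do_not_contact:
            return False
        return any(r.email == email.lower() and r.purpose == purpose and r.is_explicit()
                   for r in self.records)

    def object(self, email, purpose, now=None):
        """Right to object: stop marketing and keep a dated record of the request."""
        self.do_not_contact[_suppression_key(email, purpose)] = _utc_now(now)

    def export(self, email):
        """Everything held about one person, for answering a request for information."""
        return [dict(asdict(r), fingerprint=r.fingerprint())
                for r in self.records if r.email == email.lower()]

    def erase(self, email):
        """Right to be forgotten: drop the person's records; the hashed suppression stays."""
        before = len(self.records)
        self.records = [r for r in self.records if r.email != email.lower()]
        return before - len(self.records)


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ledger.record("Ann@Example.com", "email-marketing", "newsletter-v3",
                  "Tick this box to receive our monthly newsletter by email.",
                  prechecked=False, ticked=True, source_ip="203.0.113.5", now=t0)
    ledger.record("bob@example.com", "email-marketing", "checkout-v1",
                  "Keep me updated with offers.", prechecked=True, ticked=True,
                  source_ip="203.0.113.6", now=t0)
    print(ledger.has_consent("ann@example.com", "email-marketing"))  # True
    print(ledger.has_consent("bob@example.com", "email-marketing"))  # False: pre-ticked box
    ledger.object("ann@example.com", "email-marketing", now=t0)
    print(ledger.has_consent("ann@example.com", "email-marketing"))  # False: objected
    print(json.dumps(ledger.export("ann@example.com"), indent=2))
```

The point of storing `form_text` and `form_id` with each record, rather than just a yes/no flag, is that the question you will be asked is not “did they consent?” but “what exactly did they consent to, and when?”; the fingerprint lets you show the stored evidence has not been altered since it was written.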

Appropriate security.

When it comes to appropriate security, the requirements will vary from business to business. For example, these may include revising your processes around penetration testing/ethical hacking, network monitoring, employee awareness training, incident response management and data breach reporting, plus implementing new technologies such as encryption, tokenisation or pseudonymisation. It may also include something quite basic, like migrating your website from HTTP to HTTPS so you get the little padlock symbol in your browser bar (an SSL certificate). This demonstrates that a website has been authenticated and is not a fake site, and that it’s encrypting the data being transmitted. It provides a higher level of trust for people accessing a website and is essential if you’re storing any personal data on your website.

Data breach reporting.

Under the GDPR you must notify the relevant data protection authorities within 72 hours of discovering a personal data breach, meaning “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” You will also need to present a security breach report, which will need to include the facts surrounding the breach, the effects of the breach, the actions taken after the breach, and the DPO’s contact details if appropriate. With such a short timeframe it’s vital you have adequate people, processes and technologies in place to help you detect and respond.

What are the consequences if you don’t comply with the GDPR?

Under the GDPR there is a wide variety of sanctions that can be imposed, from written warnings to regular periodic data protection audits and fines. If it’s the latter, there are two categories of fine. These are stiff and range from €10 million or 2% of your organisation’s global annual turnover for the preceding financial year (whichever is greater) to €20 million or 4% of your organisation’s global annual turnover for the preceding financial year (whichever is greater).

In the spirit of full disclosure, please be aware that I’ve received compensation for promoting this #ad for Microsoft’s Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and Microsoft is one of them.
