Since its introduction in May 2018, we’ve learned that the General Data Protection Regulation (GDPR) is a broad topic with many facets.
Where does a business begin if they want to grapple with the intricacies of the regulations? We’ll make a start by breaking them down for you.
GDPR is based around seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Some of these come into play more than others, but they all weave together and each principle is important. As long as you’re following these when you’re gathering and processing data, you’ll remain compliant.
To explore this topic further, let’s look at each part of the data gathering process individually.
Key principles involved: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; integrity and confidentiality; accountability
Data gathering is the process you use to acquire data from individuals. If your business has been running for a few years, data gathering applies to acquiring new data as well as how you’ve collected existing data.
In the run-up to the General Data Protection Regulation, companies scrambled to reconfirm permissions from their existing databases so that they could continue to send marketing emails without breaking the law. You may remember a slew of emails with subject lines like ‘let’s stay in touch’ from companies you’d forgotten about.
This turned out to be a useful exercise because firms could clear databases of uninterested customers and those with old email addresses, preventing ‘data graveyards’ full of old and useless information (more on that later). As a result, companies could really streamline their marketing and get to know their engaged customers better.
Know what information you’re asking for
In the spirit of data minimisation, pay attention to what information you’re asking for. Really challenge yourself on whether you need that info. For example, asking about someone’s previous home addresses when you don’t need them would be seen as superfluous, going against the data minimisation principle.
“Data for the sake of data can be a recipe for future problems,” said Daniel Milnes, a partner specialising in information law at Forbes Solicitors. “GDPR compliance is based on the legitimacy an organisation can attach to its use and holding of personal data and that purpose should be established before the data handling starts. It shouldn’t be thought up afterwards as a means of monetising a pre-existing stash of data.”
Of course, email isn’t the only way to collect marketing data. Read our guide on How to keep your marketing GDPR compliant for marketing done by phone, fax, post and more.
We’ve gone pretty heavy on the marketing side here, but the basic principles of the General Data Protection Regulation also apply to data you collect from individuals who aren’t customers. In any case, they’ll need to know:
- Who or what your organisation is
- Why your company needs the data and categories of personal data
- How long the data will be kept for
- Whether data will be transferred to a recipient outside the EEA
- That they have a right to a copy of their data
- Their right to file a complaint with the DPA, the right to withdraw consent at any time, and their right to have their data deleted
This information should be provided within one month of obtaining the data, and the person’s consent can be given orally or in writing.
Key principles involved: integrity and confidentiality; lawfulness, fairness and transparency; accountability
With data protection, you’re looking at organisation-wide measures to keep information safe. This is largely based around technology and systems, company policy and staff training. Let’s take them one at a time.
Technology and systems
You want to ensure that your tech is up to date enough to be compatible with newer software and hardware. Older systems could leave you more vulnerable to error because they likely won’t have the same capabilities and may not offer the higher level of protection that your organisation needs.
With that in mind, it’s important to keep your programmes up to date too – think anti-virus and firewall as well as existing programmes that you use daily. Updates will usually help the programme to perform more effectively and fix bugs from previous versions, including ones that could compromise data that you’re holding.
Encourage your staff to keep on top of updates so that your company is broadly working on the same updated programmes. If you can implement automatic updates on staff machines, all the better.
Reviewing your tech regularly can help you identify vulnerabilities that are specific to your business. It might be an idea to have a regular external audit to pinpoint these vulnerabilities.
The last element is staff training. Dyann Heward-Mills, ethics expert of the European Commission and CEO of HewardMills, says you need to provide different levels of training:
“There can’t be a one-size-fits-all approach across an organisation. Everyone should receive the basics in cyber security, with additional training on what to watch out for when working remotely. But then different functions should receive training specific to their roles.”
You have different options here. Opt for an external expert to come in and do training or, if your staff are working remotely, find online training courses such as the National Cyber Security Centre (NCSC)’s staff cyber security training package. They can give you access to professionals online and test staff on what they’ve learned.
All this being said, your tech, your company policy and your staff training need to work together for your protection to be at its best.
“Technical solutions which are not properly supported by the right policies and processes risk creating a false sense of security and in the event of a data centre breach, will be quickly undone by any ICO [Information Commissioner’s Office] investigation,” says Milnes. “A policy or procedure that is never enforced or maintained amongst staff will not be seen as effective and will do little good during an investigation into a data breach and the resulting measures taken to avoid a repeat breach.”
He adds that any ICO data breach reporting form will need details about the organisational and human elements of the breach and will be followed up. Issues will need to be addressed in any report and subsequent action plan.
To handle all of this, you might be thinking of taking on a Data Protection Officer (DPO). The ICO says that you’ll only need a data protection officer if you’re an authority or other public body, or you process certain information. Your DPO can be an existing employee or someone from outside the company.
Key principles involved: storage limitation; data minimisation; lawfulness, fairness and transparency; integrity and confidentiality; accuracy
There’s no set answer to how long you can hold on to data. The only rule is that you don’t keep it for longer than you need it – the shortest time possible, ideally. Even then, you need to justify why you’re keeping it for that length of time. It’s best to set data retention limits from the outset. When it reaches its endpoint, delete or anonymise the data.
For example, there is only a short-term interest in keeping the data on CVs, unless you need to keep the information to file for potential legal claims in future. Even then, the information could be out of date by the time you need it, so it wouldn’t be of use anyway.
Reviewing your data
Once you’ve established those data retention limits, it’s important to keep reviewing this data to determine whether you still need it. Not only that, but you’ll need to document your usage of it to keep in line with GDPR rules. You can keep data indefinitely if it’s for public interest archiving, statistical purposes or for historic or scientific research.
Regular audits help you sidestep the aforementioned data graveyards where you’ve got loads of unused and unnecessary data. It often just sits there clogging up your servers which ultimately comes at a greater cost to you.
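The retention limits, the delete-or-anonymise step and the documented review described above, as an added example in Python (not code from the original article or from any organisation it quotes); the purposes, retention periods and sample records are constructed for the example, and the `anonymise` handling assumes that statistical data may be kept indefinitely only once identifying fields are removed:

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
# Retention limits per collection purpose, in days. Constructed sample values
# for this example; real limits come from your own documented retention policy.
RETENTION_DAYS = {
    "marketing": 365,     # delete once the period has elapsed
    "recruitment": 180,   # CVs: only a short-term interest in keeping them
    "statistics": None,   # may be kept indefinitely, but only in anonymised form
}

@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_on: date
    name: str
    email: str

def decide(rec: Record, today: date) -> str:
    """Return 'keep', 'anonymise' or 'delete' for one record under the policy."""
    if rec.purpose not in RETENTION_DAYS:
        return "delete"  # no documented purpose, so no basis for holding the data
    limit = RETENTION_DAYS[rec.purpose]
    if limit is None:  # no time limit, but identifying fields must not be kept
        return "keep" if rec.name == "" and rec.email == "" else "anonymise"
    return "delete" if today >= rec.collected_on + timedelta(days=limit) else "keep"

def run_review(records: list[Record], today: date) -> tuple[list[Record], list[str]]:
    """Apply the policy; return retained records and one audit-log line per record."""
    kept, log = [], []
    for rec in records:
        action = decide(rec, today)  # the log is the written evidence accountability expects
        log.append(f"{today.isoformat()} {rec.record_id} purpose={rec.purpose} action={action}")
        if action == "keep":
            kept.append(rec)
        elif action == "anonymise":
            kept.append(replace(rec, name="", email=""))
        # "delete": the record is simply not carried forward
    return kept, log

# Constructed sample data for the example, reviewed on a fixed date.
SAMPLE = [
    Record("r1", "marketing", date(2023, 1, 10), "A. Person", "a@example.com"),
    Record("r2", "marketing", date(2024, 3, 1), "B. Person", "b@example.com"),
    Record("r3", "recruitment", date(2023, 9, 1), "C. Person", "c@example.com"),
    Record("r4", "statistics", date(2021, 6, 1), "D. Person", "d@example.com"),
]

def review_sample() -> tuple[list[Record], list[str]]:
    return run_review(SAMPLE, date(2024, 6, 1))
```

Run against real storage, the same loop would issue the delete and the field-stripping update, and the audit log is what you keep to show the review actually happened.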
Where you store your data
Now would be a good time to reassess where you store your data as well. Programmes like Microsoft Excel are not recommended for large amounts of information as data may be entered inaccurately.
Jon Taylor, principal consultant at Conosco, recommends going for cloud software over a programme that relies on manual data entry.
“There’s one term you want to look out for when selecting a database: ACID. An ACID-compliant database guarantees that all updates and changes to data are atomic, consistent, isolated and durable,” he said.
“Without ACID compliance, you lose the assurance of data consistency despite errors, power failures or other mishaps.”
Just remember that individuals have a right for their data to be erased, should they request it.
Key principles involved: purpose limitation; lawfulness, fairness and transparency; integrity and confidentiality; accountability
In most instances, the consent that you’ll get will only be valid for the original purpose of the data collection.
But if your company has gathered data for legitimate interest, a contract or vital interest it may be possible to use it for a new purpose. However, you must check that the new interest is compatible with the original purpose. Think about the context in which the original data was collected. Is the data sensitive, for example? If it is, then you’ll probably need to get consent again. This page from the ICO goes further into compatibility.
There are stronger legal protections for more sensitive information like a person’s gender, religious beliefs, race, sexual orientation or their biometrics. This point is particularly noteworthy when thinking about your staff as you’re likely to hold more of their personal details.
Individuals also have rights if their data is being used for automated decision-making processes or profiling.
Once you’ve absorbed the information above, there are other places that you can go for additional advice and examples. The UK Domain has content dedicated to the General Data Protection Regulation under its legislation section. There are also lots of videos on sites like YouTube if you’re more of a visual learner, but be careful that these are up to date and provided by appropriate organisations, as you cannot rely on them for legal advice. The Information Commissioner’s Office (ICO) website is always a good place to start.
For dedicated help, it may be worth speaking to a professional. Many law firms will have specialists in GDPR; for cyber security related concerns, seek out a tech expert.
This article was brought to you in partnership with the UK Domain.