There’s been a lot of noise about the forthcoming General Data Protection Regulation (GDPR) legislation that comes into force on 25th May 2018. Our CEO, John Paterson, looks at the facts and offers practical tips for business owners in preparing for the change.
What is GDPR?
The GDPR is an EU regulation designed to protect the personal data of individuals in the EU (regardless of their citizenship), to ensure that data is not exported from the EU to countries that lack adequate data protection laws, and to make sure that individuals have control over how their data is used.
Privacy – What Privacy?
To readers outside the EU it must seem that we are fixated on “privacy”. Indeed, the modern concept of data privacy is a recent one, brought about by the changes technology has made to society.
The right to privacy from government surveillance is enshrined in many documents, including the UN Declaration of Human Rights (1948), the European Convention on Human Rights and the Fourth Amendment to the US Constitution. It wasn’t until the advent of the Internet that large corporations were also able to conduct what is, in effect, mass surveillance. In 1999 Scott McNealy, then CEO of Sun Microsystems, (in)famously said “You have zero privacy anyway. Get over it.” and Google’s then chairman, Eric Schmidt, made several public statements dismissing privacy concerns.
In the US there is almost no general privacy legislation; sector-specific laws such as HIPAA are the exception, and the rest is left to the god of free markets. If you want privacy then don’t use free services such as Facebook or Google Search. That’s the deal: the services are free and you pay by giving them your data so they can sell it to advertisers. There is also a host of legislation that gives government agencies broad access to data with very limited judicial oversight, particularly in the US.
Outside the EU only a few countries take privacy seriously, namely Australia, Canada and New Zealand. Other countries such as Russia and China are also trying to enforce that data on their citizens is stored only within their legal jurisdiction, but that is less about citizens’ rights and more about government surveillance. I’m told that in the Chinese language the closest pictogram to “privacy” is “loneliness”.
GDPR effectively exports the European notion of the right to privacy to any business that collects personal data on individuals in the EU, backed up by stiff penalties for non-compliance.
What GDPR Entails for Business
- Consent: for marketing, you can’t contact people unless they have explicitly consented (GDPR lists six lawful bases for processing in Article 6, but consent is the one most direct marketing will have to rely on)
- Data Breaches: strict reporting rules for data breaches
- Fines & Sanctions: Big fines for breaking the rules
- Right to Erasure: an update of the Right to be Forgotten
- Data Portability: Personal data must be made available to the citizen if they request it
- Data Protection: Data must be held securely
As of 25th May 2018 no organisation, regardless of where it is based, will be able to send marketing emails or SMS messages to individuals in the EU unless they have given explicit consent to be contacted by that organisation about that specific topic.
You’ll also need to record how and when consent was given, and what the person was told at the time, so that you can provide proof should the regulatory body (in the UK this is the Information Commissioner’s Office) receive a complaint.
Consent can be gained by a dedicated, unticked check box on a form, or by clicking a dedicated link in an email. A pre-ticked box, silence or inactivity does not count, and neither does handing over a business card or calling in on the telephone!
Needless to say, buying personal data in the form of mailing lists is dead: consent has to be specific to the organisation and the purpose, so the “bundled” consents a list broker claims to hold on your behalf are not valid.
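As an added example (not code from the original post or from Really Simple Systems), the following Python sketch shows the kind of auditable consent record the paragraphs above call for: every consent or withdrawal is an append-only event recording who, what, how, when and the evidence, and the question “may we email this contact about this topic?” is answered only from the latest recorded event. The contact addresses, topic names, channels and evidence strings are constructed sample data.

```python
# Added example, not code from the original post: an append-only consent ledger
# that records how and when each consent was given or withdrawn, per contact and
# per topic, and can answer "may we email this person about X?" together with
# the evidence trail a regulator would ask for. All sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    contact: str      # who: an identifier such as an email address
    topic: str        # what they consented to: one specific purpose, never "everything"
    action: str       # "given" or "withdrawn"
    channel: str      # how: "web-form", "email-link", "unsubscribe-link", ...
    at: datetime      # when, as a timezone-aware UTC timestamp
    evidence: str     # proof: form id, link token, privacy-notice version, source IP, ...


class ConsentLedger:
    """Append-only log: a consent is never edited, only superseded by a later event."""

    VALID_ACTIONS = ("given", "withdrawn")

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in self.VALID_ACTIONS:
            raise ValueError(f"unknown action {event.action!r}")
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware so the audit trail is unambiguous")
        self._events.append(event)

    def history(self, contact: str, topic: str) -> List[ConsentEvent]:
        """Every event for this contact and topic, oldest first: the proof trail."""
        return sorted(
            (e for e in self._events if e.contact == contact and e.topic == topic),
            key=lambda e: e.at,
        )

    def status(self, contact: str, topic: str,
               as_of: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Most recent event at or before as_of (default: now); None if nothing was ever recorded."""
        as_of = as_of or datetime.now(timezone.utc)
        candidates = [e for e in self.history(contact, topic) if e.at <= as_of]
        return candidates[-1] if candidates else None

    def may_contact(self, contact: str, topic: str,
                    as_of: Optional[datetime] = None) -> bool:
        """True only if the latest recorded event is an explicit consent that has not been withdrawn."""
        latest = self.status(contact, topic, as_of)
        return latest is not None and latest.action == "given"


# Constructed sample data (hypothetical contacts, topics and tokens, not real people).
AS_OF_MID_MARCH = datetime(2018, 3, 15, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice@example.com", "product-news", "given", "web-form",
                               datetime(2018, 3, 1, 9, 30, tzinfo=timezone.utc),
                               "form=newsletter-signup;checkbox=unticked-by-default;notice=v3;ip=203.0.113.7"))
    ledger.record(ConsentEvent("alice@example.com", "webinars", "given", "email-link",
                               datetime(2018, 3, 2, 11, 0, tzinfo=timezone.utc),
                               "token=4f1c09ab;notice=v3"))
    ledger.record(ConsentEvent("alice@example.com", "product-news", "withdrawn", "unsubscribe-link",
                               datetime(2018, 4, 10, 8, 15, tzinfo=timezone.utc),
                               "token=9a2e77c1"))
    # Bob handed over a business card at a trade show. That is not consent, so nothing
    # is recorded for him and every check for Bob answers "no".
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for contact, topic in [("alice@example.com", "product-news"),
                           ("alice@example.com", "webinars"),
                           ("bob@example.com", "product-news")]:
        print(f"{contact} / {topic}: may contact now = {ledger.may_contact(contact, topic)}")
        for e in ledger.history(contact, topic):
            print(f"    {e.at.isoformat()} {e.action:9} via {e.channel:16} evidence={e.evidence}")
```

The design point is that the check and the proof come from the same immutable record: a marketing send asks `may_contact()` for the specific topic, and a complaint is answered with `history()`, which shows the form, the timestamp and what the person was shown.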
You have 72 hours from becoming aware of a breach to report it to the supervisory authority, unless the breach is unlikely to result in a risk to the individuals concerned (Article 33). Where the breach is likely to result in a high risk to them, you must also inform the affected data subjects “without undue delay” (Article 34).
A breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Fines & Sanctions
Lots of scary headlines have been written about the draconian penalties for breaching GDPR. The maximum fines are €20 million or 4% of annual global turnover, whichever is higher.
But these are maximum penalties, in the same way that you could, in theory, be sent to jail for not buying a train ticket. In practice, if one person complains the regulatory body is unlikely to do anything beyond sending a warning letter. The penalties are there to stop the companies that flagrantly and repeatedly abuse GDPR, such as spammers and companies that make nuisance cold calls. And, of course, the EU’s favourite whipping boys, Google and Facebook.
Right to Erasure
Individuals can request that the data you hold on them be erased. There are some exemptions (for example where you must keep the data to meet a legal obligation), but in practice most businesses will have to comply. You must act without undue delay, and in any event within one month; for complex requests that period can be extended by a further two months, but you must tell the individual so within the first month (Article 12).
Data Portability
Individuals can request a copy of the personal data they have provided to you in a structured, commonly used and machine-readable format (Article 20). As well as the details they entered, that includes stored emails from them and their purchasing and payment history.
Data Protection
If you hold personal data then you have a duty of care over the safeguarding of that data. This includes restricting access to only those who need it to do their jobs and making sure the data is held securely. You also need to be able to demonstrate compliance with GDPR, which in practice means keeping records of what personal data you process, why, and on what lawful basis.
In certain circumstances, such as the processing of sensitive data (e.g. criminal records, health data) or automated decisions that have legal or similarly significant effects on people, you will need to conduct a Data Protection Impact Assessment (DPIA, often still called a Privacy Impact Assessment).
You may only transfer personal data to countries within the EU (and the wider EEA), to countries where the Commission has determined that there is an adequate level of data protection, or where another recognised safeguard such as the Commission’s standard contractual clauses is in place. The adequacy list currently comprises Andorra, Argentina, Canada (commercial organisations only), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Uruguay and New Zealand. Note that the list does not include the US as a whole; the Privacy Shield arrangement for certified US companies is discussed below.
Separating the fact from fiction
There has been a lot of misinformation about GDPR. Here I have taken a look at the most common misunderstandings.
US Companies Can Comply With GDPR
US companies can probably comply with GDPR, but only if they store personal data on servers within the EU. If they store it in the US then, despite what they may claim, they do not. This is a complex and disputed subject, but the logic goes like this:
- If personal data is to be transferred out of the EU, the individual must be told in advance
- The Safe Harbour arrangement, negotiated between 1998 and 2000 between the EU and the US, was designed to allow US companies to comply with EU data privacy law. However, in October 2015 the Court of Justice of the EU (ECJ) ruled in the Schrems case that Safe Harbour was invalid because it did not offer adequate protection
- In July 2016 the EU–US Privacy Shield was adopted as an attempt to overcome the ECJ’s objections. However, GDPR is much stricter than the previous directive, and the same underlying problem persists: the US government’s ability to access anybody’s data. There are minimal safeguards for US citizens’ data, and everybody else gets none
- On 12th April 2017 the Article 29 Working Party on data protection concluded that the EU–US Privacy Shield does not meet EU standards because, amongst other concerns, “The position on massive and indiscriminate collection of data for national security purposes is unclear.” In the current political climate in the US it is difficult to imagine the administration offering better protection to EU citizens than to its own
- It is an open question whether data held by US companies on servers in the EU is completely safe. In theory it should be, but the US government is still pursuing Microsoft through the courts to force it to hand over email data stored in Ireland
B2B Marketing is Not Covered by GDPR
There are quite a few articles circulating that claim B2B communication will be allowed under GDPR because the forthcoming e-Privacy legislation, expected to be enacted at the same time as GDPR, will make that distinction and allow opt-out rather than opt-in consent; in other words, an unsubscribe link.
The proposed e-Privacy Regulation would replace the existing e-Privacy Directive and is designed to set the rules for electronic communications, i.e. emails and SMS messages. The distinction between the two matters: a Regulation, like GDPR, applies directly and uniformly in every member state, whereas a Directive has to be transposed by each member state in its own legislation (in the UK, the Privacy and Electronic Communications Regulations, PECR). That national latitude is where today’s B2B/B2C distinctions come from, such as PECR treating corporate subscribers differently from individual subscribers. Whether the new Regulation keeps any such distinction depends on its final text, which is not yet agreed.
Until that text is agreed we won’t know whether B2B communications will be treated differently, if they are distinguished at all, or what will count as B2B rather than B2C data: a personal Gmail address, a mobile telephone number or an IP address could all be personal data. We don’t even know whether the Regulation will be passed into law in time.
Our conclusion, therefore, is that unless and until e-Privacy legislation draws a distinction between B2B and B2C, GDPR does not draw such a distinction and there are no exemptions for B2B communications.
If I’m Not Based in the EU the Ruling Doesn’t Apply
GDPR applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour (Article 3). So if you hold personal data on individuals in the EU and do business with customers there, you are affected. Whether the EU can enforce that against you is another matter, although in-scope organisations outside the EU are also required to appoint a representative within it (Article 27).
You have until 25th May 2018 to comply, and from then on you won’t be able to send electronic marketing to individuals in the EU unless you have their specific consent. For most companies that means they won’t be able to email anybody on their existing marketing database, because they won’t have formally gathered auditable consents. You therefore need to start gathering such consents now, both from new leads and from your existing database.
General Data Protection Regulation Checklist
- Appoint someone to own GDPR compliance, who should quickly get up to speed with the legislation. A formal Data Protection Officer (DPO) is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of sensitive data (Article 37), but every business needs an owner
- Make a list of all your systems that hold personal data: your CRM, accounting system, HR system, contact databases in email clients such as Outlook, all those spreadsheets scattered around people’s laptops with contact data in them
- Make a list of all your Data Processors, the external systems you use that hold personal data. Make sure they only hold data in the EU (or in a country with an adequacy decision) and are, or will be, GDPR compliant. GDPR requires a written contract with each processor setting out what they may do with the data (Article 28), whatever your industry; if you are in a regulated industry, get a certificate or contractual warranty of compliance as well
- Start capturing consents from new enquiries now
- Work out how you are going to get consents from contacts in your existing database between now and 25th May 2018
- Draft a procedure for managing breach notifications, for both the regulatory body and the contacts themselves. If a breach happens you won’t have time to consider the best way to do this so have it mapped out in advance
- Review and update the privacy notices and terms and conditions on your web site
Read More About GDPR
We have written a series of blogs to help you understand GDPR and what you need to do to be compliant:
GDPR Compliance for Really Simple Systems explains our CRM compliance
The Good, the Bad and the…GDPR? looks at the pros and cons of GDPR
GDPR Marketing Compliance Launch introduces the first phase of our GDPR compliance features