May 2018 is going to be an important month. Prince Harry will marry Meghan Markle and the GDPR will be implemented into English law. I know which will get the most press coverage. But it will be the other that will have an impact how your business operates. That is unless you sell royal family memorabilia.
In this post, LoyaltyLion’s GDPR expert, Dan Pearson, of Humphreys Law, explains what GDPR exactly means for ecommerce merchants and marketers.
You’ve probably heard the term GDPR floating around for a while, but what does it actually mean? “GDPR” stands for the General Data Protection Regulation. It is a new EU Regulation that seeks to harmonise and update the law in respect of how businesses deal with personal data. It will be formally implemented into UK law on 25 May 2018. And before you ask, Brexit won’t stop it.
The GDPR will change the law for any business that is established in the EU AND for any business outside of the EU that offers goods or services to EU citizens AND for any business outside of the EU that monitors the behaviours of EU citizens.
What if my company is in the US and offers goods and services to US citizens only? Do I have to comply? Well, the good news is no. All you need to know is that if you use suppliers in the EU to process personal data, your customers’ data will be afforded the new best level of protection on the planet. As a result of GDPR, your suppliers may update their terms to your existing agreement to ensure their GDPR compliance, but these will essentially all be in your favour as the obligation to comply lies with them.
Once the GDPR is in force, failure to comply could lead to a fine of up to EUR20m or 4% of global turnover (whichever is greater). The extent of losses from a PR perspective for such non-compliance is unquantifiable.
Time to go through all 99 Articles of the GDPR one by one…
Let’s start at the very beginning so it is clear what all this data protection stuff really is. What is personal data? Personal data is any data which relates to a living individual who can be identified from that data. Good examples are emails addresses and mobile numbers.
Every time you sign-up to a new online service, do your online shopping, apply for a new job or hand over your business card, you are providing a company with personal data. In GDPR terminology you are the Data Subject. The company receiving the data is referred to as the Data Controller. Data controllers process your data in order to provide you with the goods or services you provided the data for. If the data controller needs to engage a supplier to assist with this purpose, as soon as they pass the personal data of the data subject to this supplier, the supplier becomes what the GDPR calls a Data Processor.
All good so far?
We already have the Data Protection Act 1998. Why do we need more laws?
The 1998 Act was created out of something called the EU Data Protection Directive 1995. Let’s just think about that for a second. I didn’t have a mobile phone in 1995. Amazon.com launched in July 1995. Facebook and Twitter were still a decade away. That speaks volumes as to the need for the law to catch-up. Currently, we are relying on laws that pre-date social media and online shopping to ensure businesses use personal data in the correct way.
And in 2017, personal data is like gold dust. Every piece of personal data is a potential customer. Relying on a law that is nearly twenty years old has resulted in the wild west. Significant numbers of companies are treating personal data with a flagrant disregard for the rights of the data subjects involved. They are selling it for profit or using it in order to provide you with your favourite calls about PPI insurance claims and that accident you never had.
A clue for another big reason for updating the law is in the title – General Data Protection Regulation. Unlike the Directive of 1995, a Regulation has a direct effect in all EU countries. That means that unlike the patchwork of similar laws created as a result of the 1995 Directive, the law should be harmonised across Europe from May next year. And with the ever-increasing volumes of online shopping and cross-jurisdictional commerce, there is a need for consistent rules on how personal data is treated in different EU countries. From May 2018, your data should be treated in the same way if you bought something in Portugal as if you bought it in Poland.
Sorry. That’s all interesting background, but the reason you are reading this article is not to become an expert on the jurisprudential reason for GDPR, you want to know what practical (and ideally inexpensive) steps you can take to ensure your business is GDPR compliant come 25 May 2018.
At high-level, the GDPR covers the following areas.
I summarise each of these in turn below.
Right at the heart of the GDPR lies the principle that data subjects (you remember the individuals whose data is held by companies) have greater control over what happens to their data. Under the GDPR, data subjects have the following rights.
A data subject has the right to request that a company that holds personal data about them must provide them with a copy of that data. This is not a new right and was included under the 1998 Act. However, under the 1998 Act a company could charge you £10 for the privilege and could take up to 40 days to respond to your request. Under the GDPR, the copy of the personal data must be provided free of charge and within 30 days.
A data subject has the right to request that any personal data a company holds about them is rectified if it is inaccurate or incomplete. Again, the company must process this request free of charge and within 30 days.
A data subject can request that a company that holds personal data about them must delete it. The right to erasure existed under the 1998 Act, but it was conditioned to where the data subject may suffer unwarranted and substantial damage or distress. There is no such threshold under the GDPR so the grounds for refusing a request for erasure are pretty slim.
The right to restrict processing and the right to object are set out as separate rights in the GDPR, but in practice, they amount to a similar right. They are like a halfway house to the right of erasure. A data subject can request that a company that holds its personal data must stop processing it in a specific way, but still keep it for other purposes. A good example is where a customer may want to be removed from a marketing email list as they feel they are getting bombarded with offers of no interest to them, but still want to remain in the company’s database as they still use the company’s products or services.
A data subject can now request that a company that holds personal data about them must transfer the data to another company. Many companies already offer this, for example, price comparison sites. This right is essentially formalising in law something that is already offered.
As more and more companies use automated tools and artificial intelligence to support their operations, data subjects now have a right to object to their personal data being processed using such software.
In order to cater for all these new data subject rights, you need to come up with internal governance procedures to ensure your business responds to these requests in the correct manner and within the deadlines. I suggest you set this out in a Data Protection Policy (plenty more to come on that) and train your staff who are to deal with these requests.
The obvious result of increasing the rights of data subjects is to increase the obligations on data controllers and data processors (you remember, the company that you gave your data to and the one that then does something with it on the receiving company’s behalf). However, not all new obligations on data controllers and data processors stem from the new data subject rights list above – many are in addition to these.
The GDPR requires businesses to ensure they have a lawful basis for processing personal data. In order to demonstrate that, the GDPR requires businesses to record its processing activities.
So, what you need to do is set up a data processing record. You may already have databases relating to your customers that already achieves part of this requirement.
The processing record must include at least:
That seems like quite an obligation on a start-up or an SME, right? Well, it is. Fortunately, if your business has less than 250 employees, you only need to keep records of high-risk processing activities. To date, neither the ICO nor the Article 29 Working Party (the curators of the GDPR) have provided any clear guidance as to what “high-risk processing” really means, but it is expected that they will in the coming months. I suggest you err on the side of caution.
Great, you’ve built your processing record which contains details of the (high-risk) processing of personal data. A good start. Whilst you’ve identified and recorded the personal data that you process, it is now time to demonstrate that you process this data in compliance with the GDPR. That is done by drafting a Data Protection Policy.
A Data Protection Policy should cover a number of areas. Of course, the first area is reflecting all those new data subject request rights we discussed above. These all need to be actioned appropriately and responded to within 30 days. Your Data Protection Policy should set out clearly which employees will deal with these subject access requests and include a process and templates for how to deal with them.
In addition to dealing with the data subject requests, we suggest including at least the following in your exciting new Data Protection Policy.
OK, you’ve got your record of the personal data you process and you’ve got a policy that determines how you are going to look after it. Looking good. But who is going to make sure the list is updated and the policy is enforced? That’s where your data protection officer comes in.
Now don’t panic. You do not need to go out and hire an expensive person in a suit, crippling your staffing budget for the next two years. Your data protection officer can be an existing member of staff. You can even outsource the role entirely if you wish.
What I would recommend though is that you find a keen, bright employee who has some understanding of data protection and let them know that the GDPR requires that a data protection officer has to report into the highest level of management within a company, i.e. the Board. That keen employee will be delighted to have received a quasi-promotion.
You should then ensure that employee gets some additional training and has some external support from an expert. This should mean you make a saving against a new employee or outsourcing the entire role, but more importantly you have someone that understands your business who is responsible for GDPR compliance. If there is a data breach within your organisation, you don’t want some outsourced Data Protection Officer phoning you at the weekend asking who the right person to speak to is or who your suppliers are.
You might read other articles stating you may not need to appoint a Data Protection Officer. And strictly speaking under the GDPR many businesses may not need to. But your business has to comply with the GDPR irrespective so why not ensure that one person is responsible for it? If you leave it to your employees as a group, I think you can guess what is going to happen.
An obvious point, but if you have gone to the trouble of putting in place a Data Protection Policy, it makes sense to ensure your staff are trained on it and understand it. Probably the most effective way to do this is to get your Data Protection Officer up to speed and ask him/her to train the rest of the staff who regularly process personal data as part of their job.
Where your business engages a supplier to process personal data on its behalf, you need to make sure that the supplier processes this data in accordance with the high standards you have now set yourself. The way to do this is with a solid contract. You probably already have contracts in place with your suppliers, but these need to include GDPR compliant data protection clauses to protect your business if the supplier gets it wrong. If your business is the supplier processing personal data on behalf of a data controller, you need to make sure the protections in place are appropriate and not too onerous on you.
The GDPR requires businesses to ensure that the personal data they process is protected by a level of security appropriate to the risk. In today’s world of hacking and data leaks, there is little point creating the clearest and most user-friendly processing record and drafting the best Data Protection Policy if the IT systems holding the data are not secure. Whilst many businesses already put security high on the priority list, it is worthwhile carrying out an audit of the operational and technical measures in place to check for any weaknesses or vulnerabilities. That does not mean increasing your security systems and firewalls to investment-bank standards, but ensuring that for the personal data you process, appropriate protections are in place.
Have you ever read online terms of service when confronted with them? I thought not. I have and, even as a lawyer, I often find them indigestible. Even if you open them, you invariably get bored after a matter of seconds and hit “agree”. But hidden away somewhere in there, probably at Clause 17.2(b), you will find a key clause that you should not have agreed to. It will look like the wording in the left column, but what it will means what is set out in the right column.
by agreeing to use our service, you are consenting to us processing your data…
if you give us your data, we will have total free rein over what we do with it…
we may provide it to selected third parties…
we will sell it to the highest bidder including ambulance chasers and PPI hounds…
This kind of behaviour is totally banned under the GDPR. You cannot hide such consent statements. The GDPR requires that consent must be:
“freely given, specific, informed and unambiguous”.
And it goes even further than that. You may recall the pre-ticked box at the bottom of a sign-up form that stated something like “if you do not select this box, we will not use your details for the marketing purposes”. A pre-ticked box is again totally banned under the GDPR. The GDPR requires that consent must be given by:
“a statement or clear affirmative action”.
So a tick-box (not pre-ticked!) with a clear statement about what your business will do with that data must be set out in order to obtain valid consent under the GDPR. Your marketing guys aren’t going to like it.
And sadly that’s not the end of it for your marketing guys. If your business has been using, shall we say, questionable consent mechanisms for years, the GDPR requires you to review the personal data you hold and audit whether that data was received with GDPR valid consent. Wow. That is a difficult task. I doubt many companies will be able to carry out this reverse engineering. So what do you do? Just delete your entire database?
Of course not. If many of your customers provided their personal data to your business based on questionable consent, that doesn’t mean they don’t want to receive any further contact from you. All you need to do is seek re-consent via a valid GDPR mechanism. And there is nothing wrong with having an incentive to re-consenting providing you give the individuals an opportunity to unsubscribe at a later date.
You may recall above that one of the reasons for the GDPR was to harmonise the way personal data is processed across all countries in the EU. Yes? Anyway, what then happens if you transfer that data outside of the EU?
Well, the GDPR has covered this and its default position is that you cannot transfer personal data outside of the EU. “Er, what?!” I sense you are saying. Too right. Many companies operate global businesses and who doesn’t use at least one supplier who operates in the US? Fortunately, there are exceptions to the default position. If your business can put in place a guarantee that the personal data transferred outside of the EU will be treated in the same way as if it remained in the EU under the GDPR, you can perform the transfer. And once you have a valid guarantee in place, you can transfer personal data in and out of the EU without fear of the ICO or another European regulator getting on your case. Such guarantees exist in the form of model contractual clauses between your business and the transferee outside of the EU, privacy schemes such as the EU-US Privacy Shield and inter-company transfer guarantees.
It sounds horribly complicated, but it is not really. The key is identifying where you are transferring personal data outside of the EU and working out what is the most efficient guarantee you can put in place. Check the privacy policies of some of your favourite US suppliers. I guarantee many of them will already have signed up to the EU-US Privacy Shield.
So there it is. The GDPR summarised and you now know what to do…
If you would like some help implementing it, please feel free to contact us at Humphreys Law (firstname.lastname@example.org). We would be delighted to help… or discuss the chair covers for the royal wedding in May next year.
This blog post contains the opinions of a third party and not those of LoyaltyLion. It does not constitute legal advice. As a result, LoyaltyLion is not responsible for any reliance you may put on its contents.
By signing up, you agree to our terms and conditions.