It’s been less than three months now since the GDPR came into force. We look at what has happened to organisations caught out by GDPR, what you can do to comply, and some surprising trends with businesses cashing in on its implementation across the EU.
The GDPR is actually good news, coming into being as a response to unscrupulous marketing and data analysis firms harvesting and selling user data and distributing and spamming EU citizens with unprompted emails, mail and phone calls, without explicit user consent.
- The General Data Protection Regulation came in 25th May 2018
- EU wide Data Protection Rules that streamline the way all personal data, of all types, is stored and handled across all EU member states
- In force in European Union (EU) & European Economic Area (EEA)
- Addresses the export of personal data outside the EU and EEA
Previous UK data laws, the Data Protection Act 1998 (DPA) and EU Data Protection Directive, didn’t really have much in the way of fines for infringement. In drafting the GDPR, the EU recognised that it needed much stronger legal ‘teeth’, and financial penalties for non-compliance have changed radically with the GDPR, now enshrined in the UK’s own Data Protection Act 2018.
“Fines can be invoked of up to 20 million Euros or 4% of organisation total global turnover, whichever is the greater.”
How does GDPR work to benefit EU citizens?
Let’s take an example. If Joe Bloggs opens an unsolicited email from you that he objects to and hasn’t opted in to receive, he could report you under GDPR regulations. That’s a similar situation as before, but the difference under the GDPR is that far more power now resides with each citizen inside the EU on how their personal data can be stored, handled and processed . The enterprise sending Joe the email is liable for a caution or a fine under GDPR legislation.
In another example, Joe hears in the news that the EU based online dating site he has signed up to has been hacked, and that his personal data may have been stolen. Under the GDPR this report likely hit the news because all enterprises must report any data breach of user data within 72 hours, if they are likely to have an adverse effect on user privacy. Again, the enterprise handling Joe’s data may be cautioned or fined.
What are the fines so far for GDPR breaches?
It was initially thought that the approach of authorities monitoring GDPR compliance would be as it has been in the past, which was to ensure you’re at least working on compliance, and to gently push you in the right direction, rather than impose big fines at the outset.
That’s why everyone is watching the Dixons Carphone data breach reported in June. Even though the breach happened before GDPR came into effect, the data breach was later discovered to have affected a lot more personal records than initially thought. Under previous data protection rules the maximum imposable fine would have been £500,000, whereas under the new GDPA Dixons Carphone could face fines of up to £17.6m (€20m).
The Information Commissioner’s Office, in charge in the UK of looking into GDPR compliance related to data breaches said:
“Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated. Our investigation into the incident is ongoing and we will take time to assess this new information. In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
The market reacted predictably to the news, with Dixon’s shares having fallen almost 8% since mid June.
But it’s not just about organisations directly hit by data breaches under GDPR regulations. Just ten days after the GDPR came into force, some companies felt the pinch of its effects on their future business. Publisher Johnston Press was one of the first media organisations to take a GDPR related hit, after the group at their June AGM cited the impact of more onerous European privacy restrictions as a contributory factor to a decline in their digital ad revenues. Their overall revenues fell 9% over the first half year.
Apart from the large potential fines, the requirement to disclose any user data breach is a key aspect for all organisations handling data, and where the GDPR is aided in ensuring it has a good chance of getting taken seriously and implemented right across the EU.
What’s ‘personal data’ and who needs to comply with GDPR?
Whilst GDPR requirements might appear onerous for many businesses, it conveniently provides just one set of regulations to comply with. Before GDPR, there were actually 28 sets of rules in place in different EU countries regarding personal data.
The GDPR contains provisions and requirements relating to processing of personally identifiable information (personal data) of individuals inside the European Union. It applies to the processing of the personal data of any person inside the EU by any enterprise established in the EU, regardless of the data subjects’ citizenship, and regardless of the enterprise’s location or even its size.
The GDPR applies as much to sole traders as it does to large corporates. Controllers of personal data within any enterprise must put in place appropriate technical and organisational measures to implement the GDPR data protection principles.
The GDPR assumes data protection by design and by default, which means each process handling personal data must be designed and built with consideration of GDPR principles, as well as providing safeguards to protect that data. For example, ideally all user data should be anonymised, as well as having the highest-possible privacy settings by default. This means that the user data is secure and not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately.
The GDPR also says no personal data may be processed unless it is done under a lawful basis specified by the regulation, or unless the enterprises’ data controller or processor has received an unambiguous and individualised affirmation of consent from the data subject. Any person in the UE or EEA (data subject) also has the right to revoke this consent at any time in the future.
Any processor of personal data must clearly disclose any data that has been collected, declare the lawful basis and purpose for the data processing, and state how long the data is being retained, and also if it is being shared with any third parties or outside of the EU.
Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. All public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO). The DPO is directly responsible for managing compliance with the GDPR. Matthew Lea, Data Protection Expert, Herrington Carmichael Solicitors, said:
“Where you collect personal data of an individual, you are required to provide information such as who you are, how you can be contacted, details of your organisation’s Data Protection Officer (DPO) if you have appointed one, why you are processing their personal data, who you are sending it to, and if you are transferring their data abroad. You also need to provide information on their rights as data subjects, and say how long you intend to keep their personal data for.”
The six legal grounds for data processing under GDPR
- Consent has been given by the data subject
- Processing is necessary for the performance of a contract with the data subject, or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of ‘legitimate interests’ pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Regarding point 6, you may be OK if you hold and process user data based on ‘legitimate interest’. To see whether this is the case with your data the best way is to assess this using ICO guidance – click here.
What do you need to do to get GDPR compliant?
There are many aspects of business that you need to look at. Most UK organisations have a website and user or customer specific data of some type stored somewhere, whether website or email newsletter registrations, or user data in financial, telephone, email, CRM, sales or marketing systems. Basically anything than can identify a user.
The simple first things you can do relate to your website and any user data you hold. Your website privacy notice can be amended to indicate how your organisation complies with GDPR requirements, as well as the text that goes with websites forms used to collect personal data, such as the ‘Contact us’ forms that many websites have. Another recommendation is to mention that you hold and manage user data in a GDPR compliant way.
You could do this by adding a link to your website privacy notice in your organisation’s standard email footer, which ensures all the people you communicate with directly have access to it.
Here’s a more detailed list of things to be fully GDPR compliant:
- Inform your organisation internally about GDPR
- Website privacy notice – create or update your page(s)
- Cookies – sort out your website cookie control and policy
- Forms – update client enquiry, email news and lead capture
- Records – record the user ‘opt-in’ process
- Campaign pages – GDPR compliant landing pages
- Improve your security around all your user data
- Consider GDPR compliance software and data insurance
Cashing in on GDPR
On the flip side, companies are also legitimately capitalising on the GDPR, sometimes in surprising and interesting areas.
Confidential waste specialist Russell Richardson has geared up to make life easier for businesses beefing up their data protection processes in line with GDPR. As shredding, archiving and recycling experts, they brought in a multi-tasking mobile shredding truck which they have taken out on the road. Their massive mobile shredder can deal with up to 2.5 tonnes of confidential paperwork an hour at a client’s premises, and can destroy data-packed computer hard drives, CDs and memory sticks in seconds.
“Some companies used to throw whole computers in a skip with the hard-drive still in place. Now GDPR has imposed tighter rules, we scaled up to help companies who have to take extra care of their data. We’re seeing an increase in customers who prefer to witness on-site the certified destruction of data stored on computers and tech devices.”
Most enterprises with big customer and partner email databases have sent out individual special ‘opt-in’ emails to all of their users, to make sure they are GDPR compliant. Other smaller companies have just ditched their email or CRM contact databases, deciding that filtering them all for GDPR compliance is just not worth the hassle, or that continuing to send emails out to their whole contact database is now just too risky.
One interesting aspect of GDPR relates to mail, which may have an advantage versus electronic communications in meet conditions for what the GDPR calls ‘legitimate interest’. In this case you don’t need specific user consent for future postal marketing. This means that, despite higher mail costs versus email and electronic communication, many enterprises are now seriously reconsidering the option to post selected information direct to their customers.
Direct mail and print companies are also beginning to benefit from GDPR for the same reason and, after decades of decline in mail volumes and as we don’t now get much mail, it is likely to become very attractive to marketers to use mail to gain awareness of company products and services to customers.
Conclusion
The bottom line is that the GDPR is here to stay, and isn’t going to go away. “What about Brexit?” you might ask. Well, even though the UK voted to leave the EU, the Government decided we would still comply with the GDPR, and you have to follow the regulations.
So, instead of hoping to get around it, if you really haven’t yet got to grips with your obligations under the GDPR, see it for what it is. An opportunity to tidy up all of your customer data and mailing lists, consolidate them all into one secure system or location, and to implement systems and processes to ensure that all of your data related to individuals is stored, managed and processed in line with GDPR requirements.
The good news is GDPR means a lot of the spam emails and unsolicited calls and mail you used to get will disappear. You’ll also likely start getting targeted mail through the letterbox too, that is better designed, more interesting and useful to its recipients. As this happens, consumer confidence in communications from organisations will steadily rise, email open rates and click rates will improve and mail response will increase, as people only receiving information and offers from the companies they like and trust.
That can only mean that being part of the GDPR solution, rather than against it, is good news for future business communication.