Written by Sam Marsden, DealTrak’s Compliance Manager.
Many people reading this post will own a car, know someone with a car, or will have ridden in one at some point. Some people lavish time and attention on theirs; perhaps they meticulously wash it every Sunday morning, whilst others add extras – alloys, tints, upgraded sound systems. For others their car is often referred to as ‘the shed’ and is serviced once a year by the garage.
Irrespective of whether your car is your pride and joy or simply a means of getting from A to B, the one thing we must all do is keep our cars in roadworthy condition. The rules are very clear: we must all comply and keep our vehicles satisfactorily roadworthy.
Just like making sure our car is roadworthy rather than risking a fine, we should all be thinking of compliance and how to comply with the new regulation known as GDPR, regardless of the size or age of our business.
GDPR, the General Data Protection Regulation, is rapidly approaching and you are all probably working through the requirements in anticipation of 25 May 2018. If you’ve not started yet, though, it’s not too late.
A good place to start would be with the ICO; use their resources and guidance, starting with the checklists – see ICO – Getting Ready for GDPR. For those of you running micro-businesses (those employing fewer than 10 people) there is some additional help from the ICO – see Making Data Protection Your Business. Unlike cars over 40 years old, which are MOT exempt, there are no exemption clauses in GDPR, regardless of the size of a business. One customer or 100 million customers – the rules apply to your business.
You will undoubtedly now know that GDPR brings with it a series of important changes in the UK’s data protection laws and will have a significant impact on how organisations manage personal data. Yes, the penalties for non-conformance will increase (a maximum of 4% of global turnover/€20 million up from a maximum of £500,000).
However, we shouldn’t be thinking in terms of penalties.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
GDPR will bring a number of changes, including:
- Strengthened and new rights:
  - Individuals are given greater rights over their personal information, including the right to be provided with more information about how their personal data will be used when it is collected.
- Changes to what constitutes “consent”:
  - There is an increased focus on obtaining an individual’s explicit consent before their personal data is processed, and on allowing individuals to withdraw their consent at any time.
- Changes to data breach notification:
  - Data controllers are required to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours in certain circumstances. Notification of the individuals affected may also be required after a serious breach.
- New rights of access:
  - The time period for complying with a subject access request is reduced from 40 days to one month, and a fee may no longer be charged.
- Right to be forgotten:
  - Also known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure are outlined in Article 17 (page 43 of the Regulation) and include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent.
- New responsibilities for data processors:
  - For the first time, data processors can be held liable for breaches in their own right; obligations no longer fall solely on data controllers.
- Data Protection Impact Assessments:
  - Privacy by design as a concept has existed for years, but it is only now becoming a legal requirement under the GDPR. At its core, privacy by design calls for data protection to be built in from the outset when designing systems, rather than bolted on afterwards.
- Record keeping:
  - Article 30 (page 51 of the Regulation) makes it clear that businesses must maintain a record of their processing activities, including the legal grounds for processing data, what data is held and for how long, and
- Changes to marketing laws (including e-mail marketing):
  - Marketing under the GDPR (whether postal, phone, e-mail, SMS or any other form of marketing) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Article 6 (page 37 of the Regulation) to conduct it.
  - Marketing regulation under the GDPR is only half the story, however. Europe also has a separate law, the Privacy and Electronic Communications Directive (or e-Privacy Directive), which contains supplemental rules governing consent requirements for e-marketing, i.e. marketing sent over electronic communication channels such as phone, fax, e-mail and SMS. When sending e-marketing, these supplemental consent rules apply in addition to the need for businesses to identify lawful processing grounds under the GDPR.
For me, GDPR is not too dissimilar to FCA Principle 2, Outcome 6 – a firm must pay due regard to the interests of its customers and treat them fairly. In other words, put the customer at the heart of what you do. Why are you collecting that data? Do you need it? Where is it stored? Who has access to it? In the same way that we would want companies who process our own data to treat it with respect, keep it secure and put our interests at the heart of what they do, so must we in businesses where we process the data of others. We must also be able to evidence that we do what we say. Those who know me have heard me trot out my little mantra many times – document what you do and do what you document. This ability to evidence what we do is not new for those regulated by the FCA. SYSC 9.1.4 gives a good, simple summary on record keeping – the records required under the Handbook should be capable of being reproduced in the English language on paper.
So, back to my car analogy. As part of working through the requirements, and likely enhancing or even remediating your processes and procedures, you’ve metaphorically got the car up on the ramp inspecting it, or perhaps got the bonnet up on your business, servicing and refining it to make sure you will be compliant by 25 May 2018. You’ve had to slow down whilst the service is underway and think a little about where you are right now and where you want to go – at least in terms of how you process personal data.
It’s quite timely as I write this that the vernal equinox was on 20 March, or the Spring Equinox to give it its more colloquial name. This was the first day of the spring season and occurred when the sun passed the equator moving from the southern to the northern hemisphere, a day when day and night are of equal length. For many of us the arrival of spring prompts a burst of activity. We start the proverbial ‘spring clean’ – a thorough cleaning of the entire home, room by room and top to bottom. We seek out those areas we do not clean on a regular basis, such as beneath carpets and furnishings and on top of bookshelves. We also declutter and throw away what we don’t need.
Whilst almost everyone will be decluttering after taking a fresh look at personal data and asking whether “it” is really needed, we can also seize the day and do some other work at the same time. While you have the metaphorical car in for inspection and perhaps some remediation work, you might want to embark on some spring cleaning. For example, when looking at your website to see what changes need to be made to how you capture marketing permissions, or to amend the privacy notice, go that little bit further. If you are FCA regulated, ask yourself whether your website complies with the requirements of Statutory Status Disclosure, GEN 4. GEN, or to give it its full title, General Provisions, is found within the High Level Standards of the FCA Handbook. There is prescriptive wording your website MUST contain, which is detailed in Annex 1, Statutory Status Disclosure, within GEN 4, and there are no exemptions.
At DealTrak we are presently engaged in assessing what data we hold, asking ourselves whether we are really required to hold it at all and what we need to do to put systems, processes, contracts and privacy notices in place to be ready for the GDPR by 25 May 2018. Are you?