Countdown: A positive approach to GDPR

GDPR is on everyone’s mind at the moment and rightly so as the deadline of 25th May 2018 is going to be upon us before we know it.

“The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).”

As head of marketing for eShare, I have GDPR responsibilities for our department and marketing activities. As a member of the leadership team and part of the GDPR taskforce, I am also concerned with ensuring our clients’ data is protected within the SaaS software products which eShare is responsible for hosting – including personal information for their board members.

GDPR in principle

The GDPR demands, amongst other things, that the personal data that you hold on staff, suppliers and customers is[1]:

Fairly sourced
Kept for no longer than is necessary
Only transferred to other countries with adequate protection
Processed lawfully

Understanding and having the principle of the GDPR always at the back of your mind is, for me, the key to understanding a regulation that is still ambiguous in some parts. However, there are some areas that are unequivocal.

Firstly, a definition: What is consumer data[2]?

There are multiple definitions of what consumer data is; however, the GDPR sees it as any kind of data that can be used to identify a particular individual. This is the traditional information that we would easily recognise, like email, phone number and address, which has always been covered by the UK’s 1998 Data Protection Act, but now it also includes information like Twitter and Instagram handles, photographs, IP addresses and the information gathered through cookies and tracking codes. Basically, if the data could be used to identify someone, it’s personal data.

At the end of May 2017, the Information Commissioner’s Office (ICO) said that:

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance” [3]

The ICO has produced a 12 step preparation document which is a useful first port of call to make sure you have all the details in a more manageable format.

At eShare, we are not panicking though. As Elizabeth Denham, the UK’s information commissioner in charge of data protection enforcement says, “It’s still an evolution, not a revolution”.

The main changes to note are that there are new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines.

GDPR roles determine the appropriate response

Any company that is a “controller” or “processor” needs to review their practices in preparation for GDPR coming into force. If anyone on behalf of your company obtains, records or holds information or data, including organising that data, adapting it, using it, moving it, aligning it, combining it or destroying it, then your company has a processor role. The controller’s role is when a person in your company determines the purpose and manner in which data is processed. There is an official definition here. For us, we are a processor when it comes to our clients’ data. They put data in our system and our system helps them manage and process it; however, they are the controller of that data. For our marketing activities we determine the manner in which we use and process prospect and customer data, so there we are the controller.

A process driven approach

At eShare, we are starting from a strong base though, as we have already achieved ISO 27001 and we have some high profile and conscientious clients who have helped us evolve an extremely robust set of systems and processes around data management. ISO 27001 certification means that we have security measures around our office environment as well as our data centres, and also the documentation around them. That is not to say we are perfect, because there are some areas where GDPR differs from security considerations; for example, we need the ability to ‘forget’ someone who requests this, or have a very good reason why we can’t.

There are instances where you can justifiably say you can’t delete data for an individual – you may need it for tax purposes, or it may be business critical, e.g. taking that data out would break the system for the client. Our clients are major decision makers for their organisations and much of the information they store needs to be kept on record so it can be audited in the future. For example, our software needs to maintain the record of votes placed within decisions, and this data needs to remain so the client can demonstrate a history of the decisions they took and what they based their decisions on. In other places deletion will be quite easy, but only by knowing exactly where all the data is can you ensure an individual can be completely deleted from your records.

GDPR also requires us to document certain information that we weren’t required to under the original DPA. In most cases we already had the information. In order to document everything correctly, we created a list of all the data types we manage and for each we record our role in controlling or processing the data, the hosting location, data transfer information and details of third parties, security information, how long we hold it, the purpose we hold that data for, whether we need permission to hold it and how we get that permission.

Where we process data we need to define the lawfulness of processing conditions from the list of GDPR definitions:

6(1)(a) – Consent of the data subject

6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

6(1)(c) – Processing is necessary for compliance with a legal obligation

6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person

6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

This documentation of data types forms the main thrust of our approach. Against each item we have an actions column and an owner. In this way we maintain accountability and momentum. At each meeting we report on the actions we have taken to make progress on the items within our responsibility.

In the last few years, there have been scores of huge data breaches. These scandals hopefully raise the profile of data security for companies. Under GDPR the “destruction, loss, alteration, unauthorised disclosure of, or access to” individuals’ data must be reported to the data protection regulator for that country within 72 hours of the organisation finding out. In the UK this is the ICO. Hopefully this means there will be no more scandals where companies like Dropbox don’t announce their data breach until 4 years after the event, putting millions of customers’ data in jeopardy on the dark web, where hackers can have a field day. The GDPR would put a stop to this, which can only be a good thing.

A step change in marketing

Back at eShare, in the marketing department, we have more work to do as a controller of the data compared to our processor role for our software development processes and security. Our software has already had to withstand scrutiny from auditors on a frequent basis. The GDPR has given me cause to review and tweak our marketing processes at the same time as adding the necessary documentation required by the regulation. Having already presided over ensuring our data is DPA compliant, I see the GDPR as just a step change in our approach to data, taking our standards up a notch.

Firstly, I reviewed all the places where we collect personal data – the website, at events, via email – and how we could improve clarity and transparency about our role in processing that data, making it really clear how and why we will be processing those individuals’ data and obtaining unambiguous consent. I also considered the third party systems we use to process that data and how these are secured.

In the case of our website we have not only reviewed and updated our privacy policy and the statements that clarify our role at the point of collecting data, such as online forms; we have also taken a deep dive to improve the security of the website itself. Our new website already uses SSL encryption between the website and the browser. However, this is really just a minimum, so we reviewed the security of our site with our technical team and added security headers to provide yet another layer of security that helps mitigate attacks and plug security vulnerabilities. Our site is now ‘A’ rated for its security, which is something I’m extremely proud of.
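The security headers mentioned above are the usual place a review like this starts. The script below is an added example, not eShare’s code or the rating tool the post refers to: it audits a captured set of HTTP response headers against a small baseline (HSTS, Content-Security-Policy, nosniff, clickjacking protection and Referrer-Policy) and lists what is missing or weak. The two header sets are constructed to show a site before and after the headers are added; the baseline itself is an assumption about what a reasonable minimum looks like, not a transcription of any particular grading scheme.

```python
"""Audit HTTP response headers for common security headers (added example).

Not eShare's code. BEFORE and AFTER are constructed header sets; BASELINE is
an assumed minimum, not any rating service's exact criteria.
"""
from typing import Callable, Dict, List

# Header name (lower-case) -> predicate that says whether the value is acceptable.
BASELINE: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip() != "",
}


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = normalise(headers)
    findings: List[str] = []
    for name, acceptable in BASELINE.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not acceptable(h[name]):
            findings.append(f"weak {name}: {h[name]!r}")
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is enough.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("missing x-frame-options (and no CSP frame-ancestors)")
    return findings


# Constructed: a site that serves TLS but sets no security headers at all.
BEFORE = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}

# Constructed: the same site after the headers are added.
AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "baseline met")
```

Run it and the "before" set produces five findings while the "after" set produces none. To audit a live site, feed `audit_headers` the `headers` of a real response; the check is deliberately kept offline here so that it can be run and tested without network access.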

Another requirement is to ensure that data is only kept for as long as necessary. Elsewhere in the business there are requirements for data to be kept for a certain length of time, e.g. 6 years for HMRC. For us we needed to create a process that will remove data across all our systems regularly. We have used our marketing automation to do this, ensuring that those who want to be informed about our services continue to receive our information for as long as they need or want to, while those who don’t are removed.

Finally, what about the existing data we hold? Rather than taking a slash and burn approach like Wetherspoons, who completely started again, we had already been logging where our data was collected and the permissions obtained. Our department took a similar approach to our business approach to data types, categorising the data in our CRM system according to the kind of data, where/how it was collected and activity history. From here we could work out the gap where we needed to obtain permission. While this may significantly reduce the number of contacts held, those that remain are likely to be much more productive contacts.
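The retention process and the permissions gap described in the last two paragraphs come down to the same question: for each record, does the register entry for its data type still justify holding it? The script below is an added example, not eShare’s process or marketing automation: it keeps a small register in the shape described earlier in the post (role, lawful basis from Article 6(1), retention period, purpose) and walks a set of records to decide which ones should be removed. The register rows, the two-year marketing retention period and the contact records are all constructed for illustration; the six-year HMRC figure is the one quoted in the post.

```python
"""Retention and consent check over a small data register (added example).

Not eShare's process. REGISTER, CONTACTS and TODAY are constructed; the
2-year marketing retention is a hypothetical value, the 6-year HMRC period is
the figure quoted in the post.
"""
from datetime import date, timedelta
from typing import Dict, List

CONSENT = "6(1)(a)"           # consent of the data subject
LEGAL_OBLIGATION = "6(1)(c)"  # compliance with a legal obligation

# Constructed register: one row per data type, in the shape the post describes.
REGISTER: Dict[str, Dict[str, object]] = {
    "marketing_contact": {
        "role": "controller",
        "lawful_basis": CONSENT,
        "retention_days": 2 * 365,   # hypothetical: 2 years without activity
        "purpose": "send information about our services",
    },
    "invoice": {
        "role": "controller",
        "lawful_basis": LEGAL_OBLIGATION,
        "retention_days": 6 * 365,   # HMRC: 6 years (figure from the post)
        "purpose": "tax records",
    },
}


def records_to_remove(records: List[Dict[str, object]], today: date) -> List[str]:
    """Return the ids of records the register no longer justifies holding.

    Consent-based data is removed as soon as consent is absent or withdrawn,
    regardless of age; everything else is removed once it is older than the
    retention period recorded for its data type.
    """
    out: List[str] = []
    for rec in records:
        rule = REGISTER[str(rec["data_type"])]
        if rule["lawful_basis"] == CONSENT and not rec.get("consent", False):
            out.append(str(rec["id"]))          # permission gap: no consent on file
            continue
        age_days = (today - rec["last_activity"]).days  # type: ignore[operator]
        if age_days > int(rule["retention_days"]):      # type: ignore[call-overload]
            out.append(str(rec["id"]))          # held longer than necessary
    return out


TODAY = date(2018, 5, 25)  # constructed reference date (the GDPR deadline)

# Constructed records: two marketing contacts with consent, one without, two invoices.
CONTACTS: List[Dict[str, object]] = [
    {"id": "c1", "data_type": "marketing_contact", "consent": True,
     "last_activity": TODAY - timedelta(days=30)},
    {"id": "c2", "data_type": "marketing_contact", "consent": False,
     "last_activity": TODAY - timedelta(days=30)},
    {"id": "c3", "data_type": "marketing_contact", "consent": True,
     "last_activity": TODAY - timedelta(days=800)},
    {"id": "i1", "data_type": "invoice",
     "last_activity": TODAY - timedelta(days=5 * 365)},
    {"id": "i2", "data_type": "invoice",
     "last_activity": TODAY - timedelta(days=7 * 365)},
]

if __name__ == "__main__":
    print("remove:", records_to_remove(CONTACTS, TODAY))
```

With the constructed data this removes `c2` (no consent on file), `c3` (a consented contact idle for longer than the marketing retention period) and `i2` (an invoice past the six-year period), while `c1` and `i1` are kept. Passing `today` in explicitly rather than reading the clock keeps the check reproducible, which matters when you need to show an auditor why a record was or was not deleted on a given date.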

eShare has fewer than 250 employees, so there is no obligation to employ a Data Protection Officer, but any company, big or small, will need to take the GDPR deadline of 25th May 2018 very seriously. A fine can be up to 4% of annual turnover, and while this makes it proportionate, smaller businesses are likely to have a leaner business model and find that a much tougher penalty, relatively speaking. At eShare, our task force has used a process driven approach to ensure that we comply with our responsibilities as a processor and controller of data.

If you are looking for inspiration on how to approach GDPR in your organisation and found some of this useful, or if you took a different approach, then we’d love to hear from you.
