What is GDPR? Is It Important? Should You Even Care?
I’m guessing by now your inboxes are creaking at the seams with emails from all those lists you previously joined, asking (and in some cases begging and pleading) to stay in touch by re-consenting to those very same lists.
Ironically, all this spam has been generated by the European Union’s new data protection legislation, the General Data Protection Regulation.
Yep, that’s what GDPR stands for, but what does it actually mean to you?
(Other than early onset of repetitive strain injury caused by responding to all those emails…)
My view is there has been a huge amount of scaremongering.
Ridiculous figures have been quoted for how many millions of pounds you will be fined if you get it wrong.
In the UK these fines are decided by the Information Commissioner’s Office (ICO), headed by Liz Denham. The GDPR sets two tiers: the lesser infringements can result in fines of up to €10 million or two per cent of a firm’s annual global turnover (whichever is greater).
Those with more serious consequences can attract fines of up to €20 million or four per cent of a firm’s annual global turnover (whichever is greater).
However, before you start packing your suitcase for Panama…
Liz Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct.
“We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick.”
Denham also says there is “no intention” to overhaul how her office hands out fines and regulates data protection across the UK. She adds that the ICO prefers to work with organisations to improve their practices and sometimes a “stern letter” can be enough for this to happen.
“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.”
She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it than on those that haven’t made any effort.
Recent research from IBM found that only 36% of the companies it surveyed expected to fully meet the deadline, so if you haven’t yet addressed this, my advice is: Don’t Panic.
But don’t ‘Do Nothing’
Start by raising awareness of what you may need to do.
(this post is a good start)
I can guarantee you that Liz Denham will not be knocking on your door on Monday morning with a €20 million bill just because you sent your newsletter out the previous Sunday night!
Remember, whilst this is an EU regulation (which in itself is a vast catchment area), it applies to any organisation, wherever in the world it is based, that offers goods or services to people in the EU or monitors their behaviour, and therefore holds their personal data.
That’s pretty much every country in the world.
I honestly don’t know how this can be effectively policed or enforced given its magnitude and scope.
According to a recent study by Reuters, of the 24 national authorities that responded to the survey, 17 said that they did not have the funding or powers in place that would allow them to enforce the new data privacy law properly.
The UK Information Commissioner’s Office seems very well prepared and is offering some fantastic guidance material… but the website had crashed and was unavailable for a large part of this afternoon!
(I assume because of the volume of visitors?)
So to reiterate my earlier points – Don’t panic, but don’t do nothing.
Anyway, the new regulation applies from 25 May 2018, and if your business is either a ‘controller’ or a ‘processor’ of personal data then it applies to you.
Am I a data controller or a data processor?
The GDPR will apply to data ‘controllers’ and ‘processors’ – the chances are you are going to be one or both.
In general, processing is defined as any operation performed on personal data, such as storing, collecting, recording, organising, sharing, erasure, consulting, etc.
A controller decides the purposes and means of the processing; a processor processes personal data on the controller’s behalf and under its instructions.
For example, if you’re a small business offering a service and your customer details are managed using a third party hosted accounting system, a third party email system (like MailChimp) or a contacts management app on your phone, hosted by a third party, this would generally make you the controller and the third party the processor.
If, on the other hand, you manage all of your data in a spreadsheet you’ve built yourself, you’re the controller and there is no separate processor: the processing obligations fall on you too.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person.
This can be a name, address, IP address… you name it.
Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
These definitions are largely the same as those in the current data protection laws and can relate to information collected through automated processes.
Where GDPR differs from current data protection law is that pseudonymised personal data can fall under it, if it is possible that a person could still be identified from the pseudonym (for example by combining it with other data you hold).
What do I need to do?
This is a bit of a case study of the actions I took on another of my websites, which has an opt-in form to subscribe to an e-newsletter.
If you haven’t got a privacy policy, or you haven’t got a GDPR-friendly one yet, this should be the first job on your to-do list!
This was the one I put together: http://thehershamhub.co.uk/our-privacy-policy/
Feel free to take a look and borrow any of the text if you feel it would apply to your specific circumstances.
The key points it covers are (ignore the bit about ‘Legal Basis’ for now, I’ll cover that later!):
- Who I am and what type of data I collect. Remember GDPR isn’t about email marketing (you’ve got PECR for that!) – it’s about data protection and the security of personal data, so this should cover more than just your newsletter. I’ve chosen to include a wide variety of things like:
  - Geo-tags in any user-uploaded media.
  - Email data stored in MailChimp and the tracking functions that MailChimp provides (I will cover mailing lists in a later point, as there is a LOT of disinformation and scaremongering out there about lists!).
  - Embedded content, such as YouTube videos, which sets the provider’s cookies and collects data as if the visitor had gone to the provider’s own site.
  - Google Analytics – if you use Remarketing and/or segmentation, the identifiers these rely on can count as personal data. (Read more about Google Analytics Data Retention Controls.)
- Who we share data with – the instinctive answer is ‘no one’, but is it? There are legal situations where disclosure may be required. What would your policy be if you sold your business? We’ve also mentioned sharing aggregated data, which does not include personally identifying information.
- Data retention details – how long you keep personal data.
- What rights users have over their data.
- Where we send data – such as running comments through a spam-detection service.
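Geo-tags are worth more than a line in the policy: if you never keep them, there is nothing to disclose and nothing to leak. The following is an added example, not the author’s code and not part of any WordPress plugin, using only the Python standard library to detect the Exif GPS block in an uploaded JPEG and strip the whole Exif segment before the file is stored. The JPEG bytes it works on are constructed inline by build_sample_jpeg(); a real upload would simply be the bytes read from the request.

```python
import struct

# Added example (not the author's code): detect and strip the Exif APP1
# block, and with it any GPS geo-tag, from a JPEG using only the stdlib.
# Only the marker segments are parsed, never the compressed image data.

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_PREFIX = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # "GPSInfo" IFD pointer tag in IFD0 (Exif spec)


def _segments(data: bytes):
    """Yield (marker, start, end) for each marker segment after SOI.

    Stops at SOS (entropy-coded data with no length field follows) or EOI.
    Malformed or truncated input raises ValueError so that a broken upload
    is never passed through as if it were clean.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if marker == SOS:
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length          # the length field counts its own 2 bytes
        if length < 2 or end > len(data):
            raise ValueError("segment runs past end of file")
        yield marker, pos, end
        pos = end
    raise ValueError("no EOI/SOS marker found")


def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == EXIF_PREFIX


def _ifd0_tags(tiff: bytes) -> set:
    """Return the set of tag ids present in IFD0 of an Exif TIFF block."""
    if tiff[:2] not in (b"II", b"MM"):
        raise ValueError("bad TIFF byte-order mark")
    order = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    tags = set()
    for i in range(count):
        entry = ifd0 + 2 + 12 * i       # every IFD entry is 12 bytes
        tags.add(struct.unpack(order + "H", tiff[entry:entry + 2])[0])
    return tags


def has_gps_tag(data: bytes) -> bool:
    """True if the JPEG carries an Exif GPS IFD, i.e. it is geo-tagged."""
    for marker, start, end in _segments(data):
        if _is_exif(data, marker, start):
            return GPS_IFD_TAG in _ifd0_tags(data[start + 10:end])
    return False


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed.

    The whole segment goes, not just the GPS entries: camera serial numbers
    and embedded thumbnails in the same block identify people just as well.
    """
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if not _is_exif(data, marker, start):
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed test input: SOI, Exif APP1, a COM segment, EOI.

    The Exif block is little-endian TIFF whose IFD0 holds a Model tag and,
    when with_gps is set, a GPSInfo pointer to a one-entry GPS IFD.
    """
    entries = [(0x0110, 2, 4, b"Cam\x00")]          # Model, ASCII, inline value
    ifd0_len = 2 + 12 * (2 if with_gps else 1) + 4
    if with_gps:                                     # GPS IFD sits right after IFD0
        entries.append((GPS_IFD_TAG, 4, 1, struct.pack("<I", 8 + ifd0_len)))
    ifd0 = struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd0 += struct.pack("<HHI", tag, typ, cnt) + val
    ifd0 += struct.pack("<I", 0)                     # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0
    if with_gps:                                     # GPSLatitudeRef = "N"
        tiff += (struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2)
                 + b"N\x00\x00\x00" + struct.pack("<I", 0))
    payload = EXIF_PREFIX + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    com = b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"
```

Run it on uploads before they are written to disk or handed to a CDN. One caveat: image rotation is usually stored in the Exif Orientation tag, so apply the rotation (or re-encode with an image library) before stripping, otherwise the photo will display sideways.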
If your website runs on WordPress then you absolutely, definitely have to update to version 4.9.6 (or later), which added a number of privacy-related tools: a privacy policy page with a starter template, export and erasure of a user’s personal data on request, and a consent checkbox on the comment form.
Another useful plugin if you are a larger business and handle quite a lot of personal data is the GDPR plugin (with a name like that it has to be relevant, right!):
This is more for businesses at the level where they need a Data Protection Officer (DPO).
Do I need a Data Protection Officer?
You must designate a DPO if you are:
- a public authority (except for courts acting in their judicial capacity);
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.
You can find out more about DPOs in the resources section at the bottom of this page.
Re-Consent – the Great Myth
As previously referenced, you’ve probably heard all the scare stories about having to email every single person on your mailing list, so-called re-consenting, asking them to opt in to your email list again.
It’s. Not. True.
First of all, consent is only one of the six available ‘lawful bases for processing’.
The basis we chose for The Hersham Hub was ‘Legitimate Interests’, which has a different set of tests to consent.
The six are:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Check the ICO’s Lawful Basis guidance tool below to see which one most closely applies to you:
Once you have completed this, remember to download the guidance outcome document and save it somewhere so that you can present it if you are ever challenged about the Legal Basis that you self-determined.
For the purposes of this post, let’s pursue the options relating to consent and why you don’t need to re-consent everyone on your list… or maybe you do… or maybe you shouldn’t email them at all and should remove them.
The Information Commissioner’s Office has published a ‘handy’ 39-page reference document on the ‘Consent’ lawful basis, but let me try to summarise.
The first thing to check is:
Did my original consent meet the current GDPR standard?
- GDPR consent requires a positive opt-in, so don’t use pre-ticked boxes. If you use MailChimp with double opt-in enabled, which means the ‘subscriber’ has to positively respond to a confirmation email, you’ve got this point covered; the points below still need to be met before you can say re-consent is not required.
- Keep Consent separate from your T’s and C’s
- Make it clear what the consent applies to
- Make it easy for people to withdraw consent and clearly explain how
- Keep evidence of consent
- Avoid making consent a precondition of service
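‘Keep evidence of consent’ is much easier if you decide up front what the evidence is. Below is an added example, not the author’s code and not how MailChimp stores it, of a minimal consent ledger in Python: each sign-up records when it happened, from which form, which version of the consent wording was shown, the purpose and the IP address; consent only becomes active once the double opt-in link is clicked within its validity window, and withdrawal is recorded rather than deleted so the history survives. The field names and the seven-day confirmation window are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Added example (not the author's or MailChimp's code): a minimal consent
# ledger showing what "evidence of consent" for a mailing list looks like
# and how double opt-in gates it.  Field names and the 7-day window are
# illustrative assumptions.


@dataclass
class ConsentRecord:
    email: str
    requested_at: datetime
    source: str              # the form or page the sign-up came from
    wording_version: str     # id of the exact consent text shown (keep old versions!)
    purpose: str             # what was agreed to, e.g. "monthly newsletter"
    ip: str
    token_hash: str          # sha256 of the confirmation token; the token is never stored
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
                 confirm_window: timedelta = timedelta(days=7)):
        self._now = now                  # injectable clock, so the logic is testable
        self._window = confirm_window    # how long a confirmation link stays valid
        self._records: Dict[str, ConsentRecord] = {}   # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def request(self, email: str, source: str, wording_version: str,
                purpose: str, ip: str) -> str:
        """Record a positive opt-in; return the one-time token for the confirmation email."""
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(self._key(email), self._now(), source, wording_version,
                            purpose, ip, self._hash(token))
        self._records[rec.token_hash] = rec
        return token

    def confirm(self, token: str) -> bool:
        """Double opt-in: consent counts only once the link is clicked, in time, once."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.confirmed_at is not None:
            return False                 # unknown or already-used token
        if self._now() - rec.requested_at > self._window:
            return False                 # stale link: the sign-up has to be repeated
        rec.confirmed_at = self._now()
        return True

    def withdraw(self, email: str) -> int:
        """Withdrawing must be as easy as consenting; returns how many consents were ended."""
        active = self._active(email)
        for rec in active:
            rec.withdrawn_at = self._now()
        return len(active)

    def is_active(self, email: str) -> bool:
        return bool(self._active(email))

    def evidence(self, email: str) -> List[dict]:
        """What you would show a regulator: when, where, which wording, confirmed/withdrawn when."""
        key = self._key(email)
        return [asdict(r) for r in self._records.values() if r.email == key]

    def _active(self, email: str) -> List[ConsentRecord]:
        key = self._key(email)
        return [r for r in self._records.values()
                if r.email == key and r.confirmed_at is not None and r.withdrawn_at is None]
```

Keep every historical version of your consent wording alongside its version id, otherwise the record proves a click but not what was agreed to. Only a hash of the confirmation token is stored, so someone who can read the database cannot confirm subscriptions on other people’s behalf.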
Scenario 1 – Re-Consent is NOT required
If you use a provider like MailChimp, made clear at the time of opt-in that the person would be joining a mailing list, have double opt-in enabled and include a clear unsubscribe link, then we don’t believe re-consent is required.
Scenario 2 – Re-Consent MAY be required
If you have a list built using ‘Lead Magnets’ where there was no specific consent to join a list for marketing purposes this would put you in a grey area and I would advise obtaining re-consent.
But you could argue that if this led to a contractual relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
But maybe Legitimate Interest would be the more appropriate Legal Basis in this situation?
I believe that if you act in good faith, can demonstrate how you came to your decision, and show that you gave due consideration to the GDPR implications you will not be penalised should you come under the microscope of the ICO.
Scenario 3 – Re-Consent would not be appropriate
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place.
If you added someone to your list without them originally opting in then the correct action here would be to remove them as consent wasn’t obtained in the first place.
We’ve all probably experienced email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them.
So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily. If you do choose to re-consent, make the email clear and easy to read.
The link to the detailed guidance document on Consent can be found at the bottom of this page.
What should you do if you get a ‘Subject Access Request’?
You should update your procedures and plan how you will handle requests to take account of the new rules:
In most cases you will not be able to charge for complying with a request.
You will have a month to comply, rather than the current 40 days.
You can refuse or charge for requests that are manifestly unfounded or excessive.
If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly.
You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
My conclusion is as I stated at the beginning.
Don’t Panic, Don’t Do Nothing!
I really hope you found this useful. I tried to make it concise, practical and case-study driven without just rehashing the plethora of information available on the ICO website – if it helped you then it may help a friend, relative or colleague, so please help us by sharing this post!
As always, if you’ve got any questions feel free to ask me anything, always happy to help out email@example.com; Look me up on Facebook or join our SEO and Social Media community:
Please do take a look at the 12 Steps document below for a bit more detail around some of the points I’ve covered here, there are also links to much more detailed guidance documents.
Please do note that the information contained in this post is based on a case study and our own interpretation of the GDPR guidelines as published by the Information Commissioners Office, it does not constitute legal advice and if you are unsure about how GDPR affects your specific business or industry you should seek professional advice.
GDPR compliance checklist, helpful links and resources
Hi, I’m Nigel, founder of Devon Media, a Devon-based digital media agency.
With over 20 years consultancy experience working with blue chip companies I’m a natural problem solver – a perfect character trait for the ever changing landscape of SEO.
Feel free to ask me anything, always happy to help out firstname.lastname@example.org
And if you’re on Facebook why not swing by our group and say Hi…