Come forth business owners, put down your iPhone, stop winding up Alexa, turn off those Cryptocurrency live prices and let me share with you the story of good data management, data protection, and why it needs to be at the top of your considerations in 2018.
This is not to say it shouldn’t have been in your considerations before, as it should have been. In many ways the shake up of Data Protection in the UK through new legislation in 2018 will ensure it will feature in your plans forever more. My intention over this article is to break through the jargon and give you manageable actions you can begin implementing today, so that you are in the best position both now and in the future to meet your obligations in data management. I will also do my very best to entertain you along the way, a feat so rarely achieved by a mere mortal seeking to discuss data. No sleeping at the back.
Let’s cast our minds back to 1998. Armageddon and Saving Private Ryan were smashing the box office, I remember catching a glance of you dancing to Britney Spears (no judgement here) and talking about how exciting the new millennium was going to be, particularly if Y2K wiped out your credit card bills at the banks! Look at you now, crippled by indecision when deciding on your next Netflix binge show, gossiping over that posh coffee about why guitar bands have disappeared and ready on a moment’s notice to self-destruct in the event you mistakenly catch a glimpse of another Theresa May speech on Brexit.
If you were able to remove yourself from a game of Snake on your Nokia 5110 in 1998, you may have noticed the Data Protection Act (DPA) was implemented, replacing the 1984 version and a 1987 personal files act in the UK, off the back of the EU data protection directive of 1995. Something similar is happening this year: the DPA is being replaced with a Data Protection Bill to bring good ol’ Blighty in line with the EU General Data Protection Regulation (2016). You have until 25 May 2018 to be compliant, otherwise the Information Commissioner’s Office (ICO) has the authority and powers to investigate and penalise you, with the most flagrant breaches attracting fines of up to 20 million euros or 4% of annual global turnover, whichever is higher.
Ah I see I have your full attention now. Good.
With the rapid pace of digital innovation and just how different our lives were twenty years ago, we can all agree that data protection is an area of legislation that is rightly reviewed and revised in line with advances in technology and society. The general public’s opinion on topics such as data security and how businesses use their data also changes over time, as do the views of legislators.
A key point I wish to put to you, one that has been lost in the chatter and scaremongering about GDPR, is that strong data protection laws are the preserve of a democratic state that recognises the rights of an individual, and a much needed defence in an increasingly data-driven world. It is a safety net that should be celebrated and lauded. It isn’t, in my view, and as some like to characterise it, an overwhelmingly onerous set of stipulations preventing business from doing business. That, my friend, is simply not the truth.
The reality is that personal data should have been treated with more respect from the moment everyone started digitising their customer databases, and now we have the opportunity, you my learned article reader have the opportunity, to rectify that at your business. So enough of me warming you up before the bullet points, let’s get down to brass tacks, to business, to making you a data enlightened business with no foreseeable ICO penalties.
Are you confident that if you mention GDPR at the water cooler to a colleague they will know what you are talking about? Will they think it’s a new perfume, or a fancy cocktail bar that’s opened on the high street? It’s time for you to send this article to them so they can be brought up to speed as well. If I came down there today (and I will) and asked your business to tell me how you have changed your data collection, processing, management and controls in order to be compliant with GDPR, could you articulate this to me?
Have you recently documented what personal data you hold as a business, where it came from, when it was given to you and who has access to it? If not, do that now. By doing this you will become compliant with the GDPR’s responsibility principle, and will have evidence of it.
Do you have a privacy notice on your website and other relevant materials to inform a customer of what information you collect about them? This will need to be updated before the GDPR deadline. You are already obliged to tell the customer your identity and how you intend to use any information that you gather. You will now also have to give the lawful basis upon which you will be processing their data, when that processing will end, and tell them that they have the right to complain to the ICO should they suspect that you are not handling their data in a compliant way. Lawful basis under GDPR broadly mirrors the grounds for processing data in compliance with the current DPA.
Get familiar with enhanced rights
Protection of an individual’s rights has been extended by the GDPR, most notably in the case of data portability. These rights include:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object;
the right not to be subject to automated decision-making including profiling.
Subject access requests
SARs have been around for a while now. They enable an individual to request what data you hold about them. GDPR changes the established rules a little. The most important changes to be aware of are:
You now have a month to comply, as opposed to 40 days.
In very few cases will you be able to charge for the costs you incur in providing that data to an individual.
Do you have strong consent from an individual to have their data?
Anything other than ‘absolute’ is not good enough anymore, as it shouldn’t be or ever have been. Consent must be given freely, specifically and also be informed and unambiguous. Let me give you a quick example off the top of my head.
If your website opts a user in to an e-mail newsletter with the promise of a tombola ticket entry and with a pre-ticked agreement to your terms, that is not a freely given, specific, informed or unambiguous consent to send your marketing to them, no matter how great and useful you think your communications are.
Now, if your website opts a user in to your e-mail newsletter which specifically talks about red shoes, lets them choose the frequency they receive it, gives some indication of what great content it will contain, tells them how long you will store their data, and ensures they tick a box to consent to receiving it, then you are in a great position in terms of GDPR.
I would recommend you date/time stamp that consent as well, a feature most email marketing software provides by default.
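To make the two sign-up forms above concrete, here is an added example (not code from the original article or from FeedbackFans.com) of a small consent record and a check that flags each way the tombola form falls short while the red shoes form passes. The field names, the list of vague purposes and the sample records are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    """What was captured at the moment a visitor agreed (or not) to marketing e-mail."""
    email: str
    purpose: str                         # what the mailing is about, e.g. "red shoes newsletter"
    box_pre_ticked: bool                 # was the consent box already ticked when shown?
    user_ticked: bool                    # did the visitor actively tick it themselves?
    tied_to_incentive: bool              # was agreement bundled with a prize/tombola entry?
    frequency: Optional[str]             # frequency the visitor chose, e.g. "weekly"
    retention_until: Optional[datetime]  # date the visitor was told their data is kept until
    recorded_at: Optional[datetime]      # date/time stamp taken when the box was ticked


# Purposes too vague to count as "specific" consent (constructed list for this example).
VAGUE_PURPOSES = {"", "marketing", "terms and conditions", "our newsletter"}


def validate_consent(rec: ConsentRecord) -> List[str]:
    """Return the reasons this record is not freely given, specific, informed,
    unambiguous and evidenced consent. An empty list means it is acceptable."""
    problems = []
    if rec.box_pre_ticked or not rec.user_ticked:
        problems.append("not unambiguous: consent must be the visitor's own affirmative tick")
    if rec.tied_to_incentive:
        problems.append("not freely given: agreement was bundled with a prize entry")
    if rec.purpose.strip().lower() in VAGUE_PURPOSES:
        problems.append("not specific: the purpose does not say what will be sent")
    if rec.frequency is None or rec.retention_until is None:
        problems.append("not informed: frequency or retention period was not shown")
    if rec.recorded_at is None:
        problems.append("no evidence: consent carries no date/time stamp")
    return problems


def is_valid_consent(rec: ConsentRecord) -> bool:
    return not validate_consent(rec)


# Constructed sample records mirroring the two sign-up forms described in the article.
TOMBOLA_OPT_IN = ConsentRecord(
    email="visitor@example.com",
    purpose="terms and conditions",
    box_pre_ticked=True,
    user_ticked=False,
    tied_to_incentive=True,
    frequency=None,
    retention_until=None,
    recorded_at=None,
)

RED_SHOES_OPT_IN = ConsentRecord(
    email="visitor@example.com",
    purpose="red shoes newsletter",
    box_pre_ticked=False,
    user_ticked=True,
    tied_to_incentive=False,
    frequency="weekly",
    retention_until=datetime(2020, 5, 25, tzinfo=timezone.utc),
    recorded_at=datetime(2018, 5, 25, 9, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for name, rec in (("tombola", TOMBOLA_OPT_IN), ("red shoes", RED_SHOES_OPT_IN)):
        print(name, "->", "OK" if is_valid_consent(rec) else validate_consent(rec))
```

The point of returning a list rather than a yes/no is that each entry is something you can show an auditor or fix on the form: the tombola record collects five separate failures, the red shoes record none.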
GDPR brings in specific protection for children’s data. If you offer services to children, you may need a parent’s consent to lawfully process their data.
Ensure you have sufficient prevention, protection and detection procedures in place to remain compliant at all times. If a personal data breach does occur, in certain serious cases you will need to report it to the ICO, and in other circumstances to the individual concerned.
Privacy Impact Assessments (PIAs)
You should be prepared to regularly assess how changes you make within your business may affect the data you hold on individuals. When implementing a new technological solution, for example a CRM or e-mail marketing software, you should review how you can ensure compliance with the GDPR. You are obliged under GDPR to incorporate ‘data protection by design and by default’ into your thinking. Doing a PIA on all measures that may directly or indirectly impact the data you store should become a good business habit for you to adopt.
Data Protection Officers (DPOs)
If you are a large organisation, you should designate a formal DPO. Certain public authorities require a DPO as a mandatory position, but in the case of a small private business, you are not required by law to have one.
And there you have it, the FeedbackFans.com need-to-know tips on how your small business can put its best foot forward to be on the right side of the data protection law changes come 25 May 2018. This is by no means an exhaustive exploration of the subject, and my thoughts are offered freely and in good faith to help the many who have come to me asking for guidance. There are many conflicting views even amongst the most ardent legislative bookworms in this field, so don’t feel down if it all sounds rather confusing. Once it is in effect things will become clearer, and we will pull out some good examples of compliance at that time to guide you further. All you can do until then is the above, and keep an eye on guidance issued by the ICO on their website in the meantime.
If you have questions please do send them in and I’ll answer them to the best of my knowledge, or if I don’t know the answer, I’ll put you in touch with someone who does.
Go now, protect that data, and invite me in end of May to show off how good you’ve got at protecting it :).
I look forward to you trying to get my consent to your marketing in the near future.
Chris Barnard is Managing Director of FeedbackFans.com. Feedback Fans is part of a collective of global technology companies working towards a common goal of improving experiences that include: retail, leisure, finance, education, gaming and business services. By developing unique state of the art solutions and environments, and combining this with strategic execution, we ensure our clients and users prosper in the digital age.