I'm sure you've heard the letters "GDPR" mentioned all over the place, you're sure it may affect you, but it isn't clear how, or what you can practically do about it. With the potential to be fined up to 4% of revenue or €20 million, you certainly can't afford to ignore it!
In this article, we will cover what the new GDPR data regulations are in plain English, the main things you need to be careful of, and practical steps that you can take to limit your risk exposure. Emphasis on the plain English, as the full GDPR regulations are a whopping 88 pages long!
Disclaimer: Scorchsoft and the author are not legal professionals, and this is not legal advice. You should consult your solicitor before taking action on, or not taking action on, anything mentioned in this article.
So, what is it all about?
The GDPR regulations are a set of European laws that govern how businesses can use and store personal data. If you store client data in any way, then these will almost certainly apply to you. This includes email marketing lists, customer databases, and web app or mobile app data. As of 25 May 2018 the GDPR is now in full effect.
The data you hold must be:
- Processed lawfully and fairly, and not in ways that are incompatible with the original purpose of collection.
Don't be sneaky; it should be clear to the user at the point you collect their data as to how you will use it. If how you are using it is complicated or unclear, then you should tell the user this before they submit their data. You can't use client data outside of the reason for its collection without getting explicit approval from the user beforehand.
- Accurate and up to date.
Don't store excessively old data or incorrect data; this is a hard one to prove. So, in practice it means that you need to have processes in place to protect against improper data storage, or that keep your data up to date.
- Permits identification of data subjects for no longer than is necessary
This regulation has been in place since the original data protection act. In short, you shouldn't store old personal data. Old data is fine as long as there is no personal data attached, i.e. there is no 'data subject'. This may seem obvious, but, if it's anonymous then it isn't personal data!
- Held and processed securely.
You need to take care to store the personal data in a secure way and process it securely too. This includes protecting against accidental loss, destruction or damage.
Consent is also a very big part of the regulations, which I'll get into more detail on shortly.
Some practical steps to stay protected:
Again, we are not solicitors or legal professionals, so if you implement any recommendations within these steps (or fail to do so) then you do so at your own risk.
- Update your privacy notices, and terms and conditions.
You need to be clear to your users on how you will use their data, explain how you protect their data, and let users know of their rights. Under the GDPR they have the right: to be informed; of access; to rectification; to erasure; to restrict processing; to data portability; to object; not to be subject to automated decision making (including profiling).
- Notify decision makers and key people about the new GDPR regulations.
Especially those individuals who are responsible for the storage and processing of personal information. Make sure they are aware of the requirements of the new rules and know what to do to check that they are compliant. Make sure individuals are aware of who is compliant, and of the consequences should the rules not be followed. Document the personal data that you hold, who it came from and who it is shared with.
Track the flow of data...
Try to spot where you may change your processes. Ensure that key stakeholders are aware of how to deal with personal data requests, including requests to remove personal data or have it updated. If you are processing large-scale data, then you may also have to assign someone the role of Data Protection Officer who will take responsibility for your data protection compliance.
- Give the user the option to opt-out and make gathering consent a granular process.
Users must explicitly give consent for you to record and process their personal data. If elements of your process aren't mandatory (such as sending users email marketing), then give them the option to opt-out. If all of your processes are necessary, then force the user to accept your full policy when they first sign up.
Let's take a look at how Facebook currently forces acceptance of their terms when users register:
It's easy to base your approach on what the big businesses are doing, but in this case, we think Facebook's approach may not be permitted under the new regulations...
We agree. Maybe Facebook has the legal team and budget to be able to take the risk. You aren't Facebook, so to be safe, we would recommend that you display an unchecked checkbox and force the user to accept upon registration. The goal here is to acquire explicit consent. It's fine to require the user to agree to all opt-in boxes to register, but you must have them. If you want more information on opt-in approaches, then we'd recommend that you read the ICO guidelines for opt-in consent.
- Identify which use cases require opt-in, and make opt-in reasonably granular.
With so many ways that a business can use personal data, it can be confusing to decide what to ask users to opt into.
Here's a simple technique.
Write a list of all of the ways that you use your customers' personal data, and group them by how important they are to the provision of your primary service. If you spot anything non-essential, then consider adding an opt-in option on registration for the user to give consent to these additional uses. For example, if someone registers for your online service then being sent marketing materials via a third party is probably not essential. Pre-ticked opt-in boxes are not allowed under the new regulations.
- Force acceptance of any changes to your terms and conditions.
If you make a significant change to your terms and conditions, business model, or algorithms, then you may be at risk of processing user data differently to how the user expected when they signed up. If you can't avoid these changes, then you should force the user to accept your new terms and conditions, or have their personal data removed. You could do this via a popup on first-login, or by imposing a time limit for accepting followed by automatic removal if they fail to do so.
- Make it easy for users to check and update their own data.
If you store it, and it's personal, then you must provide some way for the user to be able to see and download their data, or update it if it's incorrect. It's not just their personal data that you should allow them to update, but their preferences around consent too. If you don't store much personal data per user, then you may simply show the user this on their password protected profile or settings area.
Portability is a thing now.
With data portability being a requirement of the new regulations, if you store a lot of data then you should provide users with a mechanism to download a summary of the data you store in an easily accessible format. A CSV file download or a zip folder of assets is typically acceptable. If you store personal data manually, then you need to have a contact form where users can request that you send them their data.
- Provide a clear way for users to delete their data (be forgotten).
You don't necessarily need to build a bespoke data deletion feature; what's important is that you have some process. As a minimum, create a new page on your website for data deletion requests and have a process within your business for manually deleting data upon user request. If a user does make a request, then you will have one month at the latest to comply. Should you decline, then you must state why, again, within this one-month window.
- Keep logs, even if you don't need them.
In the case of a legal dispute, you may need to demonstrate that you were operating within the law. How can you do this without some form of audit trail? Give some thought as to what events within your systems could be logged and used as evidence should you be challenged. For example, you could log the date that each user last updated their profiles to prove that your data is fresh and up to date. But be careful! If you store personal data in your logs then you need to do so securely, and in a way where you can remove that data once it is no longer needed, is old, or if the user requests it to be deleted.
Logging is of particular importance around consent. Keep track of the date and time every time a user gives or revokes consent.
- Auto-delete old data.
If you no longer need data and never will then you may be required to remove it from your system. If you create logs, then you may want to automatically delete them after a period from when they were collected. However, be cautious when removing everything as other EU regulations require that you retain certain types of data for several years for audit purposes.
- Anonymise old data.
The regulations apply to personal data, so if you don't want to delete old data, then you may get away with anonymising it. You may want to store anonymous usage trends but remove any association to the users that this data was originally recorded against.
- Review all automated processes.
Most web and mobile software involves some form of automation; it's inevitable. Automated decision making and profiling based on personal data is not permitted except under certain specific conditions. Look out for any process within your system whereby an automated action will have a consequence for the user, especially legal consequences. If you must have automated processes, then switch them off by default, and give the user the option to toggle them on and off.
This particular clause is risky and ambiguous, so here is an extract directly from the regulations:
"The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention." - the full clause (71) can be read on page 14 of the regulations.
- Have a process to get parental consent for users under 16 years old.
Explicitly restricting the signup of users under 16 is an easy solution to this if appropriate. However, if you must collect data from users under this age then you can only store and process it with the explicit consent of their verifiable parent or legal guardian. If you have a website or mobile app, then this means having clear facilities for managing parental consent.
- Enter into agreements with every service or company that you give personal data to, including cloud software.
If a customer gives you their personal data, and then you put this somewhere else, then this makes you an exporter of their data. For example, if a customer provides you with a spreadsheet of personal data, such as a list of email addresses, and you then host this on a cloud service such as Google Apps or Dropbox, then you've just exported their data.
You should review every company that you export data to, double-check whether you think they are safe, and enter into an agreement called a "Data Protection Addendum" (DPA) with those companies. In short, a DPA outlines your responsibilities as a data exporter and the responsibilities of the companies that you are exporting that data to (i.e. the responsibilities of the data importers).
If you are a customer of Scorchsoft or plan to be, then chances are that you need to enter into such an agreement with us too. You can request our Information Processing Agreement and Data Processing Addendum here.