New General Data Protection Regulations (GDPR) are set to come into force on 25 May 2018. The new regulations will significantly change the way companies and public sector organisations handle their customer data. The changes made are wide ranging and cover over 99 different areas. So in this guide we are going to focus on one of the most challenging rule changes – those affecting information retained on current customers, including email lists.
The premise of the new regulations is to ensure that information held by companies and organisations is properly safeguarded and customer privacy is protected. Any company that holds information on customers inside the EU will have to comply with the regulations. Failure to do so can result in large fines up to €20 million or 4% of global revenue, so it is important to ensure that your organisation stays on the right side of the law.
The accountability principle
The new regulations introduce the Accountability Principle concept which requires firms to show how they are complying with the principles of the legislation. In effect this means keeping records of decisions taken with regards to customer data. This principle not only affects the collection of new data, but data already being held.
Article 5 of the legislation requires that all currently held personal data be:
• Collected for a specific purpose and that purpose is made clear to all those whose data you hold.
• Data must not be used for any other purpose than for which you have sought permission.
• You should only hold as much data as you need to complete the task for which you are holding the data. (Any other data should be deleted.)
• All data must be accurate and kept up to date at all times. Inaccuracies must be rectified immediately and any rectifications shared with third parties to whom you have sold the data.
• You should only keep data for as long as is necessary to complete the task for which you have sought permission.
• Data should be securely stored and protected against unauthorised access.
The role of the Data Controller
The accountability principle also stipulates that a data controller must be nominated. Their role is to take responsibility for and demonstrate compliance with the regulations. In a large business, this role will be taken by a data protection officer, and in a small business it will usually be the owner or managing director. Without having the ability to demonstrate that you are complying with the legislation you are leaving the door open for prosecution if you break the rules.
What you need to do
What actions do you need to take to ensure your current data is compliant with GDPR?
Make sure you have clear consent from existing customers to use their data for the purposes you have described. Note: pre-filling a form or check box with automatic consent is not considered clear consent.
If you cannot show you have received clear consent from the customer you must obtain their permission again or conduct a legitimate interest assessment (LIA) for each form of processing (i.e. marketing) you conduct for these people. Note: only send consent request emails to customers who have already agreed to receive information from you. Trying to achieve consent from customers who have already asked not to receive information from you is in breach of current data protection legislation.
Implement an information governance framework which records the changes made to customer data. You must keep a record of individual customer permissions so that you can prove you have permission to send marketing material to them.
Delete all information which is not required for the purposes of the permission you have received e.g. you do not need to know someone’s date of birth to send an email newsletter unless it contains information which is unsuitable for minors.
Ensure all data is held securely and cannot be accessed by unauthorised personnel.
To find out more about GDPR regulations and how to get your company ready for the legislation, the ICO has created a number of excellent guides and checklists. These are particularly useful for small businesses and cover all the major areas your business will need to address to ensure compliance. These guides are available for free on the ICO website.
