GDPR Compliance: An easy guide for people who just ain't got time
To quote Google the Almighty, 'The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive, strengthening the rights that EU individuals have over their data, seeking to unify data protection laws across Europe.'
The trouble is, it's painfully boring. It also feels like a lot of admin that's just sprung up suddenly and needs to slot into your calendar somehow. If you fancy reading the full GDPR report, you can do so here. It's a whopping 99 articles long and is disgustingly difficult to read. For the key points, however, keep on reading.
Just a note: I'm no lawyer. Please don't use this as legally binding advice.
General Principles of the GDPR
These make a lot of sense. If you abide by these, you'll probably do alright amidst the various data privacy changes. Here goes:
- Be lawful, fair and transparent.
- Only collect what you need for a specific purpose.
- Keep as little data as possible.
- Make sure all data are accurate. If they're not, update them ASAP.
- Only keep data for as long as you need it.
- Keep it secure: confidential, intact and protected against loss.
- Be able to prove you're doing points 1-6 (the regulation calls this accountability).
Lawful is a pretty vague keyword here. As in, 'What does lawful mean in this raging sea of changing data law?' Well, the GDPR (Article 6) actually spells out six lawful bases, and you need at least one of them for every bit of processing you do:
- You’ve got the person’s consent.
- You need the data to perform a contract with them (or to take steps they’ve asked for before entering a contract).
- You’ve got a legal obligation that requires you to process it.
- Processing it protects someone’s life (the ‘vital interests’ basis).
- It’s a task in the public interest, or you’re acting under official authority.
- You’ve got a legitimate interest, and that interest isn’t overridden by the person’s own rights and interests. Public authorities can’t use this one for their official tasks.
A note on children: if you rely on consent for an online service offered to a child, and the child is under 16 (member states can lower this to 13, and the UK has), you need consent from a parent or guardian, and you need to make reasonable efforts to check it.
If you read nothing else of this article, read this: consent is your number one priority.
Assumed consent won't cut it anymore. Consent has to be a clear, affirmative action: users need to actively say 'Count me in', otherwise you need to count them out. No pre-ticked boxes, no consent buried in your Ts&Cs, and your opt-ins need to say plainly what the person is agreeing to. That's why you've seen a lot of businesses asking people to re-opt in over email recently. If your existing consent records don't meet this bar, or you can't show when and how each person consented, you'll need to do this too.
It's also worth noting that anybody can withdraw their consent whenever they like, and withdrawing has to be as easy as giving it was, so be prepared to pull the plug on a few email addresses promptly.
Then there are the 'special categories' of data, which you're not allowed to process at all unless one of a narrow set of conditions applies (more on those below). That's any data revealing:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data, or biometric data used to uniquely identify someone,
- Health,
- Someone’s sex life or sexual orientation.
Again, as with all legal stuff, there are exceptions. Article 9 allows processing of special category data when:
- The person has given explicit consent for one or more specified purposes (unless the law rules consent out for that purpose)
- It’s necessary under employment, social security or social protection law
- It protects someone’s vital interests and they’re physically or legally unable to consent
- You’re a not-for-profit body with a political, philosophical, religious or trade union aim, the data concerns your members, former members or people in regular contact with you, and you don’t pass it on without consent
- The person has manifestly made the data public themselves
- It’s needed for legal claims or court proceedings
- It’s necessary for reasons of substantial public interest, with a basis in law
- It’s for preventive or occupational medicine, diagnosis, or health or social care, under professional secrecy
- It’s necessary for public health, e.g. protecting against serious cross-border health threats
- It’s for archiving in the public interest, scientific or historical research, or statistics, with appropriate safeguards
You know Bare: we're all about leanness and transparency. Now transparency is becoming law, and there's a bit of a process involved.
If ever someone requests to see their data, you must provide it to them in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ (to quote Article 12 of the GDPR directly).
UNLESS you’ve got reasonable doubts about whether they are who they say they are. If that's the case, you can ask for proof of identity before handing anything over.
You've got a month to provide this data (extendable by up to two further months for complex or numerous requests, as long as you tell the person within the first month). Miss it, and they can lodge a complaint with the supervisory authority (the ICO in the UK). Unlike the data laws we're used to, you cannot charge for this information unless the request is manifestly unfounded or excessive, for example repetitive, and even then only a reasonable admin fee, or you can refuse and explain why.
Your data peeps also have a right to know why you're processing their data, what categories of it you hold, who you share it with (e.g. your mailing provider or the marketing team), how long you'll keep it, and where you got it if not from them.
Erasure: 'the right to be forgotten'
At any time, someone can request that you completely remove their data. As such, it's worth having a speedy process for doing this. You have to erase when one of these applies:
- You no longer need the data for the purpose you collected it for
- They withdraw consent and you have no other lawful basis for keeping it
- They object to the processing and you have no overriding legitimate grounds (for direct marketing, an objection always wins)
- The data has been processed unlawfully
- A legal obligation requires you to erase it
- It was collected from a child for an online service
In some circumstances, rather than have it deleted, someone can request that you restrict how you use their data:
- They dispute the accuracy of the data, while you check it
- It’s being processed unlawfully, but they’d rather you restricted it than erased it
- You no longer need it, but they need it for a legal claim
- They’ve objected to the processing, and you’re still checking whether your legitimate grounds override theirs
When it comes to both erasure and restriction, you must confirm to the person what you've done, pass the erasure or restriction on to anyone you've shared the data with (and tell the person who those recipients are if they ask), and let them know before you lift a restriction.
Lastly, you need to make sure that everyone's data is adequately secure. Most of the time you'll keep data with third parties like Mailchimp or Shopify, who have their own security measures to help you safeguard it. Under the GDPR they're your processors, though: you're still the controller, you're still responsible, and you need a written contract with them setting out what they may do with the data. Article 32 frames 'appropriate' security roughly like this:
- Pseudonymising and encrypting data where appropriate. Pseudonymisation doesn’t mean ‘nothing is traceable’; it means the data can’t be attributed to a person without extra information (a lookup table or a secret key) that you keep separately and lock down.
- Keeping your systems confidential, intact and available, and resilient to failure.
- Being able to restore access to the data promptly if something disrupts it.
- Regularly testing and evaluating your security measures, not just setting them up once.
- Making sure anyone with access to the data only processes it on your instructions, for the right reasons.
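To make the pseudonymisation point concrete, here is an added example (mine, not from the GDPR text or from any vendor mentioned above). It assumes you hold a small customer table and want to replace email addresses with tokens. The constructed sample rows and the attacker's wordlist are made up for the demo. It contrasts a plain SHA-256 of the address, which anyone can reverse by hashing a list of candidate addresses, with an HMAC under a secret key that is stored away from the data; the key is the 'additional information kept separately' that makes it pseudonymisation rather than just obfuscation, and it also lets you re-link a record when someone sends an access or erasure request.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample rows (not real people), the kind of thing a small
# shop might hold in its customer table.
CUSTOMERS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 42.00},
]

# Constructed list an attacker could plausibly assemble (leaked address
# lists, scraped sign-up forms, marketing databases).
ATTACKER_WORDLIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the raw identifier. It looks opaque, but the input
    space (email addresses) is small enough to enumerate, so whoever holds
    the table can reverse it with a wordlist. Not pseudonymisation."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held separately from the data (in a
    KMS or secret store, never in the same database). Without the key the
    token cannot be attributed to a person; with it the controller can
    still re-link records. Destroying the key turns the tokens into
    anonymous identifiers."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_table(rows: List[dict], key: Optional[bytes]) -> List[dict]:
    """Replace the email column with a token. key=None uses the naive
    unkeyed hash, for comparison only."""
    out = []
    for r in rows:
        token = keyed_pseudonym(r["email"], key) if key else naive_pseudonym(r["email"])
        out.append({"subject_id": token, "order_total": r["order_total"]})
    return out


def dictionary_attack(tokens: List[str], wordlist: List[str],
                      guess: Callable[[str], str]) -> Dict[str, str]:
    """What an attacker does with a stolen table: tokenise every candidate
    address with their best guess at the scheme and match."""
    lookup = {guess(w): w for w in wordlist}
    return {t: lookup[t] for t in tokens if t in lookup}


def find_subject(rows: List[dict], email: str, key: bytes) -> Optional[dict]:
    """Controller-side re-linking for an access or erasure request:
    recompute the token under the real key and look it up."""
    token = keyed_pseudonym(email, key)
    return next((r for r in rows if r["subject_id"] == token), None)


def demo() -> dict:
    key = secrets.token_bytes(32)  # in practice: fetched from a secret store
    naive_rows = pseudonymise_table(CUSTOMERS, None)
    keyed_rows = pseudonymise_table(CUSTOMERS, key)

    # Attacker steals the table but not the key.
    naive_hits = dictionary_attack([r["subject_id"] for r in naive_rows],
                                   ATTACKER_WORDLIST, naive_pseudonym)
    wrong_key = secrets.token_bytes(32)
    keyed_hits = dictionary_attack([r["subject_id"] for r in keyed_rows],
                                   ATTACKER_WORDLIST,
                                   lambda e: keyed_pseudonym(e, wrong_key))

    # Controller, holding the key, answers a request from Alice.
    alice = find_subject(keyed_rows, "Alice@Example.com", key)

    return {
        "naive_recovered": len(naive_hits),        # both addresses recovered
        "keyed_recovered": len(keyed_hits),        # nothing recovered
        "controller_relink": alice["order_total"] if alice else None,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the Article 32 checklist above: a hashed email column is only as protected as the secret that went into it, so the key must live in a different trust boundary from the table, with its own access control and audit trail, or the 'pseudonymised' export is personal data in all but name.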
In the event of a data breach that’s likely to put people at risk, you need to report it to your supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it. If you can’t manage that, the notification has to come with the reasons for the delay, and you can send the details in phases as you learn them. You’ll need to include:
- The nature of the breach, including the approximate number of people and records affected, and the kind of data compromised
- The name and contact details of your data protection officer, or another contact point
- A description of the likely consequences of the breach
- The measures you’ve taken or propose to take to deal with the breach, including anything to mitigate the harm
If the breach is likely to put people at high risk, you also need to tell the affected people directly, without undue delay, describing clearly what happened, the likely consequences, what you're doing about it, and who they can contact. There are a few exceptions to this however:
- The data was already protected at the time, for example encrypted so that it’s unintelligible to whoever got hold of it (encrypting it after the fact doesn’t count)
- You’ve since taken measures that make the high risk unlikely to materialise
- Contacting everyone individually would take disproportionate effort, in which case you make an equally effective public announcement instead. Either way, the supervisory authority can require you to notify people if it disagrees with your call.
This is a sticky one. Fines come in two tiers: up to €10,000,000 or 2% of worldwide annual turnover, whichever is higher, for failings like inadequate security, missing processor contracts or late breach notification; and up to €20,000,000 or 4% for breaching the basic principles, the lawful bases for processing or people's rights. So, make sure you do your due diligence! It's really not worth getting caught out.
If you need a hand bringing your business in-line with all this GDPR stuff, feel free to drop me an email at firstname.lastname@example.org and I'll happily talk you through the process.
Thanks for reading!