If you run almost any kind of serious business or organisation in the UK – particularly if you have a website and/or mailing list, or you work with social media and marketing – then you will almost certainly be affected in some way by the new General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018.
It sounds boring, and I assure you it is utterly boring. But it’s one of those tedious things, like working out the wording of your Terms & Conditions, that you need to review because you don’t want an oversight to lead to unexpected extra cost. Understand now that the top tier of GDPR fines is up to €20 million or 4% of your annual worldwide turnover, whichever is higher, if you breach the new data protection rules from 25 May 2018.
Have I got your attention?
What counts as “personal data”?
Personal data includes your contacts’ names, email addresses, postal addresses and phone numbers. Yes, the most basic form of contact information has to be protected! It also covers less obvious identifiers such as IP addresses, cookie IDs and “pseudonymised” data of the kind used by developers and web analytics software: if a record can still be tied back to a living person, it is personal data. It covers a person’s internet browsing habits, what foods they buy at the supermarket, where they fly to. And it absolutely covers special-category data such as ethnicity, sexual orientation and medical records, as well as financial data.
If you’re one of Thameside Media’s web clients then you are handling data every time you want a report about traffic on your website. If you manage a mailing list you are handling data and you are going to be facing the issue of consent to be on a mailing list. If you have a database with your customers’ business or personal details stored, not only do you need to protect that data, but you also need to write a GDPR-compliant policy. Using Facebook Ads or Google Adwords, MailChimp or an embedded Twitter feed? You bet you’re affected. If you work in a school or with patients, you will need to take great care with the personal data you handle on a daily basis. Even if you’re a sole trader or freelancer with a simple website and only a few dozen client contacts stored on your phone, you may still need to take action to be compliant.
What is GDPR in relation to other forms of Data Protection?
Data protection law has been around for years. In the UK the key piece of legislation has been the Data Protection Act 1998, which implemented the 1995 EU Data Protection Directive. The USA has the Privacy Act of 1974 (which covers federal agencies rather than businesses) and, for data transferred from the EU, the Safe Harbor framework, which was struck down in 2015 and replaced by Privacy Shield. The European Union has decided to go a step further with the General Data Protection Regulation: political agreement was reached in Brussels in December 2015, the text was adopted in April 2016, and it becomes enforceable on 25 May 2018.
Why, why, why?
It’s connected to citizens’ rights, to the notion that we can demand privacy, that snooping and piracy via the Internet need to be controlled. Blame Wikileaks. Blame the Russian hackers. Even blame human rights organisations. Do you believe people should have the right to be forgotten? GDPR helps to protect our rights in a democratic country in contrast to the situation in, say, the state-sponsored supremos of snooping in North Korea.
It could be argued the practical implementation of GDPR is an unnecessary burden on businesses without impacting the vagaries of hackers and the dark web. I would argue that.
But also blame the marketeers. They’ve been using cookies to track people’s usage of the web, to make those Mahabi slippers show up in my Facebook feed then follow me with ads around the web until I succumb to buying a pair. People complain about this kind of targeting. So blame the savvy marketers who are exploiting social media to sell, sell, sell.
Oh, that’s us, isn’t it? I’ve been helping clients to collect personal data from Google Analytics, web forms and social media, and use that data in marketing campaigns. I’d better blame myself then.
Hang on, GDPR is an EU thing? So we don’t need to bother with it after Brexit?
Sigh. That was my initial thought – that Brexit would let us off the hook for GDPR. Then I read up on the Information Commissioner’s guidance and rapidly learnt that GDPR affects us regardless of whether or not Brexit is implemented. There seem to be three reasons for this. One is that if you want to do any trade at all with the EU then you need to comply with GDPR. Another is that GDPR applies from 25 May 2018, while the UK is still a member state, and the UK is writing GDPR into its own law anyway. Not only that, but the UK may even implement extra layers of data protection over and above GDPR! The UK is already leading the field in prosecuting companies and individuals for data breaches. Have a read through the article Government to strengthen UK data protection law if you’re struggling to believe this and want to know more.
How might I breach Data Protection rules?
You may be aware of some high-profile data breaches, such as the sexual health clinic in Soho which accidentally exposed the email addresses of 781 patients on its HIV service newsletter. The mistake was to put every recipient in the CC field instead of the BCC field when sending out an email, so each person on the list could see everyone else’s address. An incredibly simple error with serious consequences: the ICO fined the NHS Trust £180,000.
All those times when companies have been hacked and data stolen, including customers’ addresses, payment details and passwords lifted and plastered over the internet – those are breaches. Not only may you be the unlucky target of hacking, you can also be fined by the Information Commissioner’s Office for being hacked, if the hack succeeded because you did not take appropriate technical and organisational measures to protect the data (unpatched software, passwords stored in plain text, no access controls on the database). Your government won’t necessarily chase the thief who took the data, particularly not if it was someone overseas outside of the UK’s jurisdiction. Instead it will fine you because you didn’t take enough care.
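The CC/BCC mistake above is easy to make in code as well as in a mail client. The following is an added example in Python (not the article’s code, and not the clinic’s), using only the standard library, that shows the three ways of addressing a bulk mailing: the whole list in a Cc header, the list in a Bcc header, and the list kept out of the message entirely and passed only in the SMTP envelope. The Bcc case carries a caveat practitioners get wrong: `EmailMessage.as_bytes()` keeps the Bcc header, and `smtplib.SMTP.sendmail()` transmits whatever bytes it is given, so the list still leaks unless you use `send_message()` (which strips Bcc) or, better, never put the list in a header at all. The sender and recipient addresses are constructed sample data and nothing is sent.

```python
"""Added example, not code from the article or the clinic: build a bulk
mailing so that recipients cannot see each other's addresses, and check the
serialised message for leaked addresses before it is handed to an SMTP server.
Only the Python standard library is used; the addresses are constructed sample
data and nothing is actually sent."""
from email.message import EmailMessage

SENDER = "newsletter@example.com"  # constructed sample sender
# Constructed sample recipients; this list is what must stay private.
RECIPIENTS = ["alice@example.net", "bob@example.org", "carol@example.com"]


def _base_message(sender, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # the visible To: names only ourselves
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_cc_message(sender, recipients, subject, body):
    """The mistake in the article: the whole list in a Cc header, which is
    delivered to every recipient along with the rest of the headers."""
    msg = _base_message(sender, subject, body)
    msg["Cc"] = ", ".join(recipients)
    return msg.as_bytes(), list(recipients)


def build_bcc_header_message(sender, recipients, subject, body):
    """Looks right but is not safe on its own: as_bytes() keeps the Bcc header.
    smtplib.SMTP.send_message() strips Bcc before transmitting, but the lower
    level SMTP.sendmail() sends whatever bytes it is given, list included."""
    msg = _base_message(sender, subject, body)
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_bytes(), list(recipients)


def build_safe_message(sender, recipients, subject, body):
    """Keep the list out of the message entirely; it goes only in the SMTP
    envelope (the RCPT TO commands), which recipients never see.
    Returns (message_bytes, envelope_recipients)."""
    msg = _base_message(sender, subject, body)
    return msg.as_bytes(), list(recipients)


def leaked_addresses(message_bytes, recipients):
    """Recipients whose address appears anywhere in the bytes that would go on
    the wire, i.e. the ones every other recipient could read."""
    text = message_bytes.decode("utf-8", errors="replace").lower()
    return [r for r in recipients if r.lower() in text]


def send_bulk(smtp, sender, recipients, subject, body):
    """Send via an open smtplib.SMTP connection, refusing if the list would
    leak. Not called in this example; shown to make the envelope/header split
    concrete. Each recipient gets the same bytes, with no list in them."""
    message_bytes, envelope = build_safe_message(sender, recipients, subject, body)
    if leaked_addresses(message_bytes, envelope):
        raise RuntimeError("recipient list present in message; not sending")
    return smtp.sendmail(sender, envelope, message_bytes)
```

Run `leaked_addresses()` over the output of each builder: the Cc and Bcc-header versions both report all three recipients, the envelope-only version reports none. The check is deliberately run on the serialised bytes rather than on the message object, because that is what actually leaves the server.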
Individual employees or business owners can be fined as well as organisations.
Lost your laptop? Data breach, data breach! Copied a database with sensitive information to your home computer? Potentially a massive fine. Customers complaining that you sent letters with sensitive information to the wrong address? Bad publicity and another fine! Or that you put them on a mailing list they didn’t ask to be on? Everyday breach!
Copied emails from a secure email address to a non-secure email address and been hacked by the Kremlin as a result? “Lock her up, lock her up,” the crowd will chant.
It is your reputation and wallet that will suffer.
You can see all the action taken by the ICO here. The screen grab shows recent enforcements.
And these examples are all before the more far-reaching GDPR is implemented. The current maximum fine under the Data Protection Act 1998 is £500k. After 25 May 2018 the upper tier rises to €20 million (about £17 million at today’s rates) or 4% of worldwide annual turnover, whichever is higher.
Can Thameside Media help you become GDPR compliant?
Last year, the Oxford University Hospitals asked Thameside Media to implement a number of security and data protection measures for websites that we manage for the Trust. It was at that point that we signed up to the Information Commissioner’s Office and created policies about taking the issues of data protection seriously. It is because of these policies that Ros at Thameside Media has since refused to take on a couple of web projects that she felt were going to breach the policies in a big way. We have also had three other clients enquire about the implementation of GDPR, which prompted Ros to research the issues in more detail and write this article.
GDPR is a complex area with the threat of prosecution if you get it wrong or miss something. Yes, Thameside Media can help implement elements that are necessary to comply with the new regulations. But we are not experts, and data control applies to more than just the digital systems that we help you manage. You need to understand that you, the client, are the Data Controller, whereas Thameside Media is a Data Processor. We both have responsibilities, but your business or organisation is the ultimate entity in law. Research the subject for yourself. A good starting point is to take in these two resources on the Information Commissioner’s Office website:
- Preparing for GDPR: 12 steps to take now. A basic intro.
- Self-assessment toolkit. This is a very tedious questionnaire, and it won’t tell you what you need to do, but it will alert you to your responsibility to examine what data your business handles, and to think about how you might protect that data.
The ICO information feels like it’s written for larger organisations where you can consult your legal department, but of course most SMEs don’t operate like that. The business owner needs to understand the issues and ensure that colleagues, staff and 3rd parties handle data responsibly.
There are companies springing up as specialists on the subject of GDPR, and I would urge anyone unsure of their responsibilities after looking at the information on the ICO to contact a specialist. Every business is different, and you really need to work out how data protection issues might affect your specific business.
MailChimp has also published guidelines about GDPR here.
For some of our clients, compliance may be as simple as adding a tick box to a newsletter signup form or a cookie consent policy to their website. We can implement elements such as these at our standard hourly rate for ad-hoc work. Please let us know if you want something.
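The consent question raised earlier for mailing lists, and the tick box mentioned here, as an added example in Python (not the article’s code, nor MailChimp’s) of what the server side of a newsletter signup form has to do: treat an absent or unticked box as no consent, never render the box pre-ticked, and keep a record of who agreed to which wording and when, since under GDPR you must be able to demonstrate that consent was given. The field names, the consent wording and the in-memory record are my assumptions; a real deployment would store the record alongside the subscriber.

```python
"""Added example, not from the article: server-side handling of a newsletter
signup form with a consent tick box. Assumptions (mine): the form fields are
named 'email' and 'consent', the consent wording is versioned so each record
can say exactly what was agreed to, and records are returned rather than
written to a database."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Wording shown beside the box. Its hash goes into each consent record so the
# record still proves what the person saw after the wording is changed later.
CONSENT_TEXT_V1 = ("Yes, email me the newsletter. "
                   "I can unsubscribe at any time using the link in each email.")

# Values a browser may send for a ticked checkbox; anything else is not consent.
TICKED = {"on", "yes", "true", "1"}


def wording_fingerprint(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass
class ConsentRecord:
    email: str
    purpose: str        # what the person agreed to receive
    wording_hash: str   # fingerprint of the exact text they saw
    recorded_at: str    # UTC timestamp, ISO 8601
    source: str         # where the consent was collected


class SignupError(ValueError):
    """Raised when the submission must not be added to the list."""


def handle_signup(form, source="website-form", now=None):
    """form is the dict of submitted fields, as a web framework provides it.

    A browser omits a checkbox field entirely when it was not ticked, so a
    missing 'consent' field is a refusal, not a default yes. The server never
    infers consent from anything but an explicit tick."""
    email = (form.get("email") or "").strip().lower()
    if "@" not in email or email.startswith("@") or email.endswith("@"):
        raise SignupError("a valid email address is required")
    if str(form.get("consent", "")).strip().lower() not in TICKED:
        raise SignupError("consent box not ticked; not adding to the list")
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(email=email, purpose="newsletter",
                         wording_hash=wording_fingerprint(CONSENT_TEXT_V1),
                         recorded_at=timestamp, source=source)


def render_signup_form(action="/signup"):
    """The matching HTML: the box has no 'checked' attribute, so it renders
    unticked and the person has to act to opt in."""
    return (f'<form method="post" action="{action}">\n'
            '  <input type="email" name="email" required>\n'
            '  <label><input type="checkbox" name="consent" value="yes"> '
            f'{CONSENT_TEXT_V1}</label>\n'
            '  <button type="submit">Subscribe</button>\n'
            '</form>')
```

The record deliberately stores a fingerprint of the wording rather than assuming the current text: if the wording changes in a year, you can still show what each subscriber actually agreed to. The same pattern applies to a cookie consent notice, where the "purpose" would be the category of cookies accepted.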
DISCLAIMER: This article is intended as an introduction to GDPR and in no way constitutes a statement of me being particularly knowledgeable on the subject, nor being in a position to know if you are compliant, nor being able to say definitively if any action you want us to take makes you compliant. Clients are ultimately responsible for data protection in their business.