The requirements for businesses under GDPR have been set out for two years. So why the last-minute panic? In this comment piece, Ci’s Director of Policy and Advocacy, Maeve Walsh, looks at the preparations that businesses should by now have completed to comply with GDPR and the incentives for getting it right – for all of us.
The introduction of the EU General Data Protection Regulation (GDPR) in a few days’ time is a once-in-a-generation update to the existing and somewhat dated data protection framework from 1998. Twenty years on, many of our business, financial and social interactions take place over the internet, and as a result our valuable personal data is now being processed by, and shared with, more organisations than we are probably aware of.
GDPR is a complex framework of requirements. But, although it has been available for two years ahead of its introduction, many businesses are only now coming to terms with the changes that they will need to make. What’s taken them so long? At its heart is the principle of “data privacy by design and default”, which requires that considerations for the safe and secure processing of personal data are understood before those activities can take place. It introduces a greater set of rights for data subjects, allowing each citizen more visibility and control over why, how and where their personal data is processed. With potential fines as high as £17m/€20m if companies don’t comply or there is a breach, there is a huge incentive to take GDPR seriously.
Let’s take a look at one specific sector. Over the last 20 years, online retail has boomed, whether for the weekly grocery shop or for a new car. Supply businesses are now regularly processing the personal data of millions of customers as a matter of routine. That personal data is probably being processed by many different parts of their business: the back-office IT function, the staff who prepare and dispatch the order, those who take payment information, delivery staff and, in some situations, returns handling teams. It’s essential that data processing activities are properly mapped out and adjusted to ensure “data minimisation” – but do all staff need to see every component of the customer’s transaction data? How can this be reduced to lower the risks to that personal data? Is automated processing of personal data any more secure than manual intervention by staff?
Under GDPR, customers will rightly expect to have a clear and unambiguous understanding of why they are submitting their personal data, who will have access to it (both people and IT systems), and how it will be kept securely. This requires a review of Privacy Notices, and the clauses within the standard terms and conditions that communicate information about the need to process personal data. GDPR specifies six possible reasons why personal data may need to be processed, and at least one of these needs to be valid for the processing to be lawful. In our earlier example, the supply of goods or services to a customer is likely to be based upon “a contract with the data subject” (where the data-processing activities have been detailed in the contract), or alternatively “the explicit consent of the data subject” (where their approval for the processing of their personal data for specific purposes has been obtained).
For other data-processing activities, such as direct marketing to an existing customer base, the basis of “legitimate interests of the business” will probably be most appropriate, but care needs to be exercised to ensure that the interests of the business do not exceed the rights of the data subjects. Continuing the retail theme, with a growing number of businesses providing customer loyalty schemes, and the consequential gathering of larger volumes of personal data on customers’ behaviour, there is a clear need to understand:
Almost every business employs people. A further consideration for businesses under GDPR is to be able to demonstrate that the processing of their employees’ personal data can be securely managed too, whether for payroll and benefits administration, performance management, training and so on, or for the “legitimate interests” of the business (e.g. time keeping, productivity, etc.). These requirements can (and should, by now) be clearly defined and communicated within an updated employment contract.
Finally, let’s not overlook the financial penalties for non-compliance or personal data breaches. The latter requires that businesses’ personal data processing systems and activities (both manual and IT-based) can identify when something has gone wrong. Education and awareness programmes are needed to communicate the importance of identifying and reporting errors promptly. And, of course, financial penalties may not just be limited to statutory fines but can potentially arise from any civil claims which may be brought by an affected data subject.
So, it’s an understatement to say that GDPR is requiring significant focus and effort from all businesses. But it is entirely appropriate for the level of personal data processing in today’s world. Each one of us is a data subject, and we should all have a reasonable expectation that our personal data is being kept securely, processed only for purposes we understand, and promptly deleted when no longer needed.
That’s not too much to ask, is it?
This article originally appeared on the Observatory for a Connected Society, powered by Corsham Institute and RAND Europe.