Unlike the GDR, the GDPR is still with us

GDPR – 3 months on from enforcement

Do you remember the halcyon days before May 25th, 2018?  Those carefree times when you could scrape data without a care in the world, send emails to whomsoever you pleased, use Facebook to acquire petabytes of information that you could process or sell on, or both. You could even pretend to buy elections or referendums.

It was never really like that of course, unless you were willing to play fast and loose with the data protection legislation, but there is no doubt that awareness of data security, for individuals and companies, was dramatically focussed during the run up to the enforcement (note not the introduction, that was 2 years ago) of the General Data Protection Regulations (GDPR) on the 25th of May this year.  

Of course, now that it’s all done and dusted you can sink back in your comfy executive chair, put your feet up and relax.  Can’t you?  The problem with rhetorical questions, and half of the point of them, is that you know what the answer is before it’s delivered.  In this case that would be a resounding ‘No’, and we are going to take some time to clarify and explain why GDPR and data security in general is for life, not just for May 25th.

The purpose of the GDPR was to make the way we gather and use data fit for purpose, now and moving forward.  It follows therefore that it was never going to be a simple one-off process, like dealing with the Y2K bug, or Brexit...

GDPR is the gift that just keeps on giving, and because you haven't had the Information Commissioner's Office (ICO) knocking down your door yet doesn’t mean you’re home free.  Since May this year there has been a fivefold increase in the number of self-referred data breach notifications made to the ICO. Although the ICO had predicted such a rise, it is evidence that organisations are taking the new rules seriously.

Along with a few other organisations, we offered a little advice earlier this year to help you get to grips with the changes coming with GDPR, so what should have been done, and what do you still need to keep on top of.

Data Audit

Back at the start of January this year, we posted our guide to 20 things you need to know about GDPR and your website (if you missed it, now would be a good time for a quick refresher).  

First on the list was perform a personal data audit.  Did you?  If you haven’t, then you don’t really know what your exposure is. No one likes audits, equally no one likes paying fines or casting around desperately trying to resolve a problem after the fact, so if you have not performed your data audit yet, do so.  Without an audit you simply don’t know whether you have problems that need to be resolved, and as we pointed out in January, those problems may go as deep as the plugins your website uses.  This is detailed stuff and no, it’s nobody’s idea of fun, but it is necessary.  It may be that you cannot investigate or make necessary changes yourself, but you should seek written confirmation from your web company that your site is fully GDPR compliant if you haven’t already done so.  Identify whether your data is being processed in-house or by a third party with your agreement as this has a bearing on the actions you need to take.

Consent

Ah, consent.  To read some of the approximately 2,809,342,756,345,221 words written on GDPR you could be forgiven for thinking that GDPR was all about consent - sort that out and you’re done.  That is simply not the case, it wasn’t then, and it isn’t now.  Consent is important, and it has become more important post-GDPR, but it is not the be all and end all of compliance.  What then did the GDPR change with regards to consent and compliance?

Well the following is something you may hear often and repeated ad nauseam: 
"The fundamental change within the GDPR is that you must have explicit consent every time you collect a user’s data."

Well, listen to an expert:
"This is fundamentally incorrect. There are only a handful of identified times when you must be able to demonstrate 'explicit consent' - this is what most companies are getting wrong. There are other times when consent (not explicit) is enough to process and even more when consent is not even needed."
 - David Mills, Computer Law

I know it's common sense but what you must be clear about is exactly why you are collecting that data and to what purpose it will be put.  

There are a series of lawful bases for processing data which may apply but assume that you need consent from the outset.  Prior to the GDPR consent could be implied – you signed up to a newsletter, so we can use your data for statistical analysis – this is no longer the case.

The third way

Do you use third parties to process data?  If so you should by now have amended your contract(s) to confirm this in writing.  We created this as a simple means of receiving this form marketing consent, see here. This responsibility rests on your shoulders, you can’t plead ignorance and it still applies even if the third party is based outside the European Union (EU) as it’s the users data that needs respected.  That includes any Cloud services you may use, and you should have ensured that your service level agreements take into account the GDPR requirements regarding data security, retention and the need to delete if requested. We are strong advocates of dedicated web servers as they offer better security, resilience and manageability, however there may be occasions where you have to outsource certain functions.  Just remember that as far as the ICO is concerned, you, AND NOT the third party, are responsible for what happens with personal data you have collected or caused to be acquired.

If you don’t need it, delete it.

If you hold historical data which you have no further use for, delete it.  If you have determined that you do need it, and you do not have explicit consent (and cannot point to this) to continue holding and using that data, then obtain it.  You may choose to pseudonymise the data (remove and replace certain identifying characteristics) to increase its security, but that’s all you are doing and “pseudonymisation does not replace consent”.

Design for life

The EU put privacy by design at the core of the GDPR and your data audit should have highlighted areas where this applicable. Consequently, you should already have taken steps to achieve this.  The concept of Privacy by Design isn’t new, but the GDPR made it a mandatory requirement. 

In short, you need to consider the privacy and security requirements of a system from the outset, it is no longer enough to ‘bolt on’ security.  ‘System’ in this context doesn’t simply refer to a new application or web service, but to all the procedures and services that rely on processing personal data – treat ‘system’ in its widest sense here.  Where your organisation stands on this issue is something that should have been highlighted in your data audit.

Your private life drama baby leave me out

Apologies to The Pretenders and Grace Jones but privacy, and privacy notices are all the rage now, mainly because the GDPR has made them a necessary adjunct to informed consent, dictating that they be:

• Accurate; and 
• Explicit about what data is collected;
• Why it is collected;
• What happens to it; and 
• Your rights to have it deleted;  

This was covered earlier this year in detail so we won’t rehash it here, but privacy notices are a vital tool to ensure your compliance.  If you’re going to the nth degree, one interesting example that cropped up recently is the need for organisations to draft a restricted privacy notice to send to any job applicants – you are after all going to process their data to determine whether they are suitable – so you need to issue a notice to that effect.

Where now?

We always knew that the GDPR wasn’t going to be a simple or short-term affair and best practice means constantly monitoring and reviewing its requirements and how well you are meeting them.  

Inspire can take some of that load off you; starting with your personal data audit we can guide you through all the steps necessary to keep you, your data and your customers informed, safe and happy.  

If you are still finding GDPR a millstone, or just a bit scary, call us to arrange to discuss your requirements.