A Client Guide To GDPR

What is the General Data Protection Regulation (GDPR)?

The European Parliament, the Council of the European Union, and the European Commission combined forces in April 2016 to protect the data of EU residents. Details can be found on the EU GDPR website.

This law extends to international companies that handle EU individuals’ data. Protected information includes names, physical addresses, email addresses, bank information, photos, medical data, computer IP addresses, and even social media posts. As of May 25, 2018, the binding regulation will be enforced, and your company could face legal liability for failing to comply.

Privacy Policy

Most small businesses store data in multiple places. Trying to come up with a single GDPR solution to cover all situations is going to be very difficult. If this is the case, we suggest you deal with each storage issue in its own right. Then produce a Privacy Policy that links them all together.

Update your Privacy Policy Statement to include details of GDPR. Keep it separate from your Terms & Conditions. Note that if any items in the following list do not apply to your business, leave them out. Many small businesses do not use automated decision making (such as loan agreements or credit checks). The ICO has some recommendations for sections to include in a Privacy Statement. You can find more detail on the ICO website:

  • Who we are
  • What personal data we collect and why we collect it
  • Cookies
  • Embedded content from other websites
  • Analytics
  • Who we share your data with
  • How long we retain your data
  • What rights you have over your data
  • Where we send your data
  • Your contact information
  • How we protect your data
  • What data breach procedures we have in place
  • What third parties we receive data from
  • What automated decision making and/or profiling we do with user data
  • Industry regulatory disclosure requirements

Cookies

Under the UK’s Data Protection Act 1998 all websites should include a Cookie Statement that provides details of how cookies may collect data about a visitor. Most of our clients already have Cookie Statements included in the Privacy Statements that Integralvision created for them. Any previous Cookie Statement needs to be rolled into your updated Privacy Statement.

You will notice that websites often demand that you agree to accept the use of cookies before you can even access the website. This is often in the form of a pop-up or a bar at the top or bottom of the page.

Integralvision can provide this option on our clients’ websites on request. There may be a small charge for doing this, depending on how the website is built.

Newsletters/Mailing Lists

Do you have an online mailing list of some sort (e.g. a newsletter)? Have your customers given consent to be included on it? Can you prove they gave consent? This may not be strictly necessary, as it depends on what sort of relationship you have with your customers. Below we deal with the different types of Newsletters/Mailing Lists and how they may be affected by GDPR.

This may be an in-house system built into your website, in the form of a custom developed newsletter system or a third party plugin. Alternatively, you may be using an external mailing list service provider where the subscribers and mail-outs are stored on their systems.

Built in Mailing System

A built-in Mailing System is likely to be part of your WordPress Admin Area or website CMS. If you are using WordPress, this may be something like MailPoet, or a custom developed website may use a self-contained newsletter system. The contact data will normally be stored in your web server’s database, so you need to check with your hosting provider what steps they take to protect their servers. You might want to include a brief description of hosting security in your Privacy Statement. If you collect subscribers’ data on your website, check that the sign-up form is secure and that the data is sent over the Internet by a secure method. For help with some of the above issues see: Securing Your Website.

Make sure you provide help with unsubscribing from your mailing list on your website, as well as in any emails you send out.

Third Party Mailing System

There are many dedicated mailing list service providers (such as MailChimp). These will provide their own GDPR statements. I would recommend you study these and consider incorporating any relevant sections into your own Privacy Statement.

Some businesses may collect subscribers across several systems, so you need to take each of these into account.

In house Contacts Database

Many small companies rely on storing data offline in various forms, depending on their business. These are often legacy systems such as FileMaker databases or Access for Windows. Things you need to consider with regard to protecting this offline data:

  • Is the database password protected? If not, set one up.
  • Are any database backups encrypted?
  • Who has access to the database?
  • Does the database record how the contact gave permission to store their data?
  • How easy is it for the public to check their data? Consider a layout in your database that makes it easy for you to view an individual’s data in one go and is easy to print out to satisfy any request.

Why do you keep the Data?

In your privacy policy explain the reason you collect and store data about your customers. For example, a hotel may collect information to enable room bookings and to provide follow up marketing. Or a customer may be interested in future products or deals. Small businesses often benefit from providing products or services to people who share similar interests or lifestyles. Being part of a “community” can be a good selling point when obtaining consent.

Who has access to the Data?

Ideally, designate who is allowed access in advance and only allow that group to have password access to a computer containing data. Print out the basics of data protection and pin them in a visible place. List the staff who are responsible for data protection. Consider training staff and even getting them to sign a short letter of agreement to protect data.

How long can you keep data?

The General Data Protection Regulation states that personal data must be kept “no longer than is necessary for the purposes for which the personal data are processed” [Art.5(1)(e)].

A retention policy helps reduce the risk of losing sensitive personal information that could potentially cause harm to the people involved.

For example, you have a customer list that dates back 10 years. This list has sensitive information such as their home address, email and phone number. If this list is compromised, a number of these people could suffer from issues such as identity fraud, potentially costing them money or various other issues.

Consent

Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a business must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead.

Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a business has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.

The above is primarily copied from the ICO website.

There is a very useful Consent check-list for business on the ICO website.

So does my small business need to contact all my customers to ask them to give consent to be on my company’s systems?

According to the Deputy Information Commissioner, when interviewed on Radio 5 Live:

“if you already have an existing relationship with a customer selling them services or goods they have already purchased things from the business, then the law really allows that relationship to continue.”

If those on your mailing list are not customers with a previous relationship with your business, and you cannot prove that they gave clear consent to join, then you must ask them again for permission to include them on your list. This is known as repermissioning. You will also need a way to keep a record of their consent. However, there is a Catch-22: if you do not have consent in the first place, you risk breaking the law by contacting them to ask for consent.

How do you renew consent?

Small businesses may have data going back many years, and the question many are asking is what to do with this legacy data, particularly where you obtained an individual’s personal data in the course of a sale or negotiations for a sale of a product or service. Renewing consent for such data is known as “repermissioning”.

The draft ICO guidance (PDF download) provides some help, stating that:

  • The draft document states “You are not required to automatically refresh permission in preparation for the GDPR”.
  • But it is important to check your processes and your data in detail to be sure that your existing permission meets the higher GDPR standard.
  • Where existing permission doesn’t meet the GDPR’s high standards or is poorly documented, you will need to seek fresh GDPR-compliant permission, identify a different lawful basis for your processing, or stop the processing and delete the data.
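As an added illustration (not from the original guide or the ICO), the Python script below shows one way an in-house contacts database could do what the sections above ask for: record the lawful basis and consent evidence per contact, list contacts who rely on consent but have no record of it (the repermission-or-delete cases), flag records kept longer than the retention period for their purpose, and export one individual’s data in one go for an access request. The table layout, sample rows and retention periods are assumptions, not values from the guide.

```python
import sqlite3
from datetime import date

# Constructed sample rows (not real customers). Each contact records the lawful
# basis relied on and, where that basis is consent, how and when it was given.
# Columns: email, name, lawful_basis, consent_source, consent_date, last_activity, purpose
SAMPLE_ROWS = [
    ("ann@example.com", "Ann", "consent", "web signup form", "2017-11-02", "2017-11-02", "newsletter"),
    ("bob@example.com", "Bob", "consent", None, None, "2009-03-14", "newsletter"),
    ("cat@example.com", "Cat", "contract", None, None, "2016-06-30", "bookings"),
    ("dan@example.com", "Dan", "contract", None, None, "2010-01-05", "bookings"),
]

# Assumed retention periods (years) per purpose. GDPR only says "no longer than
# is necessary", so a business sets and documents these values itself.
RETENTION_YEARS = {"newsletter": 2, "bookings": 6}


def open_db():
    """Create an in-memory contacts table loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE contacts (
        email TEXT PRIMARY KEY, name TEXT, lawful_basis TEXT NOT NULL,
        consent_source TEXT, consent_date TEXT, last_activity TEXT NOT NULL,
        purpose TEXT NOT NULL)""")
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def missing_consent_evidence(conn):
    """Contacts relying on consent with no record of how or when it was given."""
    rows = conn.execute("""SELECT email FROM contacts
        WHERE lawful_basis = 'consent'
          AND (consent_source IS NULL OR consent_date IS NULL)
        ORDER BY email""")
    return [r[0] for r in rows]


def past_retention(conn, today_iso):
    """Contacts whose last activity is older than the retention period for
    their purpose, i.e. data kept longer than necessary (Art. 5(1)(e))."""
    today = date.fromisoformat(today_iso)
    expired = []
    for email, last_activity, purpose in conn.execute(
            "SELECT email, last_activity, purpose FROM contacts ORDER BY email"):
        cutoff = today.replace(year=today.year - RETENTION_YEARS[purpose])
        if date.fromisoformat(last_activity) < cutoff:
            expired.append(email)
    return expired


def subject_export(conn, email):
    """Everything held about one individual in one go; None if not on file."""
    cur = conn.execute("SELECT * FROM contacts WHERE email = ?", (email,))
    row = cur.fetchone()
    return None if row is None else dict(zip([c[0] for c in cur.description], row))
```

Contacts returned by `missing_consent_evidence` are the ones the ICO guidance says need fresh permission, a different lawful basis, or deletion; those from `past_retention` should be reviewed against your documented retention policy before removal.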

When sending repermissioning emails make sure you mention the benefits of staying on your mailing list or allowing you to store their data. For example, future sales and bookings may be quicker and easier; they may be entitled to receive special offers and discounts, be informed of new products in advance or attend special events.

Legitimate interests

While consent has been the most widely publicised, it is not the only basis for lawful data processing under GDPR. In fact, there are six bases. Legitimate interests is the most flexible of the six lawful bases. It is not focused on a particular purpose and therefore gives you more scope to potentially rely on it in many different circumstances.

Recital 171 of the GDPR reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation”.

Furthermore, Recital 47 of the GDPR actually says that:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

This could be taken to mean, for example, that if a business wishes to email marketing about a new product or service to its clients, it can often do so in reliance on its ‘legitimate interests’ – it generally does not need its customers’ consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).

Obviously, don’t send re-permission emails to anyone who has opted-out of email marketing or where you have no evidence of your legal basis for email marketing.

Confused? So am I. Whatever route you take, remember you may be required to back up your reasons with proper documentation or proof.

The whole issue of Legitimate interests is a bit of a minefield, but we do not recommend seeing it as a loophole. Read up on Legitimate interests on the ICO website and decide for yourself.

Is the data protected?

It’s all very well protecting the data online, but what about your offline data storage?

The obvious scenario to be concerned about is your office being broken into and a computer or hard drive containing data being stolen. Besides good office security, any computers should be password protected. It is a good idea to require a password after a fixed period of inactivity. A strong password is essential: preferably at least 10 characters, a mixture of letters and numbers and a symbol. The computer’s disk should also be encrypted.

How to Encrypt Mac OS X Startup Disk

OS X offers two ways of regaining access to an encrypted disk: a Recovery Key, or your Apple account by logging into the iCloud.com website. If you are the type who does not remember passwords, iCloud may be the safer option. However, log in to your iCloud account first to make sure you know the password.

How to turn on device encryption on windows 10

You also have a duty to protect the data from being lost. Make sure you have daily backups kept separately, and that they too are protected.

Misc. Security

If anyone does gain access to your computer and you store passwords in your browser’s Password Manager, they might have easy access to data stored on servers and third party websites. This is because your browser may remember the password and insert it automatically in the login window. Always set a Master Password for your Browser Password Manager (if it allows it – this might require a browser extension).

NEVER use email to distribute sensitive information of any kind.

Securing your website

Most people know that the Internet is one of the most common places where data is stolen. You need to ensure that your website is as secure as possible. If you rely on a third party for hosting and managing your website, check with them what resources they have in place to protect it. If you manage your own website, I recommend you seek advice from experts.

Make sure your website is hosted with a reliable provider. The big hosting companies go to a lot of trouble to ensure their systems are secure as their reputations depend on it.

Talk to your web developer about what precautions they take to protect your website against hacking attempts.

Note that WordPress websites are particularly vulnerable for two reasons: their popularity worldwide, and their use of multiple third party plugins. Special measures must be taken to protect WordPress sites, including regular updating and installing dedicated security software.

There is support among much of the industry for adding SSL security certificates (HTTPS instead of HTTP) to all websites. For example, Google sees HTTPS as a basic security step that websites must take in order to protect users, and some browsers flag websites not on HTTPS as not secure by default. From June 2018, sites without SSL certificates may perform worse in Google results.

Though GDPR does not contain any specific section on the use of SSL certificates, it states that regulated information must be protected with “appropriate technical and organisational measures”, including encryption of personal data and “the ability to ensure the ongoing confidentiality of systems and services”.

Installing an SSL Security Certificate will encrypt data where possible. It will add a green security padlock to the address bar of a browser and HTTPS to your URL. While SSL certificates don’t wholly secure a website, they do secure user data as it travels between the user’s browser and the website server (for example, contact details sent via a form). The green padlock is particularly important if you’re running an e-commerce website.

Note that there may be annual costs associated with an SSL certificate.

Who you share data with

If you are selling online, you may be using a third party payment portal, and customer details may be passed to them to fulfil the order. Include this in your privacy policy. Make it clear that contact details and payment information are sent over a secure network directly to the payment processor. Link to the payment processor’s privacy policy as well.

Is GDPR only about my Customers Privacy?

Under the new GDPR legislation all personal data processing will be affected. This includes customers as well as employees and supplier data.

The GDPR won’t apply after BREXIT?

This is incorrect. Post-Brexit, the GDPR still applies to the UK. Additionally, the UK plans to take on board EU regulations after Brexit. However, there is no guarantee that the UK government will not tinker with the regulations when they are transferred into UK law.

What Are the Risks if I get it Wrong?

Paul Jordan, the Europe managing director of the International Association of Privacy Professionals, offered one silver lining. “I think it’s quite clear that a number of companies won’t be ready [for GDPR], but if they can demonstrate they have been planning appropriately [then regulators will give them] a certain leeway.”

Elizabeth Denham, the Information Commissioner, told BBC Radio 4’s Today programme that small businesses which did not make extensive use of customer data would not come under close scrutiny. Instead, the focus would be on big companies – particularly those in the technology sector – that “deliberately, persistently or negligently misuse data”, she said.

“The law isn’t about fines, it’s about incentives to get businesses to step up and take responsibility for the data that is a part of our digital world. The UK advocated with other EU members for higher fines and I believe these are important to get companies to take their responsibilities seriously.” Elizabeth Denham, the Information Commissioner

Our thoughts on this are: if your list includes previous customers as well as ordinary subscribers, consider the risk of emailing subscribers asking for consent and compare this with your list of previous customers. Is it really a loss to remove ordinary subscribers who have never used your business?