What should your board be doing about GDPR?
28 May, 2018
The General Data Protection Regulation (GDPR) came into force on May 25th, with thousands of SME businesses still wondering what the new Data Protection law is all about – and many in some doubt as to whether GDPR affects them.
Hopefully, this post will bring some clarity for firms that have missed the boat and are still standing on the dock of confusion!
A common area of misunderstanding is in regard to marketing and compliance practices; why they need to be updated and what role your board of directors should play.
Clarity on the GDPR requirements
Perhaps one of the main challenges of the new regulation was a lack of clarity on what it means, for SMEs and large corporations alike, and, more importantly, on what firms need to do in order to comply.
The Information Commissioner’s Office is the UK’s official representative for the EU GDPR Working Party and has been very proactive in its efforts to provide clarity on the requirements. This was quite a tall order, as much of the detail was not released until fairly recently. However, the ICO has published a great deal of content which explains the GDPR requirements in plain English, providing a helpful resource for all who are affected by the new regulation.
Is GDPR really such a big deal?
It is evident that the new regulation has focused the attention of large numbers of law firms, business consultants and others, all scrambling to offer professional advice and implementation support. In many ways, this hive of activity is reminiscent of PPI claims. Some commentators have even suggested that complaints of non-compliance and data breaches are likely to become the next 'PPI scandal' – so it's hardly surprising that so many businesses are not taking the GDPR any more seriously than they did the former Data Protection Act.
Penalties for non-compliance are frighteningly significant. Fines of up to £18m, or 4% of the firm’s worldwide turnover, can be imposed by the ICO on firms that have deliberately failed to comply, or that continually fail to address data protection shortcomings. Surely this is a sufficiently compelling reason for any board to sit up and pay attention, and it is therefore fundamental when considering what your board should be doing about GDPR.
How to make the consent processes more robust?
First, some clarity on the definition of the term 'processing'. If you are storing data on a living person, you are processing their data. You will not win an argument with the ICO by trying to claim otherwise. Obtaining compliant consent from individuals to 'process' (i.e. use) their data has been a huge focus of GDPR discussions. During the run-up to May 25th the ICO published its final guidance on consent, setting out how consent differs under the new regulation. This guidance compares the former Data Protection Directive definition of consent with the new GDPR definition as follows:
The GDPR definition of 'consent':
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The previous DP Directive definition of 'consent':
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
It also notes that whilst ‘the key elements of the consent definition remain ... the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action’ and that ‘this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements ... In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.’
Basically this means your contacts have a greater degree of choice when they initially give their consent and, in future, they can expect to command greater control over precisely how their data is managed.
So, is GDPR just about consent?
More robust methods of managing consent are certainly a major factor of the new regulation. However, it would be incorrect to assume that GDPR compliance is purely about obtaining compliant consent. Consent is only one of the lawful bases for processing personal data; there are actually five others. During the run-up to what many referred to as the “GDPR deadline”, millions of email inboxes were flooded with emails encouraging recipients to read senders' new privacy policies – instead of seeking compliant consent.
If your firm is still engaged in seeking compliant consent from individuals, it would be worth considering whether one of the other bases is more appropriate. Again, the Information Commissioner's Office offers guidance on this.
The 'Privacy Panic'
The danger with this particular consent approach, he says, is that while larger organisations may be acting on ‘expensive legal advice that this was the safest route to take’, smaller businesses may follow their lead, and ‘risk losing contact with customers who could be vital to their future’.
May 25th was not a 'deadline'
In a TV interview on May 25th 2018, the Information Commissioner, Elizabeth Denham, said “Today is not a deadline”. May 25th does not mark the end of work on the GDPR and enhanced data protection. Instead it is the start of a new era in communication and data.
So, exactly what should your board be doing about GDPR?
At a recent two-day 'GDPR Awareness' training course, run by Peter Borner, managing director of The GDPR Guys, we asked the delegates to consider how their company's marketing activities may need to change under the new regulation. With social media marketing on the increase, the GDPR will certainly create new challenges around meeting FCA standards for social media content. Firms that plan to engage in more social media marketing will need to know how to minimise the risks of non-compliance.
The responsible approach to Personal Data
Businesses that are subject to GDPR regulation would do well to foster a customer-focused culture in the workplace. Creating a culture of respect and care for Personal Data will improve the customer experience and help to protect the firm's reputation and brand.
But it is imperative that this culture starts at the top and permeates down through the ranks. This is why the board's direct involvement and participation is so vital. The attitudes and behaviours you want your management and staff to display are far more likely to be adopted when the board demonstrates them itself and the change becomes a cultural shift within the enterprise. If this is something your firm struggles with, the GDPR Guys can provide guidance on improving your corporate culture and help to steer your firm in the right direction.