GDPR guidelines & considerations

The new General Data Protection Regulation came into effect on 25th May 2018

Last updated: 30th May 2018

Disclaimer first

These GDPR guidelines are for informational purposes only; they do not constitute, nor should they be relied upon as, legal or any other advice. The Privacy Notice ‘template’ offered for your use is my own creation, based on common sense and a lot of research; it has not been approved by an appropriate lawyer. I encourage you to work with legal or other professional counsel to determine precisely how the GDPR affects you and your business, and whether the Privacy Notice suits your business’s particular needs.

About GDPR

Effective from 25th May 2018, compliance with the new GDPR requires changes in the way consumer data is used and stored by businesses and other organisations.

With the goal of giving the power back to the consumer in terms of their private information and how it is managed, the new regulations focus on the consent protocols that companies need to implement for collecting personal data, and the ways in which companies deal with personal data once collected.

Where an organisation relies on consent in order to process personal data, it now needs to ensure that this consent is freely given, informed, specific, unambiguous and documented. Businesses will not be able to rely on implied consent (such as “unless you tell us otherwise we will assume that you are happy for us to …”).

This is privacy by default. For many businesses it has required organisational change and a different, far more transparent way of thinking about the personal data you hold on anyone, how secure it really is, and how it could be misused. As a consumer it’s all good news; as a business owner it requires a little work!

The Scope

Data protection applies to:

  • website visitors, customers, your emailing list, employees and suppliers, among others
  • “… the processing* of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” GDPR Art. 2 Material Scope.
  • The collection and storing of IP addresses and other online identifiers.

*Processing covers a wide range of activities, both manual and automated, and includes (but is not limited to) the collection, recording, organisation, structuring, storage, alteration, retrieval, use, disclosure/dissemination, erasure or destruction of personal data.

Examples of processing include access to a contacts database, sending promotional emails, posting/putting a photo of a person on a website, storing IP addresses, CCTV recordings, staff management & payroll administration, shredding documents containing personal data.

GDPR does not override other laws, e.g. the need to keep certain personal data for accounting purposes or tax compliance. In the UK the rule is 7 years; that does not change.

Useful Definitions

Personal data

Information relating to an identified or identifiable natural, living person, i.e. information which could, alone or together with other information, personally identify that person. A real name, business name, address, email address, IP address and photographs are examples of “personal data”. Even customer information stored by a reference number or code can be classed as personal data.

Determining what is personal data (ICO document, pdf download)

Special categories of personal data

Specific types of personal data that require additional protection, including data relating to racial / ethnic origin, trade union membership or physical / mental health or condition. Previously known as sensitive personal data.

Data subject

The individual to whom the personal data relates (including customers, employees, suppliers and individuals who are caught on CCTV cameras).

Data controller

An organisation that determines the way in which personal data is processed.

Data processor

An organisation that processes personal data, but only in accordance with the instructions of the data controller. This can include subcontractors and agents.

Data processing

Collecting, recording, storing, updating, sharing or any other operation performed upon personal data. If you use personal data in any way you will be “processing” it.

Electronic Processing includes using computers or any system that can process the information automatically, including CCTV systems, digital cameras, smartphones, credit card machines, call logging and recording systems, clocking machines and audio-visual capture and storage systems.

Article 6.1 of the GDPR defines the lawful grounds for data processing as follows:

  • With the consent of the data subject – consent is a biggie; the GDPR sets a very high standard which offers individuals real choice and control (details here)
  • Where it is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Where it is necessary for compliance with a legal obligation
  • Where it is necessary to protect the vital interests of a data subject or another person
  • Where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Where it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.) 

ICO Data Protection Fee

Organisations that determine the purpose for which personal data is processed (Data controllers) will need to pay the ICO a data protection fee. But there are exemptions, for instance if you are processing personal data only for one or more of the following:

  • Staff Administration
  • Advertising, marketing and PR
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

Annual fees range from £40 to £2,900; the former for a Tier 1 micro organisation (max turnover £632,000 or no more than 10 members of staff). There is a £5 discount for payment by Direct Debit. The fees fund the ICO’s work; any money they receive in fines is paid directly to the Government.

Please check the information contained within the ICO’s ‘The data protection fee: A guide for controllers’.

Clarification for Small Business Owners

Firstly, YES, it applies to you too, whether you are a sole trader or employ hundreds, run a business part-time, as a hobby, work from an office or run a mobile business, whether you keep information on a computer or on a piece of paper. If you collect and ‘process’ people’s personal data (such as names, telephone numbers and email addresses) then you need to comply with the new Regulations.

If you are new to the GDPR I would strongly recommend you visit the quick-reference infographic at http://ec.europa.eu/justice/smedataprotect which puts things in perspective.

Self Assessment

The ICO provides a self-assessment toolkit for small organisations, available at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/ – it may help clarify how the GDPR relates to you. 

Documenting your Processing Activities

The GDPR states “For small and medium-sized organisations (i.e. fewer than 250 employees), documentation requirements are limited to certain types of processing activities” and goes on to explain that you only need to document Processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of individuals; or
  • involve the processing of special categories of data or criminal conviction and offence data.

Further information on documenting your processing activities is available here

I have listed useful Resources below, including a must-watch video from Suzanne Dibble, an award winning business lawyer and data protection expert who sets out clearly what you really need to know and shows you the simple steps you need to take for compliance.

Your Website

As your Website designer & a 3rd Party Data processor I need to: 

  • Create a ‘plain English’ Privacy Notice – using information provided by you – that explains who you are, how you collect personal data through your website, why you need that data, what you plan to do with it, how long you’ll be keeping it and who on your team or externally has access to it; and
  • Where I host your website and email, explain how personal data is collected, stored and secured by this website and/or my server; and
  • Remove any automatic email marketing opt-ins, and ensure you get explicit and clear consent to collect personal data through any contact forms, marketing opt-ins or other interactive feature, at the point of collection. Similarly, give clear options to opt-out at any time; and
  • Provide website visitors with a Cookie Declaration and allow them to consent to (and change or withdraw consent to) cookies used on the website – as can be seen here; ***this will require you to set up a Cookiebot account (in the majority of cases it is free) and allow me access to it***; and
  • Advise users – based on information provided by you – how they can quickly and easily access their own data from you, or otherwise exercise their Rights regarding it; and
  • Inform you and (if necessary) the appropriate authorities within 72 hours of any data breach* that involves your website or my server, for instance if personal information is leaked as a result of a hack.

*You have a similar responsibility to inform, within 72 hours, should a data breach happen at your end – for instance, should personal data be passed to or come into the possession of an unauthorised data processor or controller, be passed to a non-GDPR-compliant country, or be passed to a third party without the knowledge of the data subject.

Every Vivid Websites client will require a Privacy Notice tailored to the client’s specific needs and processes; although I can suggest the wording for a Privacy Notice (similar to the one that I use and offer you as a ‘template’) it will need personalising with your organisational & systems information.

The Privacy Notice will cover what I believe is necessary for the purposes of your website, based on information you provide me; you should always consider having a lawyer or other qualified professional look at it and suggest any appropriate changes or additions.

Please note, I am responsible only for making the information available on your website; I am not responsible for any other aspect of the GDPR as it relates to your business, nor am I qualified to advise on any aspect of it.

Email marketing

Email marketing is likely to be a main consideration of Vivid clients. In terms of the GDPR it arises from the fact that over time companies will have collected personal data records without adequate consent to satisfy the new data protection requirements.

Permission based marketing is getting tougher to get right. The GDPR and ePrivacy reforms mean that marketers need to review any existing data and permission processes to make them easier to understand and easier to use.

Basically, you can send email marketing with consent, or where there is a customer relationship. This is the law now and it isn’t changing. Where email marketing is on the basis of that customer relationship it can be on an opt-out basis, but the marketing must be limited to goods and services relating to that customer relationship.

Most important is the quality of the data you hold on your database / mailing list so you will need to consider the following:

Your existing marketing databases

Silence, pre-ticked boxes or inactivity does not constitute consent.

The GDPR requires you to provide people with privacy information at the time you obtain personal data from them. If you collected customer data prior to 25 May 2018, you should ensure that they were provided with a privacy notice meeting the requirements of the Data Protection Act at the time. If they weren’t given this, you’ll need to provide them with the privacy information required under the GDPR. 

You may need to remove completely, or re-permission, customers whom you cannot demonstrate explicitly opted in to your customer database (e.g. if you use an automated system, or have manually and without explicit permission added records to your database or mailing list).

Even if those on your database are active and engaged prospects, and/or you have been emailing them on a regular basis with the option to opt out/unsubscribe and they haven’t – even then, if you are unable to prove that they explicitly opted in to your marketing emails, you really need to re-permission them.

You have no legal basis for storing the Personal Data of lapsed customers or inactive email subscribers without recent consent, customer engagement or email activity; their data should be deleted.

You have no legal basis to collect ‘extra’ information just in case you want to use it in the future. If you have more data than you need for your immediate purposes, it should be deleted.

If you are using 3rd party data, i.e. if you have never had a direct relationship with the people whose data you hold, then you will need to investigate the quality of that data, and the type of consent given for its use – and be prepared to delete those records. 

Or you may want to go the whole hog like Wetherspoon’s and just delete the lot!

Re-permissioning

  • The ICO’s GDPR consent guidance suggests that you are not required to automatically refresh (or re-permission) all existing consents sought under the current Data Protection Act. However, your existing consents need to meet the GDPR standard. To be fair, in the majority of cases it’s unlikely that they do.
  • I believe a risk management approach is best; if someone on your list were to complain to the ICO that you are emailing them without their consent how confident are you that you could prove them wrong? Do you have the time to deal with an investigation? 
  • If you do decide to re-permission you need to be careful how you go about it (try to make it a positive experience), and who the email is actually sent to – ensure you don’t breach any GDPR rules from the outset! 
  • Make sure you have detailed (and easily accessible) records of the consent being given. 

If in doubt, delete!

It’s better to delete a record you cannot prove consent for than be fined for holding on to it. Only keep the data that you really need – fewer records means less chance for trouble!

‘Your Data Matters’ launches 25th May

The general public are becoming increasingly aware of the GDPR through articles in the media (mainly the scaremongering type that lead with the massive fines!), but on 25th May, the same day that the GDPR comes into effect, the UK’s Supervisory Authority, the Information Commissioner’s Office (ICO), will be launching a ‘Your Data Matters’ awareness campaign that aims to build the public’s trust in businesses and the way they handle personal data.

If a customer, prospect, employee or anyone else should come to you with a Subject Access Request (SAR) you have 30 days to respond, so it would be a good idea to ensure you have done a Data Audit by then, to familiarise and remind yourself what personal data you hold.

Audit the Personal Data You Hold

I recommend that you prepare yourself for the GDPR and any Data Subject Access Requests with an audit of the personal data you hold; you may well find you can comply much more easily if you delete a lot of it. For my own audit I found this list to be useful:

Data You May have Collected Historically 

  • who do you hold data on?
  • what data has been collected? Is any of it sensitive?
  • what file types are used?
  • where is it stored – locally, on a web server, in the cloud? And how secure is it?
  • do any third parties handle the data? Which ones? Where in the world are they based?
  • has the data ever been transferred outside the EU at any time? (Non-EU transfer is permitted only if personal data has adequate safeguards; in the USA the relevant framework for data transfers is the Privacy Shield)
  • how long has the data been stored?

Where it might be hiding

  • on a blog’s comments section
  • within an eCommerce solution such as Shopify or WooCommerce
  • in files (documents, spreadsheets, databases, etc)
  • in storage accounts or on computer backup discs (Dropbox, Google Drive, Amazon S3, etc)
  • on an intranet or other private network
  • in a CRM system
  • on email marketing software (MailChimp and others)
  • on productivity apps (e.g. Zapier, Trello)
  • on Booking software (e.g. Eventbrite)
  • handwritten in a notepad, or a piece of paper in a filing cabinet

You will need to decide whether you really need this data, and whether it is stored securely enough; if you don’t use it, perhaps it’s time to destroy it?

Remember, you have no legal basis for storing the Personal Data of lapsed customers or inactive email subscribers without recent consent, customer engagement or email activity.

Penalties for non-compliance

As has been widely reported, organisations could be fined up to 4% of annual global turnover or a maximum of €20 million, whichever is the greater, for the most serious infringements. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a data breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.

Essentially, if you don’t follow the basic principles for processing data, such as consent, if you ignore individuals’ rights over their data, or if you transfer data to another country, you could incur significant financial penalties. However, the ICO does not plan on wielding its heavy hammer when it comes to most businesses; it would rather work with you to help you comply than put you out of business.

Nevertheless, however low the risk of a €20 million fine, the increased sanctions reflect the seriousness of compliance and it’s important that you can demonstrate that you are working towards that goal.

Resources

GDPR will be an important transition for you to one extent or another. The most relevant source of information in the UK is the Information Commissioner’s Office (ICO), the body responsible for overseeing GDPR implementation:

GDPR for online entrepreneurs – busting the myths, the sensible approach

Below is a 2-hour video replay of a recent GDPR Webinar from Suzanne Dibble, multi-award winning business lawyer & data protection expert. I really recommend you find the time to watch it. You may want to fast forward to 06:00 where the actual content starts.

  • If you are interested in Suzanne’s GDPR Compliance Pack (£197 incl VAT) it is available here
  • Suzanne runs a very useful Facebook Group with a lot more (shorter) videos covering many aspects of the GDPR in more detail: GDPR for Online Entrepreneurs

Disclaimer Reminder

These GDPR guidelines are for informational purposes only; they do not constitute, nor should they be relied upon as, legal or any other advice. The Privacy Notice ‘template’ offered for your use is my own creation, based on common sense and a lot of research; it has not been approved by an appropriate lawyer. I encourage you to work with legal or other professional counsel to determine precisely how the GDPR affects you and your business, and whether the Privacy Notice suits your business’s particular needs.


Sarah Austin
T: 01202 251168
M: 07798 862205
E: sarah@vividwebsites.co.uk


Vivid Websites
43 Ashton Road
Bournemouth BH9 2TP