I was recently checking an online dictionary for a definition of a “natural person” – a phrase used to describe those affected by the new data protection legislation due to come into force in May 2018 – when I also got a pop-up advert for a newspaper subscription offer.
My guess is that the advert for the newspaper was offered because I’ve subscribed to a daily briefing from the publication in question. When I signed up I went through the terms and conditions and ticked various boxes. In return, I get a number of free articles each month. What does the paper get? Well, data about me. Obviously.
How it uses that data is regulated by the agreement I ticked. I realised it meant being sent emails about offers, but did I also realise I would be fed targeted adverts elsewhere in my online life? Probably not. I’ve just looked at my profile page and nowhere is there an option covering that. I could be wrong, and the advert is merely a coincidence, or based on the fact I’ve looked at that paper online, but I doubt it.
From next Spring, the General Data Protection Regulation (GDPR) will make it unlawful for organisations to profile “natural persons” without their knowledge or consent.
The GDPR tightens up what companies and others can do with the information they have about you and me. It is, at heart, a European Union initiative, designed to provide uniform protection for individuals across the EU. It comes into force on May 25 next year. We’ll likely still be in the EU then, so we need to work on the basis that it will apply to the UK.
The rules differ slightly depending on who’s holding and processing the information, which is fair enough if you think about why it’s okay for the government to have a record of your National Insurance number, but not okay for your mobile phone provider to have it.
Here I’m looking at what the new regulations mean for companies and charities, particularly those who like to keep in touch with customers and supporters by email.
Where the GDPR really tightens up on the existing rules in the Data Protection Act is in ensuring people truly understand why their information is being held, and that there are robust records detailing their positive consent. It’s about being open and transparent with people, about what’s called “fair processing” information.
Now, if your databases – because that’s mostly what GDPR is about – have all been gathered and kept up to date in accordance with the rules as they will stand on May 25, 2018, all well and good.
If you’ve explained to each individual (by which I mean a “natural person”) whose data you have what legal basis you’re using to hold their information, how long you intend to hold that information, and how they can complain to the UK’s Information Commissioner’s Office if they think you are mishandling their data – and have records to back that all up – congratulations, you can probably relax and go make a cup of tea.
But you’ll have to wait a bit longer for a fresh brew if the data you hold wasn’t provided in a direct one-to-one exchange such as a newsletter sign-up form. If your databases have information gathered by tracking people’s online behaviour, or from a social media algorithm, or from some other database, then the Information Commissioner admits it may be “challenging” to be open and transparent as required by law. Tread carefully here.
Don’t panic. We all have a whole year to check our databases, make sure people are OK with the data we hold and why, and get our records up to date. Ring people, write to them, email them, letting them know what you’re doing with their data, and keep clear records of their consent.
Make sure that consent is positive, and not implied or assumed in any way. Make sure individuals can have access to details held about them, have the right to correct inaccuracies and have details erased, and can prevent direct marketing and profiling.
Make sure your privacy notices incorporate GDPR-compliant information, that if you are holding data about anyone under 13 you have parental consent, that you have procedures in place to make sure that databases are kept up to date – and that everyone in your organisation understands the new rules.
In the meantime, if you’re working on any new projects, give any new databases a healthy lifespan by setting them up to comply with the GDPR guidelines from the get-go.
We’re going to be setting aside time to double-check the data we hold on behalf of our clients so we’re ready for GDPR on May 25, 2018 – what we’ve dubbed Data Day.
Liked this blog? Why not read ‘One month to go until Data Day – Practical steps for compliance’ or ‘Email is still one of the best ways to communicate with your audiences’.
Want to read more on GDPR? Take a look at the Information Commissioner’s Office website or this article by the European Commission on the protection of personal data.