GDPR principles and your web site

Posted: 17th April 2018 | Filed under: Business, GDPR, Misc/Other, Press Articles, Technical
Author: Paul Ockenden
First Appeared in PC Pro 2018

There’s a large amount of scaremongering about GDPR doing the rounds, especially by companies trying to sell expensive compliance ‘solutions’

Do you know what GDPR is? I’m pretty sure that many visitors to the CST website will at least have a vague idea. But I’m also pretty sure that if I asked a hundred of you exactly what GDPR entails I’d end up with a hundred different answers. I’d see responses such as “companies will have to ensure data is held securely”, “firms can’t automatically opt you in to receiving marketing emails, or use pre-ticked boxes on contact forms”, “there will be bigger fines for companies when data breaches happen”. All of these are true, but there’s much more to GDPR than these things, as we’ll see. But first please accept our apologies that this is a much longer journal entry than usual, with lots of text. It needs to be, because this is an important subject. Don’t despair, we’ve tried our best to keep the text light-hearted and easy to understand.

As you look around the Internet you'll find there’s also a large amount of crap and scaremongering about GDPR doing the rounds, especially by companies trying to sell you their expensive compliance ‘solutions’. We recently saw a claim that after GDPR all email attachments would, by law, need to be encrypted so that they couldn’t be read by someone doing a man-in-the-middle interception. Naturally, it was said by someone representing a firm selling email encryption software. It’s nonsense of course, and all email attachments won’t, by law, need to be encrypted. That’s complete and utter tosh. If I email you a photo of my cat why on earth should I have to encrypt it?

For those who’ve been living under a stone for the past couple of years, GDPR stands for General Data Protection Regulation (no s, even though it’s often printed as such). It comes from the EU, and despite Brexit we’ll need to start abiding by the rules on 25th May 2018 (you may be reading this after that date). They are being formally adopted into UK law via the Data Protection Bill, which is a much bigger thing than just GDPR. It will result in a new Data Protection Act, replacing the existing 1998 act, which is seen as no longer being fit for purpose.

But the backbone of the new bill will be GDPR so let’s look at what this is and what it isn’t. The best way to tackle it is by considering in turn each one of the six key principles that it enshrines into law.

1 - Lawfulness, fairness and transparency

The first principle is actually split into three parts, lawfulness, fairness and transparency. Lawfulness is one of those horrible terms that often isn’t properly defined, but in this particular instance it’s relatively nailed down, and means that any processing of personal data can only happen for one of six reasons: Consent; Contract; Legal obligation; Vital interests; Public task; or Legitimate interest. The first three are pretty obvious, and don’t need explaining. Vital interest means that the processing is needed in order to protect someone’s life – perhaps the transfer of their medical records to a hospital following an emergency admission. Public tasks are those where the data processing is needed for judicial purposes, or for exercising statutory, governmental, or other public functions – it’s the ‘Powers that be’ opt-out, and one which many people think hands the authorities too many sweeping powers. Finally, there’s what’s called legitimate interest, and that’s potentially the most woolly of the six lawful basis tests. It is, for example, the one that’ll be used by most direct marketers, because GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ Essentially, to pass the legitimate interest test you have to think about what that interest is (it can either be your own interest, or the interest of the person whose data this is), show that your data processing is needed to achieve this interest, and, most importantly, balance all of this against the person’s interests, rights and freedoms.

Best practice when using the Legitimate Interests test is to include full details in any privacy notices, and also to record details of any legitimate interest assessments so that you can show them if called on to demonstrate compliance. But consent will always be a better option, as we’ll see when we look at the third principle.

Fairness is again something of a woolly word, but in terms of GDPR it essentially means that you can only process someone’s data in the way that you’ve told them you’ll be doing it. You can’t, for example, collect personal data for one task and then use it for something completely different. And that leads us neatly on to the last part of the first principle, transparency. Lawfulness and fairness were both part of the existing Data Protection Act, but transparency is a new one. It means that you have to clearly tell the person how their data is going to be processed, and – importantly – why. On a website this would normally be via a privacy notice but GDPR insists that this is done in clear and concise language and definitely without the use of any lawyer-speak!

2 - Purpose limitations

There’s a bit of common ground between this principle and the lawfulness and fairness test that I just described. In a nutshell the purpose limitation principle specifies that personal data collected for one purpose should not be used for any new, incompatible, purpose. There’s a bit of a caveat to that, though, as GDPR also allows for three future forms of processing of personal data: for archiving purposes in the public interest; for scientific and historical research purposes; or for statistical purposes. This is subject to safeguards implemented on a country by country basis, and is only allowed when there is no risk of breaching anybody’s privacy. What many people seem to miss, though, because it’s buried deep in the text is that this also allows countries to restrict someone’s right to access, correct, restrict and most importantly their right to object when it comes to the processing of their personal data for these scientific, historical or statistical purposes. People tend to think that GDPR is always on the side of the little guy, but in this particular area the lack of a legal opt-out flies in the face of conventional wisdom.

The best way to ensure that you’re using someone’s data properly is for them to give you their consent. This usually means having them read and agree to your policies (remember, simple and concise, no legal jargon) before they provide you with their data. You can then store the fact that the person gave their consent to have their data stored and processed. I always advise that you store the way in which they consented (e.g. which online or paper form) and also the date and time that it was given. As with many business regulations, being able to demonstrate that you’re doing the right thing is just as important as actually doing it.

3 - Data minimisation

I’m sure we’ve all filled in forms where an organisation seems to ask far too many questions, many of which aren’t appropriate to your enquiry. Even before GDPR that wasn’t supposed to happen, as the existing Data Protection Act limited data that’s collected (and, importantly, stored) by saying that it shouldn’t be excessive in relation to the purpose for which it’s being processed. GDPR tightens this up even further by saying that you can only process data which is necessary.

Given this, it’s really important that you minimise the amount of data that you collect and store. And reduce the number of compulsory fields on forms to a bare minimum. It’s a good thing, though. There are huge advantages to this ‘less is more’ approach – it actually improves overall data quality! Smaller forms significantly reduce the drop-off rate, particularly for things like online surveys. Also, data usually needs to be saved somewhere, so if you halve the number of questions you’re asking you’ll also halve your storage costs!

Do bear in mind that data minimisation also applies to processing, not just acquisition and storage. So you shouldn’t, for example, run a report which compares the ethnic backgrounds of your customers unless there’s some genuine purpose for doing this. There continues to be a degree of argument, however, on whether ‘data fishing’ exercises (running various semi-random stats analysis until a potential correlation is spotted) are a valid purpose. On the one hand it goes against much of what’s at the core of this principle (and indeed some of the others). But on the other hand, it’s often a valuable business tool. I once had a client which was a major football sponsor in the UK, but when we ran some of these data fishing stats (using Target Group Index, or TGI) we discovered that their customers were more likely to be anglers than footie supporters, so their budget wasn’t being used efficiently. And yes, the irony of a fishing expedition discovering fishing wasn’t lost on anyone!

4 - Accuracy

Data accuracy is always good sense, so this principle shouldn’t be seen as particularly onerous. GDPR states that personal data needs to be accurate and, where necessary, kept up to date. Also, that every reasonable step should be taken to ensure that any inaccurate personal data is either erased or rectified without delay.

What’s important here is that you need to be able to demonstrate that you have procedures or systems in place to amend or delete any outdated personal data.

Of course, unless you are notified then you probably won’t know whether the data that you hold is accurate or not. That’s why a data retention period is important, and it’s something that we’ll come on to with the 5th principle.

Although the regulation states that you should erase or rectify any inaccurate data, there is actually a third option, and that is to anonymise any data which you believe to be suspect, or which is past its use-by date. That way you’re still able to perform top level statistical analysis on the data (e.g. how many people drive a particular make of car), you just won’t be able to tie it down to individuals.

Do be careful here though, as “make of car” or even “model of car” probably isn’t enough to identify a person, but if you start to include things like mileage, year or colour then, with lesser-selling cars, you might end up with a unique set of data, and so it can be pinned on an individual. So try to keep the anonymisation as broad-brush as possible.
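To make the “unique set of data” risk concrete, here is an added example (not code from the article or from CST) that strips the direct identifier from a small set of constructed car records, measures how many records share each remaining combination of values (a combination shared by only one record singles that person out), and then applies the broad-brush generalisation the paragraph recommends by bucketing year and mileage into bands. The records, the five-year and 50,000-mile band widths, and the function names are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample records, not real customer data. "name" is the direct
# identifier; the car fields are what we would like to keep for analysis.
RECORDS = [
    {"name": "A", "make": "Ford", "model": "Fiesta", "year": 2016, "colour": "blue",  "mileage": 41000},
    {"name": "B", "make": "Ford", "model": "Fiesta", "year": 2016, "colour": "red",   "mileage": 38000},
    {"name": "C", "make": "Ford", "model": "Fiesta", "year": 2018, "colour": "blue",  "mileage": 22000},
    {"name": "D", "make": "Ford", "model": "Focus",  "year": 2017, "colour": "grey",  "mileage": 50000},
    {"name": "E", "make": "Ford", "model": "Focus",  "year": 2017, "colour": "grey",  "mileage": 52000},
    {"name": "F", "make": "VW",   "model": "Golf",   "year": 2019, "colour": "white", "mileage": 15000},
    {"name": "G", "make": "VW",   "model": "Golf",   "year": 2019, "colour": "white", "mileage": 18000},
    {"name": "H", "make": "VW",   "model": "Golf",   "year": 2015, "colour": "black", "mileage": 45000},
]


def project(records, fields):
    """Keep only the listed fields; the name (direct identifier) is dropped."""
    return [{f: r[f] for f in fields} for r in records]


def group_sizes(records):
    """Count how many records share each exact combination of kept values."""
    return Counter(tuple(sorted(r.items())) for r in records)


def k_anonymity(records):
    """Smallest group size: 1 means at least one combination is unique."""
    return min(group_sizes(records).values())


def singled_out(records):
    """The combinations of values that belong to exactly one record."""
    return [dict(combo) for combo, n in group_sizes(records).items() if n == 1]


def generalise(record, year_band=5, mileage_band=50000):
    """Broad-brush the fine-grained attributes by bucketing them into bands
    (assumed band widths; colour is simply left out of the projection)."""
    g = dict(record)
    if "year" in g:
        start = g["year"] - g["year"] % year_band
        g["year"] = f"{start}-{start + year_band - 1}"
    if "mileage" in g:
        start = g["mileage"] - g["mileage"] % mileage_band
        g["mileage"] = f"{start}-{start + mileage_band - 1}"
    return g


if __name__ == "__main__":
    broad = project(RECORDS, ("make", "model"))
    print("make+model: smallest group", k_anonymity(broad))
    detailed = project(RECORDS, ("make", "model", "year", "colour"))
    print("adding year+colour singles out", len(singled_out(detailed)), "people")
    banded = [generalise(r) for r in project(RECORDS, ("make", "model", "year", "mileage"))]
    print("banded year+mileage: smallest group", k_anonymity(banded))
```

Run against the sample data, make and model alone never single anyone out, adding year and colour leaves four people with a unique combination, and adding exact mileage makes every record unique; bucketing year and mileage into bands brings the smallest group back up to two. The same check is worth running on any anonymised extract before it leaves the system that holds the identifiable copy.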

5 - Storage limitation

There’s a fair bit to think about here, and it’s an ongoing thing rather than just a one-off task. You need to consider how long you’ll need to retain personal data for (and because of the 4th principle’s concern for accuracy, the time period obviously can’t be for ever). You’ll need to review all of the data that you hold on a regular basis, and delete anything that isn’t necessary.

There’s no minimum data retention period actually specified in the regulation, so you’ll need to make a call on this yourself. One-off data (perhaps people attending an event, or buying a train ticket) should only be held for a short period, whereas if there’s an ongoing customer relationship then it makes sense to hold the data for longer.

There’s obviously a balance to be made here when it comes to e-commerce. Experience has shown that ‘guest checkout’ facilities will massively increase the trade done by an online retailer. But if the data has to be thrown away fairly quickly then it reduces the opportunity for further promotional activity.

The regulation actually requires companies to create a data retention policy that explains what types of data will be deleted and the criteria for removal – if you have a website you should include this policy (or a link to it) in the privacy notice.

Customer interaction is an important part of deciding when to remove personal data. Let’s imagine two online retailers, one selling coffee beans, the other selling shoes. Coffee is likely to be a regular purchase, with orders placed every month or two. But shoes, unless you have Imelda Marcos tendencies, are probably only bought once or twice a year. With the coffee vendor you should probably delete customer data if they don’t return within a couple of years, but the shoe seller would be wise to wait a little longer.

Also, remember the tip that I gave you in principle four – you don’t always have to delete data, you can often just anonymise it, allowing you to run high level analysis.
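The coffee-versus-shoes reasoning above, together with the fourth principle’s “delete or anonymise” tip and the second principle’s advice to record how and when consent was given, can be turned into a routine sweep. The following is an added example written for this page, not code from the article or from CST: it holds a per-retailer retention rule, decides for each constructed customer record whether to keep, anonymise or delete it as of a given date, and writes an audit log so the decision can be demonstrated later. The two-year, three-year and 90-day periods are illustrative assumptions, not figures from the regulation, which sets no period.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Customer:
    customer_id: str
    email: str            # direct identifier, removed on anonymisation
    shop: str             # which retailer the record belongs to
    last_order: date      # most recent interaction, drives the retention clock
    consent_method: str   # how consent was captured (assumed form names)
    consent_at: date      # when it was captured
    orders: int           # kept in anonymised form for high-level stats


# Retention policy: assumed periods chosen to illustrate the article's point
# that a shoe seller should wait longer than a coffee vendor.
RETENTION = {
    "coffee": {"retain_for": timedelta(days=730), "expired": "anonymise"},
    "shoes":  {"retain_for": timedelta(days=1095), "expired": "anonymise"},
    "event":  {"retain_for": timedelta(days=90),  "expired": "delete"},
}

# Constructed sample data, not real customers.
CUSTOMERS = [
    Customer("coffee-1", "a@example.com", "coffee", date(2017, 1, 10), "web checkout form v3", date(2017, 1, 10), 14),
    Customer("coffee-2", "b@example.com", "coffee", date(2016, 1, 10), "web checkout form v2", date(2016, 1, 10), 3),
    Customer("shoes-1",  "c@example.com", "shoes",  date(2016, 1, 10), "web checkout form v2", date(2016, 1, 10), 2),
    Customer("shoes-2",  "d@example.com", "shoes",  date(2014, 6, 1),  "paper order form",     date(2014, 6, 1),  1),
    Customer("event-1",  "e@example.com", "event",  date(2018, 1, 5),  "ticket booking form",  date(2018, 1, 5),  1),
    Customer("event-2",  "f@example.com", "event",  date(2018, 4, 1),  "ticket booking form",  date(2018, 4, 1),  1),
]


def retention_action(customer, today, policy=RETENTION):
    """'keep' while inside the retention period, else the policy's expiry action."""
    rule = policy[customer.shop]
    if today - customer.last_order <= rule["retain_for"]:
        return "keep"
    return rule["expired"]


def anonymise(customer):
    """Keep only what is useful for top-level statistics; nothing that
    identifies the person, and no consent details (they belong to the person)."""
    return {"shop": customer.shop, "orders": customer.orders,
            "last_order_year": customer.last_order.year}


def sweep(customers, today, policy=RETENTION):
    """Apply the policy and return (kept, anonymised, audit_log)."""
    kept, anonymised, log = [], [], []
    for c in customers:
        action = retention_action(c, today, policy)
        # The log records the decision, not the personal data itself.
        log.append({"customer_id": c.customer_id, "action": action, "on": today.isoformat()})
        if action == "keep":
            kept.append(c)
        elif action == "anonymise":
            anonymised.append(anonymise(c))
        # "delete": the record is simply not carried forward
    return kept, anonymised, log


if __name__ == "__main__":
    kept, anonymised, log = sweep(CUSTOMERS, date(2018, 5, 25))
    for entry in log:
        print(entry)
```

Note that coffee-2 and shoes-1 share the same last-order date but get different outcomes, because the retention clock is per relationship, not a single company-wide number. The log entries are what you would show on request; they contain the decision and the date, not the data that was removed.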

6 - Integrity and confidentiality

This last principle is the one that often makes the headlines when companies are faced with large fines and bad publicity over sloppy data security. This sixth principle requires data processors to handle data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

But notice the word ‘appropriate’ buried in there. What constitutes appropriate security? It’s all down to the nature of the data. You’re going to get into much deeper water if you leak things such as sexual health information or details about a person’s criminal convictions as opposed to divulging what type of car they drive or where they do their weekly shop. Don’t get me wrong – the latter things still need protecting, but the word ‘appropriate’ introduces a scale.

The size of your company and your cybersecurity budget won’t be seen as a defence here – if you’re handling very sensitive data then a one-man-band company needs to take just as much care of it as a big PLC would.

Also, integrity and confidentiality go way beyond cybersecurity. It’s not just about keeping the hackers out – it also covers things like accidental loss of data, or unauthorised use. So you need both policies and systems which ensure that only authorised staff have access to personal data, and you should also be able to demonstrate that you review these on a regular basis.

Of all of the GDPR principles this is the one that’s most worrying for many companies as the fines for any breach are up to EUR 20,000,000, or 4% of your turnover. Ouch!

As I mentioned at the start of the article, GDPR is a big and complex subject, and one that can easily make your head spin. But if you take these six principles that form the backbone of the regulation as a starting point, and really try to understand what they are trying to achieve, then you’ll be most of the way there.

If you'd like more help and advice from an agency that really understands GDPR, and its practical implications, then please contact us.

One final note of caution is to beware of training courses appearing to offer some kind of official GDPR certification. In the UK only the Information Commissioner’s Office (ICO) can create the necessary certifying bodies, and at the time of writing they haven’t done so. So none of these so-called certified qualifications have any official standing. Don’t get me wrong – there is good training out there – it just doesn’t pretend to be something that it isn’t.

This article is protected by copyright. Copying our work without permission is illegal.