Communicating GDPR within your business

In another guest blog from our friend and associate Paul Laughlin, we turn our attention towards the looming General Data Protection Regulation (GDPR) reforms of data protection rules. This blog is an extract from Paul’s full article on the subject.

Those of you who have read Paul’s other posts on GDPR will know that there are many impacts to consider. Avoiding a nasty surprise means thinking broader than just the “opt-in consent verses legitimate interest” debate.

How to summarise GDPR for your business

Talking with data leaders recently, it seems many have been set the challenge of educating their business on GDPR. The wording of GDPR also expects the accountability of Data Controllers to include the culture of the organisation. Akin to the FCA fines on firms not embedding Conduct Risk into their culture, I would expect to see the ICO also looking for such systemic evidence.

So, if you, as a leader, need to educate your business, I hope this post gives you some pointers on how to condense so much information, into a digestible and memorable presentation.

Why people should care

Firstly, it’s important to ensure that everyone understands what GDPR is and why it matters. From a history of how we got this regulation, to understanding the goals of the EU in creating it.

Given some negative press and scaremongering around GDPR, some people are surprised to discover we have been here before. Both our existing DPA and the Privacy & Electronic Communications Regulation (PECR), followed EU versions.

But, more important than the history, or explaining the contents of GDPR, the key point is impact. Why should businesses care?

The popular answer to that question is, of course, the scale of the potential fines. However, there are other considerations. Given Elizabeth Denham has been at pains to point out that fines will be proportionate, it’s worth thinking about other powers. Under GDPR, the ICO will also have the power to turn up at your premises, audit your data and even revoke your right to use personal data.

But given the growing visibility of ICO fines and the expected media focus on GDPR next year, also consider your reputation. Like the FCA, the ICO is showing signs of going for the ‘naming & shaming‘ way of proving they have ‘teeth‘. Failing to appropriately manage people’s data, could just be your biggest reputational risk.

So, in short, it really matters. To your brand and your bottom line.

Communicating GDPR: 7 principles & 13 concepts

Following establishing the importance of this topic, we need to ensure that we also capture its spirit. What I mean is the intention & themes of this legislation. If, as I advise, firms are to avoid a ‘tick box compliance‘ exercise – it’s important to understand the aim of these new rules.

To help with that we must consider the 7 overall principles of GDPR. These will replace the 8 principles of our current Data Protection Act (DPA). They include a list of 6 principles, plus one overarching new principle. Together these are very similar to the DPA principles; supporting the argument that GDPR is ‘evolution‘ not ‘revolution‘.

The principles are:

  1. Lawfulness, Fairness & Transparency (3 for the price of 1)
  2. Purpose limitation (only use data for the purpose it was given)
  3. Data minimization (only hold the data needed to do as promised)
  4. Accuracy (you have responsibility to keep data accurate)
  5. Storage limitation (don’t store data for longer than needed)
  6. Integrity & Confidentiality (ensure the security of data held)
  7. Accountability (the data controller is accountable for, and must demonstrate compliance with these 6 principles)

Number 7 is the overarching principle, the one that has added more teeth to GDPR, compared to the current DPA Act.

Almost every question I am asked, about specific situations, comes back to applying these principles.

But, in order to understand ‘what good looks like‘ and the evidence the ICO will expect to see, people also need to grasp 13 concepts. These are a purely subjective collection of aspects of GDPR rules that I find are important & relevant for businesses. Simplifying all the content you could cover down to, at most 13, concepts – helps people digest it all. They are:

  1. Personal Data (understanding the broader definition, as well as who is the data subject and the role of pseudonymisation).
  2. Consent (the “higher bar” of positive opt-in, with specific informed consent, evidenced by unambiguous action).
  3. Legitimate interests (the hope this gives for marketing existing customers, but the caveats that need to be considered).
  4. Right to object to profiling (a misleading name, when focus is really on automated decisioning with high-risk impacts).
  5. Right to object to marketing (including the importance of making clear and explicit how to opt-out whenever they wish).
  6. Right to be forgotten (covering both the responsibility to inform other controllers/processors & potential solutions).
  7. Right to data portability (discussing the examples already in utility sector and the model coming from Open Banking).
  8. Subject Access Requests (why businesses need to prepared for many more, now they are free & should only take 1 month).
  9. Privacy by Design & Data Protection Impact Assessments (what both expect & how to start changing project processes).
  10. Data Protection Officer (who needs one & their protected role, on behalf of both organisations & data subjects).
  11. Record Keeping & 3rd party Contracts (yes paperwork, not only does GDPR cover paper ‘data’ but also requires more records).
  12. Data Processor liability (no more of the buck sitting only with data controllers, both have responsibility & need due diligence).
  13. Data Breaches (your responsibility to mitigate risks & notify data subjects, within 72 hours, in plain language, for high-risk cases).

Other topics always arise, including the other bases for storing & using personal data. However, I find that talking your audience through these concepts prompts most relevant examples. This is especially true if you can represent each of the above with a photo, a memorable image.

When talking or training about this, I also see leaders pause for thought when I remind them we are not just talking about customers. We are talking about personal data held on any person. For instance, too few employers are thinking about the data they hold on their employees. Are you GDPR compliant in data held & your monitoring of staff/colleagues?

You may wish to consider Customer Attuned’s GDPR Readiness Assessment?

Paul Laughlin