Part of the delight of working for an agency is the variety of work. But I never expected to be tasked with learning about new international legislation, how it could impact our business and forming the basis of a framework for implementing it, both for Good and our clients.
I am, of course, talking about GDPR. It seems to have been everywhere in the past few months with most articles leading with the scare stories - failure to comply will see fines of €20 million or 4% of global turnover, whichever is higher! But we see GDPR as positive legislation. Currently, we don’t really know who is holding what information about us. And we don’t know where that information is or how that information is shared.
GDPR will be good. It’s designed to protect our rights. It’s going to ensure companies do more to protect our Personal Data and make them accountable. And it’s going to make it easier for us to know what Personal Data a company holds about us and - if we want - have it deleted.
So what is GDPR? The General Data Protection Regulations is European legislation focussed on user privacy. It becomes law on the 25th May 2018 and is being described as the biggest data protection shakeup in two decades.
And how do we ensure that we’re in full compliance come 25 May? Well, the approach we’re taking is straightforward and based on the advice from the Information Commissioner's Office (ICO).
Know what Personal Data we collect
We’re undergoing a thorough audit of all Personal Data we collect. Some places to start include data which is actively collected;
- Contact forms on your website
- Newsletter signups
- CRM systems like SalesForce
As well as information which is passively collected such as;
- Information for Analytics packages
- Shopping carts and related data
Know where we keep the Personal Data and who has access
The Personal Data we collect lives somewhere. It could be an online database. It could be an email server or it could be printed and stored in a filing cabinet. Some of the questions we'll be asking;
- Where are your online databases hosted? Does that host have GDRP compliance?
- Are your online databases are backed up? Where are the backups held?
In addition, we need to identify who potentially has access to the data at each stage and how it’s secured;
- Is that filing cabinet locked?
- Are the backup servers IP or password restricted?
- Is the Personal Data it encrypted?
This is also the time that we double-check that the server environment has all security patches installed and any platform tools are up to date.
Know why we have the Personal Data
The GDPR expects us to have a lawful basis for collecting and processing data. Again, we examine each piece of data we collect and process and using the ICO guidelines identify the lawful basis and document it. In the unlikely event that we identify a piece of Personal Data which is collected or processed that doesn’t fall into those guidelines, we would remove the collection point for it.
Data Privacy Impact Assessment
Once we’ve got that information we need to make sure that we have it thoroughly documented. We’ll put everything in a Data Privacy Impact Assessment (PIA) document to ensure that in the event of any enquiry from a user, client or even the ICO, we can quickly respond with accurate information.
Like many agencies (and companies), we send occasional email newsletters letting people know what we’ve been up to. We’re confident that we’ve got consent to send emails to everyone on our mailing list, but we’re not relying purely on our confidence. After all, people change their minds over time.
So we’re implementing a Permission Passing Campaign which means we’re going to ask everyone on our mailing list to opt-in to receive any further emails from us. Not only will this ensure we’ve got specific consent to send to those who opt-in, but it also cleanses the list of any email addresses which no longer monitored.
To ensure we continue to have guaranteed consent we’ll switch our website newsletter signup to a two-stage confirmation system to ensure that users are electing to hear from us.
Working with third parties and suppliers
As a multi-discipline agency, we do much of our own development. But sometimes we use third party tools for efficiency, security or budget reasons. So we need to apply our own process to them. We need to identify
- What Personal Data is collected and processed
- Where is it’s stored?
- Who has access?
Many third parties are already providing their own GDPR compliance documents which we’re collecting and adding to our repository of documents.
Updating internal procedures
To ensure that we will fully comply with all areas of GDPR we’re updating some of our internal procedures:
- From the end of May, we’ll have a procedure in place which will allow us to quickly identify all Personal Data we hold about an individual and be able to supply them with a copy of it in a timely manner with no charge.
- We will also have procedures in place allowing users to request their data be erased and where it’s legal. This isn’t always possible - for instance payment and tax information has to be held for six years, but where it is possible, it will happen within the month.
- In addition to the many procedures we have in place for monitoring the security and integrity of the Personal Data we hold, we will implement a new procedure for notifying the ICO in the event of any breach. This is obviously a procedure we hope to never need, but unfortunately in life, the unexpected and unwelcome can happen. Despite best intentions and security, there can be break-ins, phones or laptops can be stolen and servers can be compromised. Should this happen we’ll know what Personal Data is threatened and be able to inform the authorities within 72 hours.
Updating privacy documents
All of the changes we’re making won’t mean much if we don’t properly communicate them to our clients and users. We’ll ensure that our privacy documents - on our website, in our emails and in our contracts - reflect our new ways of working. The documents will be written in concise, easy to understand and clear language.
Privacy by design
This phrase is getting a lot of attention at the moment. Essentially it comes down to ensuring that privacy and data protection are considered at the start of everything we do and not bolted on at the end as an afterthought. It’s something that we agree with and will be the policy throughout the studio.
GDPR doesn’t have to be scary. I’ve seen articles designed to sell the services of lawyers and consultants which are designed to terrify companies. That’s not how we want to behave. We're helping our clients meet their GDPR obligations.
Don’t be scared by GDPR. Don’t be frightened by articles that threaten the existence of your company if you make a mistake. This is new for everyone. The ICO doesn’t want to punish or fine you. They’re not going looking for companies to attack. Especially companies who are trying to comply. As long as you’re aware and begin to take steps now, by the time the legislation is enacted you should be in a good place.