While the UK may be beginning the process of disentangling itself from aspects of EU law, the Information Commissioner’s Office (ICO) has made it clear that if we are to trade with the Single Market on equal terms, the UK will require data protection standards equivalent to the EU’s GDPR framework.
Although GDPR has many similarities to the Data Processing Act it will supersede, the new regulations and go significantly further. Companies must build data protection into their system design and infrastructure or risk penalties much higher than is currently the case.
The Strategic Mailing Partnership (SMP), the largest group of mail and print suppliers and service providers in the country, recently conducted research among its members which found that the vast majority feel unprepared for the forthcoming changes. Its study, published on 31 May 2107, indicated that although nearly two thirds of respondents know they will be jointly legally liable, 96% admit to not feeling fully prepared.
All of the respondents believe GDPR will have an impact on the sector, with a third anticipating that impact will be significant and 91% taking the view that implementation will have a direct financial impact on their business. While one in five expect that impact to be significant.
DMA PR and content manager Ed Owen says: “After the UK leaves the EU we will need to demonstrate equivalency. If our data protection rules are considered not strong enough we will be prevented from sharing data with EU countries.
“At the moment, we’re adopting the GDPR in full. It’s possible that this might change but we simply don’t know yet. If this does change we will need equivalent legislation to the GDPR but what this might be is unknown at the moment.”
Romax operations and technology director Wesley Dowding adds: “It is important to note that GDPR comes into effect on 25 May 2018 and the current date for leaving the EU is 29 March 2019. Therefore, GDPR will still become law until at least the exit date.”
As the regulation will be copied into local law it will not be watered down. That said, there will be some local differences. Opt-4 director Rosemary Smith points to “50-plus areas in the text” which allow for local law to prevail, for example concerning the definition of a child and whether or not organisations must appoint a data protection officer.
Some printers may find the cost of compliance difficult if they are operating systems that have not been designed with security inbuilt. This lack of data security experience may mean they become an easy target for liability, says Colin Tankard, managing director at data security specialists Digital Pathways.
However, there is a potential upside for those businesses that are on top of the changes. Tankard thinks there may be an opportunity for some to be ahead of the market with compliance and take business from other printers, i.e. by marketing themselves as ‘GDPR ready’.
However, Tankard warns that no one should take readiness for granted. “Some printers have had to go through the PCI [Payment Card Industry Data Security Standard] compliance approvals and so they probably will think they tick the GDPR box,” he says. “But this is a big mistake and they should be cautious. We have seen some other businesses fail a GDPR audit even though they are a Level 1 merchant in PCI.”
Printers handling personal data will start to see GDPR compliance requirements as a procurement hurdle. Consequently, it is an issue that cannot be ignored.
GDPR puts greater emphasis on transparency about processing and accountability for data controllers and processors. As Opt-4’s Smith makes clear, the proposed scale of the penalties for falling foul of the regulations are frightening. “The accountability principle means both controllers and processors, including printers, are on the hook for potentially massive fines: up to €20m (£18m) or 4% of global turnover.”
Tough new requirements for consent mean opt-in will prevail. However postal communications may be possible under a ‘legitimate interests’ clause. This is conditional on the individual being told what processing will be taking place and offered the chance to object.
Some industry figures, including Marc Michaels, director of strategy and insight at Paragon Customer Communications, take the view that this legitimate interest element may even drive an increase in direct mail and that door drops may also rise as the new regulations curtail the availability of third-party lists.
Consent is a key issue to consider, adds Michaels. Existing consumer consent may not be sufficient for GDPR, so organisations need to review it. Not only must consent be freely given but it should be specific and relate to an unambiguous purpose.
It is also important to note that consent is not permanent. “The shelf life of consent is shortening,” says Michaels. “Guidance from the ICO is two years but it could be less, or it could be more depending on what industry you are in. Guidance from the DMA and some research we did suggested that consumers want about six months. Some of them even wanted it every time you contact them. This means you need a central view of all your data exchange.”
Profiling will be restricted, although there is currently a lack of clarity in this area. And there are new rights for individuals, such as the right to erasure and right of portability – namely the right of consumers to access their data and take it elsewhere. Overall, GDPR is a much more iterative, ongoing process than under the old DPA rules.
What then must printers do to ensure compliance? As processors that store personal data, printers will have the same liability as controllers. This needs to be addressed in contracts and other business agreements.
“They will need well-defined contracts with data controllers and subcontractors outlining each party’s GDPR stance,” says Tankard. “If the printer is a smaller company than the data owner then a statement of compliance is sufficient. But if it is the other way around then the printer might need to conduct their own audit of GDPR compliance on the data owner. Internal systems will need to be able to track data through the company and clearly separate the duties so only the correct people can see the content. Part of the tracking will be audit and log management.”
GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. Breach notification needs to occur within 72 hours. With this in mind, organisations must have some form of network monitoring in place to detect any changes which might indicate a breach. Waiting for the systems to go down will not be seen as adequate notice, says Tankard.
Although GDPR is all about personal information, the only way to really comply with it is to use technology to mark/tag data. Above all other technology, the data must be encrypted to protect personal information in the event of a security breach. Printers should also be aware that GDPR applies to “structured” data on paper as well, so may need to review physical as well as cyber security.
“Remember,” adds Tankard, “it is not only about third-party data held. Most companies have their own personal data stores such as CVs, HR records, visitor books. All this must be considered with a GDPR review.”
The print industry needs to take IT and data requirements seriously. As well as investing in hardware and software it is crucial to understand what is required of your own business and of your clients. The subject should be addressed with clients to make sure everyone is on board.
“There is a real possibility that this could improve the use of print and take back volumes from the digital sector,” says Romax’s Dowding. “However, we would be cautious as to exactly how much impact, mainly due to the amount of time the digital industry has had to enact changes to their systems so they comply to the new regulations.”
With less than a year to go, companies need to be on top of the impending changes. Those who have done little so far and have limited expertise in-house may need to seek external advice from specialists in the field. The sooner the better.
“Record keeping is massive,” says Michaels. “One of the big differences between the DPA and the GDPR is literally the amount of recording of evidence and decisions: the steps you have taken toward data minimisation and recording of all your data journeys, data protection impact assessments. You need to have all that sort of stuff properly documented for audit purposes, to provide evidence for the accountability principle. Getting going on that can be pretty onerous, to be honest.”
GDPR and how it compares with DPA
Awareness & preparation
Make sure decision-makers and key people in your organisation are aware that the law is changing to GDPR.
Identify areas that could cause compliance problems under GDPR.
Start by looking at your organisation’s risk register, if you have one.
Be clear on the lawful basis for your processing activity in GDPR, document it and update your privacy notice to explain it.
The larger and more complex the organisation, the harder achieving compliance will be. Do not leave your preparations to the last minute.
Information you hold
Document what personal information you hold, where it came from and who you share it with. You may need to organise an information audit across the company or within particular business areas.
GDPR requires you to maintain records of your processing activities and updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with.
Taking steps to document this data will also help you to comply with GDPR’s accountability principle. This requires organisations to be able to show how they comply with the data protection principles by having effective policies and procedures in place.
For the first time, GDPR will bring in special protection for children’s personal data.
Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
At present, when you collect personal data you must give those individuals concerned certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data.
GDPR requires information to be provided in concise, easy to understand language.
On the whole, the rights individuals will enjoy under GDPR are the same as those under the Data Protection Act (DPA) but with some significant enhancements
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
GDPR includes the following rights for individuals: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making including profiling.
The right to data portability is new. It only applies: to personal data an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is automated.
Consider whether you need to revise your procedures. You will need to provide the personal data in a structured, commonly used and machine-readable form and provide the information free of charge.
Subject access requests
In most cases you will not be able to charge for complying with a request.
You will have a month to comply, rather than the current 40 days.
You can refuse or charge for requests that are manifestly unfounded or excessive. But if you refuse a request, you must tell the individual why.
Review how you seek, record and manage consent and whether you need to make any changes.
Refresh existing consents now if they don’t meet the GDPR standard.
Read the detailed guidance the ICO has published on consent and use its consent checklist.
Consent must be freely given, specific, informed and unambiguous.
There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
Data protection & breaches
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
Consider whether you are required to formally designate a data protection officer (DPO).
Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals.
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.
Put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred. Larger organisations will need to develop policies and procedures for managing data breaches. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.