You may have heard about ‘GDPR’ and its importance, so TJS has teamed up with IT & Security Consultant, Kyle Heath, to bring you a simple 7-day plan on how GDPR might affect your business and what you need to do to minimise risk. We take a look at what GDPR is, what it covers, and the seven steps you can take to ensure compliance.
Along with Kyle, an IT professional who can provide GDPR advice and consultancy from a data/IT/security perspective, we have also partnered with Chatterton’s Solicitors, who can provide guidance from a legal standpoint with regards to GDPR. If you would like to be introduced to Kyle or Chatterton’s, please get in touch.
Introduction to GDPR
Simply put, the GDPR or General Data Protection Regulation is a UK law that controls how businesses and organisations look after individuals’ data. It will take effect on May 28th 2018, and it will affect your business.
There has been a lot of hype surrounding the GDPR. You may have seen news stories of massive fines for non-compliance and that everything will change on the 29th May. Below are some of the most common myths about GDPR.
All of the above myths are unfounded. The regulation is being introduced to make sure every business collects personal information for the right reasons and that each individual understands why their data is being stored.
You should see the GDPR as an opportunity to streamline your operation and to deliver an even higher standard of service to your customers.
In this blog post, you will learn how to prepare for GDPR in 7 simple steps. Let’s get started with the first and most important step.
What is Personal Data?
This has been one of the most debated questions in recent months with regards to the GDPR. The answer to this is any information that your business holds that can be used to identify an individual. What this means for the owner of a website is that the GDPR will apply to all the information you have collected about your customers, whether this is through a website or offline.
Often this will be stored in several places. If you capture email addresses for marketing, then the data is probably being stored your email marketing (or CRM) database. If you take orders online, then the data will be in your ecommerce system, and if you have a customer login section on your site, then the data will be in your backend database.
Back at your office, you will have customer data in your accounts system, in your documents, spreadsheets and your email.
Controllers and Processors
The GDPR defines anyone who handles personal data in one of two ways. You are either a Controller or a Processor. You can be both, in which case the requirements of each will apply. So what do these somewhat analytical names mean?
A Controller of data is anyone who owns or is responsible for personal data. What this means is that if you have an ecommerce website and your customers place orders with you, then you are a Controller of that data because that data is stored by you. You control the information because you are the one who has requested it from the customer.
A Processor is anyone who manages or handles personal data on behalf of another organisation or person. For example, if you use the MailChimp service for your email marketing, then MailChimp is the processor for your customer email addresses, but you are the controller because you are responsible for collecting and storing the data.
It is possible to be both a Controller and a Processor, and this is more common than you might think. If you are running an ecommerce website, then you are a Controller. However, you can be a Processor too if, for example, you run a business that handles services on behalf of another company. You are a Controller when you manage the data of your direct customers, and you are a Processor when you handle data on behalf of the 3rd party.
For example, if you sell products online via your website, then you are a Controller for that data. If you sell your products online via Amazon Marketplace, then you are a processor for data provided to you via Amazon. Amazon is the controller, and they will instruct you on how you should manage that data on their behalf.
GDPR Plan: Day 1 Action
List all the locations in your business where you store personal data. This only needs to be a bullet point list for now. For example, you might list
Do not go into detail yet, just compile a list. Do not forget to include your employees, so that means Payroll and HR too.
Create two columns in a spreadsheet and head one ‘Controller’ and the other ‘Processor’. Then under each column list down each area of the business in which you control data and where you process data. Focus on all the areas where your company handles personal data for the Controller role and where your business handles 3rd party personal data for the Processor role.
Principles for Holding Personal Data
One of the biggest myths of the GDPR is that it intends to stop you holding any personal data on anyone at anytime. This would, of course, put all of us out of business. For the record, this is a complete myth, and the GDPR was not designed to stop you from trading your business and from serving your customers. In fact, it is intended to protect and manage personal information in a methodical, accountable way, to ensure security and safety for individuals.
There are six critical principles regarding how you must manage personal data. The table below outlines each principle, with a relevant example:
|Processed lawfully, fairly and in a transparent manner||Acceptance of terms of business when placing an order on your ecommerce site|
|Collected for specified, explicit and legitimate reasons||Collecting customer name and addresses for shipping is used for that purpose only, and if you did not obtain this you could not provide the service|
|Adequate, relevant and limited to what is necessary||Collect only the data needed for the job. To ship an order, you would not need to know their gender, date of birth or personal interests.|
|Accurate and, where necessary, kept up to date||Keeping a customer’s address up to date – if they moved house you need to know this and not assume that their current address is for life|
|Retained and, where necessary, kept up to date||You cannot keep data for longer than is required to serve the purpose for which you collected the data. You may save a customer’s address for one year if you provide a product/service warranty, but for no longer if you have no reason to hold it. Data may be retained for legal and regulatory purposes, such as accounts, for seven years.|
|Processed and stored in an appropriate manner||Paper records should be stored in locked cabinets. Online data should be encrypted and secured so that it cannot be stolen or compromised by a cyber attack, hack incident or malware.|
Your business must be able to demonstrate the above six principles to ensure your compliance. If you cannot show that you have policies and procedures in place to address each of the six principles, you could be deemed not to be handling personal data responsibly, and you could be breaking UK law.
GDPR Plan: Day 2 Action
Go through each of the six principles and list down the policies and processes you have in your business that address each principle. For example, do you have a customer retention data policy? How long after a customer has ordered from you do you keep their data? Three months, one year, three years? Do not worry about the details now, just look at each principle and list the policy you have in place to address this. If you have none, that’s fine for now.
Obligations: Subject Access Request and Right to be Forgotten
The GDPR introduces two new requirements for any business that holds personal data. These are known as the Subject Access Request (SAR) and Right to be Forgotten (RTF). The good news is that they sound much more draconian than they are.
The SAR is merely an official process in which a person can request from your business what personal information you hold on them. Every EU citizen has the right to make this request from an organisation or company. What you need to do is set up a policy in your business for this process, but you have the right to control how this process is undertaken, and you have the right to charge for the service.
What this means is that you can charge a maximum of £10 for each SAR to cover the administration of the request and you have up to 40 days from the request being received to complete it.
Let’s look at an example. I call your business and say “tell me about all the data you hold on me, please”. What you need to do next is take the appropriate steps to make sure the person calling is who they say they are. You will have to ask for identification from them to make sure you do not give personal data to the wrong person.
Then you ask the person to follow your SAR process. This might be a Google Form online that they complete before you accept the request and forward the data. The choice of how you deliver the information is yours.
When you have a SAR policy in place, you will have a simple and easy way to locate personal data on any person. This then makes the next requirement so much more comfortable.
The Right to be Forgotten (RTF) is a part of the GDPR. This means that a person can request to know what data you hold on them and then once they know this they can ask for this to be deleted or removed from your database. If you have a stable SAR policy in place, then you will know where all the data is stored, and you can plan how you would delete it.
For example, if you store data in your website’s backend database, you can have a process that deletes the record for the customer and any associated sub-records. You can have a process that removes the customer from the Accounts system. You can have a process that shreds any paper records that you have for that customer.
A key point to note here is that if you have a legal or regulatory requirement to hold data, then this cannot be removed by an RTF request. This means you can keep Accounts data for seven years, as per UK HMRC requirements. If you are a dentist, you must retain records of patient work for 11 years, and if you are a solicitor, you will have to keep Will and Probate records for up to 20 years.
The GDPR is not here to stop you doing business, and it cannot override the existing legal and regulatory requirements of your industry.
GDPR Plan: Day 3 Action
Take the list of each place your store personal data in your business and write a process for how you can collect that information for a SAR. Document this into a business policy that you can delegate to employees to complete. Systemise this policy so that it is repeatable and streamlined.
Do this again for RTF requests. Work out how you can delete the personal data for any customer from each system you have in your business. Note down the legal and regulatory requirements you have to adhere to so you can inform your customers that you hold their data for that reason.
Data Audit and DPIA
One of the biggest worries I have heard voiced is the question of “where is all my data?” The task of discovering this can seem overwhelming and it is easy not to start this process because it seems too daunting. What you need to do is start this process now, and you will soon realise that finding where all your data sits is nowhere as difficult as it might seem.
So what is a DPIA? It is a Data Protection Impact Assessment. What that means is ‘where is the personal data and how do I protect it for my customers”.
Let’s go through a typical DPIA.
Identify the need. Refer to the list from day one that contains all the parts of the business that contain personal data
Describe the information flow. For each part of the company, note how data is collected, stored, used and deleted. Understand why you collect data, where it is stored, how it is used and when it should be removed.
Identify privacy risks. Note the possible threats and vulnerabilities to the rights and freedoms of the individuals whose data you collect. Examples could be, can your website be hacked? Have you tested your website for security vulnerabilities? Do you require secure access to your customer’s data on the website? How could data leave your business without your knowledge?
Evaluate the privacy solution. For each risk to your data, identify a solution that can address the threat or make a decision to ‘accept’ the risk and work to mitigate it as much as is possible. For example, with an RTF it is not possible to erase personal data from your website backups. In this example, you accept the risk and would notify any customer requesting an RTF that you would not access the backups for anything other than recovery and if their data were recovered it would then be erased from the recovered live system.
Sign off the DPIA and record the outcomes. When you have assessed each risk and determined what actions are to be taken, or what risks are to be accepted, formally document this. This then forms the basis of your GDPR compliance documentation.
Start implementing the DPIA outcomes in a project. Use the DPIA to build a project plan to implement each action and mitigation. Work on the plan until all steps are complete. Revisit the plan once a quarter to maintain the standards set.
GDPR Plan: Day 4 Action
Decide who will undertake your DPIA. This can be completed internally, or you can work with one of our recommended partners who will manage the whole process for you.
Complete the DPIA process. Assess the outcomes. Build the project plan. Deliver on the project plan.
Security Audit, Firewalls and Vulnerability scans
Cyber security has been in the news so much in the last few years. We all have an image of what a ‘hacker’ looks like, but in reality, hackers look like you and me because they are simply people. They are people who choose to use cyber crime to make money.
Cyber crime is widely under-reported. Why? Because many companies do not want to admit to having had money stolen or having lost customer data. The negative PR associated with a cyber attack on a company can have far-reaching effects. The Sony PlayStation Network breach is a prime example. This has led to security being way down on the list of priorities in many businesses.
If you have an online business, security should be right at the top of your list. Not only do your customers expect it, but Google does too. The reason is that your reputation is everything. You will get hacked. That’s right, you will get hacked one day, and if you work to this belief, then you be starting with the right mindset.
The principal focus is how to minimise the impact when it does happen and how you will talk to your customers during the resolution process.
Have you asked these questions about your business?
Do you have an agreed schedule for updating your website security?
Do you have regular security scans done on your website to discover vulnerabilities
Do you require your customers use Two Factor Authentication like a text message to login into your website?
Do you store customer data on a server in your office?
Do you internally email attachments that contain customer data?
Do you allow employees to access your systems from their own personal devices
Do you backup your customer data and where is that backup stored?
Is your website hosted behind a Firewall?
Is that Firewall updated automatically to detect threats and attack vectors
Do you have a Firewall in your office protecting your network?
Is that Firewall updated automatically to detect threats and attack vectors?
Are all your employees trained in your security processes and understand the risks associated with working online?
As you can see, undertaking a security audit is a serious matter. It is for this reason that we strongly recommend that if you do not have the skills in-house to complete this audit, you should talk to one of our recommended partners who can help you with this.
One great way to work towards making your business as secure as possible is to gain the Cyber Essentials and then the Cyber Essentials Plus accreditation. This government-supported accreditation will enable you to show your customers you are secure and following industry best practices by displaying the logo on your website and marketing materials.
GDPR Plan: Day 5 Action
Decide if you have the skills to undertake a security audit of your business and website. If you require assistance, then talk to a security partner who can help you.
Complete the security audit as you are right now. Assess the results and build a project plan to address each risk. For each risk, decide to either to take action or to accept the risk.
Take action on the security project plan.
The leading web Content Management System in the world is WordPress, which has over 60% market share as of March 13th 2018.
What this means is that if your website is hosted using WordPress, then you are going to be the single most significant target for cyber criminals. Criminals play the numbers game, and they will look to attack the platform that gives them the most return. This is WordPress.
WordPress is an open source system, this means you can use it for free, how it works is shared with everyone, and everyone can update and improve the product. Because of this model you can add features to WordPress by using what are called Plugins. Anyone can write a Plugin and then sell it or make it available for free to other WordPress users.
It is highly likely that you will have Plugins installed on your WordPress site to provide services like analytics, commenting and social media sharing etc. You need to ensure that each one of these plugins is updated on a regular, scheduled basis, every time a security update is released.
If you are not familiar with how to update your WordPress installation, then we recommend you talk to TJS about how we can help.
Ensuring that WordPress and all Plugins are kept up to date with the latest security updates will be critical to maintaining GDPR compliance. Cyber criminals will be looking to compromise your website to steal your customer data. It is your responsibility to protect against this as much as possible.
The GDPR stipulates that those who have a data breach may be fined between 2-4% of turnover. This may be a significant sum of money. The fines are based on turnover and not profits. As a result, lower margin businesses run the considerable risk of losing all their profits if fined.
We expect to see criminals try to steal data so that you can be blackmailed into paying them a ransom for the data. In the last few years, the most popular cyber crime has been ‘ransomware’. This is where criminals gain access to your data, encrypt it so you can’t access it, and demand a ransom in return for giving it back. If you do not pay the ransom, you do not get your data back.
Now that people are aware of this threat, most businesses have a solid backup plan so that should this happen, they can restore their data and avoid paying the ransom to the criminals.
The single biggest threat coming is that cyber criminals will now want to steal your data instead of encrypting it. Once they have your data, they can tell you to pay them, or they will release the data as a breach and report your business to the Information Commissioner’s Office (ICO).
Then you will be faced with the awful decision of whether to pay the ransom or to risk being reported for a breach. If you pay the ransom can you trust that the criminals will not report you anyway? If you do not report the violation, can you afford the fine if you are found to be negligent?
I do not mean to use scare tactics. This is real life and is one of the possible outcomes post-May 25th 2018. What you need to do now is understand the risk, take action and show that you have done everything you can to protect your customers’ data.
The ICO has stated that they have no intention to fine businesses who have made explicit efforts to become GDPR-compliant. They will, however, take a very dim view of those companies that have done nothing to protect personal data and have just carried on with ‘business as usual’.
GDPR Plan: Day 6 Action
Complete a security audit of your website. This must include checking that your website is running the latest version and updates for the Content Management System. Complete a vulnerability scan against your website to confirm you have accepted or mitigated any vulnerabilities discovered.
Confirm that you have a backup plan in place for your website and that this has been tested as working correctly once a quarter.
Produce a schedule for vulnerability testing your website and updating the CMS with version upgrades and security updates.
Privacy and Breach Policy
What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
With whom will it be shared?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?
Take time to look at all the forms and capture methods you use on your website and how they will be affected when you are answering the above questions.
If you do this by just having a link next to the form that says ‘Learn More’, for example, and this links to where the privacy notice is stored, this is not adequate, and it could be claimed that you are deliberately obfuscating information.
The key to the GDPR is to be as open and clear about why you are collecting personal data as possible. This is what your customers will be looking for and what the ICO will expect to see. The most important currency right now in business is reputation, and this is built when you are open and transparent.
You will be required to have a breach policy that explains what you will do in the event of a breach. The ICO defines a breach of personal data as:
‘A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.’
What this means, in reality, is that you must be able to account for the control of personal data at all times. For example, if you take a backup of your website, and then you lose access to this backup, this is technically a breach. What you have to decide is if this breach will impact a person’s rights and freedoms. There is no rule for this. You have to make the decision and then stand by this if challenged. Remember that the breach must impact the rights and freedoms of the individual. If this is not the case, then you do not have to report the violation.
However, you should always document the breach internally for the record.
Below is an example from the ICO of how to act on a data breach:
‘The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, you would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.’
The GDPR states that you must report a breach without ‘undue delay’.
This is not a defined period, but it must be less than 72 hours.
Your breach policy should state how you will report what data has been breached, who has been impacted, what the expected impact will be, the contacts details of your business and the actions that will be taken or have been proposed to deal with the breach.
If you do not have all the information to hand within 72 hours (in the case of a detailed forensic investigation this may very well be the case), you will be expected to notify the ICO and update them as information is gathered.
If you experience a breach, you have to decide how to inform those who have been affected. If the rights and freedoms of those concerned are at high risk, you must again notify without undue delay. Make sure you include in your breach policy how you will inform those affected in the event of a breach. If you intend to use mass communication tools like Twitter, then be aware of the consequences of using these tools.
It will be how you handle a breach that is remembered, not the fact that you had one.
GDPR Plan: Day 7 Action
Visit the ICO website and make yourself familiar with their guide to the GDPR
Create a Breach Policy for your business
Educate your employees on understanding the two policies and practice a test run through of assessing a data breach scenario.
Remember, this regulation is here to protect all of us
Despite the media hype, email marketing is not going to be killed off by the GDPR. What you are going to have to do is make sure that every person on your email list has completed what is called a double opt-in.
You will have seen double opt-in before, this is where you complete a form on a website, and then you get an email to confirm you want to subscribe. When you click on the link in the email, you are added to the email list.
All of the major players in the email marketing business have this feature including Mail Chimp, Aweber, OntraPort and InfusionSoft. If you do not use the double opt-in now then don’t panic, you have plenty of time to fix this problem.
Here is what you need to do
Setup your email marketing software to use the double opt-in feature. If your service does not support this, then take the time to ask when it will or better still move to a new service now.
Write a new email to all of your list that explains in a friendly conversational tone that you take their privacy seriously and that you are asking them to confirm they are still friends with your business. This email to your list must ask individuals to subscribe again. Include a URL to the opt-in page. Stress that if they do not opt-in again, they will miss out on all the great information and help that your business offers.
Reiterate to your list that if they want to stay off the list, that’s cool with you and you are happy for them to be removed on May 24th 2018 automatically.
Get the email out to your list and monitor the open rates. You want this email to be read by as many recipients as possible before May 25th because after that date you cannot send an email of this type to ask for the opt-in.
You have until the 25th May to email your list without the double opt-in so make haste on this and get this take completed as quickly as possible. The longer you leave this, the less time you have to reach the most people on your list.
Webinars and Lead Magnets
Many online businesses offer Webinars and other lead magnets to attract customers, part of this process is capturing email addresses for your email list. After May 25th you will no longer be able to email to those without you having a reason for that contact. If you had a person sign up for a webinar six months ago, that was about “How to Clean your Mountain Bike” then the GDPR states that you can only email that person about that topic specifically.
The GDPR requires that there is a legitimate interest for communication. When someone signs up for a webinar, they are giving you consent to send them the details for the webinar, and you have a legitimate interest in communicating with them regarding Mountain Bike Cleaning services or products. The critical difference is that they have NOT given consent for you to email them about the latest offers on Mountain Bikes you have for sale. They did not consent to that, and that is not in the legitimate interests of the individual because buying a new bike is not related to the cleaning of an existing bike.
This is a crucial concept of the GDPR; you can only market to individuals or businesses when they have agreed to one of the six principles of the GDPR that we explained earlier in the article.
Remember, the principles of processing data are:
Specific consent is given, e.g. double opt-in.
Consent forms part of a contract, e.g. employment or purchase.
Legal regulation or obligation, e.g. storage of financial accounts.
Vital interests, e.g. health records for a blood transfusion when you are unable to provide this because of injury.
Public interests, e.g. a census record.
Legitimate interests, i.e. further relevant information that benefits the individual regarding the topic of their original enquiry
Children and the GDPR
The GDPR has particular rules about the processing of personal data for children. This has been divided into two groups:
Children 13 and over
Children under 13
If a child is 13 or over they are deemed by the GDPR to be responsible for the management of their own personal data. This means that you have to gain THEIR consent or principle for processing their data. You cannot rely on the granted permission of their parent or legal guardian.
This tenant is significant. The UK has stipulated that children over 13 must be treated as individuals. Therefore, if you have any online club or group for children 13 and over, and you have used parental consent to process their data or to communicate digitally with them, you will need to stop processing this data after May 25th. Unless, of course, you have met at least one of the six principles of data processing.
Children under 13 require the consent of their parent or legal guardian. Once again you will need to apply for the right to process their data under one of the six principles of data processing before the 25th May.
The GDPR is the first significant legislation regarding personal data in twenty years. For this reason, it can seem a bit of a shock when you are now being asked to comply with so many new rules and processes. It is important to remember that this regulation will benefit all of us. It is there to protect our rights and freedoms from being abused.
If you take a pragmatic approach to the GDPR and if you work through the requirements slowly and with clarity, you will find that the regulation poses little problem to your business. In fact, I predict that you will discover new efficiencies in your processes, while at the same time delivering an improved service to your customers.
For more information on the GDPR, please visit the ICO (Information Commissioner’s Office) website – https://ico.org.uk/
Get in touch with us to see how TJS and our partners can help you get compliant ready for May 25th 2018.