Having come into effect on 25 May 2018, the General Data Protection Regulation (GDPR) has been a hot topic over the last year.
This guide will help you understand everything you need to know about GDPR, from consent to data protection, gathering and use. You can also download our handy checklist to ensure your business remains GDPR compliant.
Introduction to GDPR
But what exactly does GDPR stand for?
Created by the European Parliament, the Council of the European Union and the European Commission, GDPR aims to strengthen and unify data protection for all residents of the EU. Ultimately, it gives consumers more control of their personal data.
The reforms are designed to reflect the online world we’re living in so that people can continue to protect their privacy and personal data when using the internet.
Speaking about GDPR, Vice-President for the Digital Single Market Project in the European Commission, Andrus Ansip commented:
The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.
Throughout this article we’ll be referring to personal data. Personal data is any information which can be used directly or indirectly to identify a person. This can include anything from a name, photo, email address, bank details and medical information to a computer IP address, cookies or posts on social networking sites.
Does GDPR apply to me?
If you operate within the EU or offer goods or services to customers or businesses in the EU and process personal data, then GDPR applies to you.
It’s not just the larger corporations that need to consider GDPR compliance either. Small businesses are still responsible for protecting their customers’ personal data so you should have a compliance strategy.
You must work out who in your business is responsible for data protection. You may also want to consider appointing this person as a Data Protection Officer (DPO); it might even make sense to take on this role yourself. For most small businesses this isn’t a legal requirement. Legally, you only need a DPO if you’re a public authority or handle lots of data. More in-depth information can be found in Article 4 of the General Data Protection Regulation. Alternatively, you can head to our jargon buster section for further information.
As well as defining the roles required for GDPR compliance, below we cover the areas of your business this is likely to affect, what consent is and how to acquire it, key GDPR laws, and some of the most frequently asked questions about data protection, gathering and use.
What areas of my business does GDPR affect?
Many people think that GDPR is an IT issue. This simply isn’t the case – it has implications for your whole company, including the way that sales and marketing activities are carried out.
While this might make GDPR seem extreme (especially for smaller businesses or solo-practitioners), understanding the key areas will really help you with your GDPR journey and enable you to identify where to start.
Marketing is by far one of the biggest areas which has been impacted by GDPR. Because of this, the majority of the best practices we refer to in this guide will be related to your marketing communications.
Perhaps one of the most important things to take away from GDPR is that you’re no longer allowed to contact prospects or even existing customers unless they’ve given you express permission to do so. This is however only the case if you’re using someone’s personal data.
For example, if you’re sending out marketing emails then everyone on your database needs to have given clear consent to receive them. GDPR rules state that subscribers need to express consent:
In a freely given, specific, informed, and unambiguous way, which is reinforced by a clear affirmative action.
You cannot automatically subscribe someone to your list or assume they want to receive marketing communications from you simply because they’ve dealt with you in the past.
The best way to acquire consent is through an opt-in form. This is where you ask customers for their permission to store and use their data. It must be asked for in a clear, unambiguous way and what you will be using this information for needs to be explained. Opt-in options must not be pre-ticked, the customer must actively and expressly give consent by ticking the box themselves.
While double opt-in isn’t compulsory, it’s good practice and can be an effective way to demonstrate your subscribers’ consent. An example of double opt-in could be someone signing up for your email marketing list and then receiving an email to confirm they wish to subscribe. Until the person has clicked on the confirmation button, they won’t be added to your email database.
For more information about consent, please head to ‘what the law says about consent.’
Another area of marketing you need to be aware of is automation. While it can be an extremely powerful tool, GDPR rules still apply and should you commit any offences you may receive a fine.
If, for example, your marketing automation system sends out emails on behalf of your CRM system, you could receive a penalty from the ICO if an email is automatically sent to someone who has opted out.
It’s vital to ensure that every name and email address in your CRM database has given you permission to market to them. If someone opts out of receiving your communications, you need to ensure that no further emails are sent, and they are removed from any automated communications.
You’re also going to have to start thinking about the kind of data you’re collecting about your customers. Businesses like to know as much as they can about their customers, after all, it’s much easier to sell to people when you know everything about them.
GDPR does however require you to have a legitimate reason for processing the personal data you collect. This means you have to focus on the data you need and forget about the “nice to haves.”
If you really need to know someone’s favourite movie before they subscribe to your newsletter, and can prove why you need it, then you can continue asking for it. Otherwise, try to avoid collecting any unnecessary data and stick with the basics.
To ensure your marketing activities follow GDPR compliance:
- Ensure users have opted-in to receive your marketing communications.
- Make sure you have evidence of how your recipients gave consent.
- Allow your subject to withdraw consent at any time. It should be made easy and clear how someone would unsubscribe from receiving emails from you.
- Remember that if you’re acquiring someone’s data for multiple reasons, consent must be given for all purposes. If someone has opted-in to receive emails for example, this doesn’t automatically give you permission to contact them in other ways.
- Have a read of ‘How does GDPR affect email?’ There’s plenty of helpful information about everything from email security to spamming.
- If you’re still confused, watch the video ‘GDPR compliance requirements for marketing and business.’ It’s also great for companies who aren’t based in the EU but are worried about how GDPR might affect them in the near future.
Don’t:
- Automatically add people to your email list thinking they’ll opt out if they don’t want to hear from you.
- Buy or scrape lists. Under the new GDPR rules this is strictly forbidden. This means you can’t get someone’s email address off LinkedIn or a company’s website for example.
- Use pre-ticked boxes – this does not constitute consent.
- Ask subscribers to provide you with unnecessary personal information.
- Neglect your GDPR responsibilities. It’s a good idea to stay informed about changes and updates on an ongoing basis. Marketing Week has a section dedicated entirely to GDPR where you can find all the latest information and you can keep an eye on our ‘Keeping it legal’ section for the latest in business compliance too.
As we discussed earlier, GDPR gives people more control over how their data is collected and used. This includes the ability to access or remove personal information – known as ‘the right to be forgotten’.
The right to be forgotten has become one of the most talked about rulings in the history of the Court of Justice of the European Union. It gives people the right to have outdated or inaccurate personal data removed. Google, for example, has been forced to remove pages from its search engine results pages in order to comply.
As a business owner, you have a responsibility to ensure that your users can easily access their data and remove consent for its use.
This can be as straightforward as including an unsubscribe link at the bottom of your email marketing communications or adding a link to a user’s profile where they can manage their email preferences.
This right is not absolute however and only applies in certain circumstances. Individuals have the right to have their personal data erased for reasons including:
- It’s no longer necessary for the purpose you originally collected or processed it for
- An individual withdraws their consent
- You have processed the personal data unlawfully
- The request relates to a child
Companies often hold a lot of information about their customers. This can be their name, postal address, email address, interests, the products they buy and what they look at when they visit your website. Sometimes, this can even include sensitive details such as passport information, other forms of ID, photos, National Insurance number and information about their health.
Because it’s important that this information doesn’t fall into the wrong hands (hackers for example), GDPR is forcing businesses to think about where they’re keeping this data. You’re no longer allowed to store customer details across multiple devices and programmes (unless the data is stored securely). It’s also important to check that only authorised personnel can access this information.
In order to ensure your business follows GDPR compliance:
- Give people the option to unsubscribe or edit their preferences every single time you contact them.
- Have a comprehensive system in place where you can store consent, partner agreements, privacy agreements and customer data.
- Protect the personal customer data that you collect and store during the entire lifecycle. This starts from being a prospect to becoming a customer, right through to ending relationships with a company.
- Ensure that all of your employees know what’s required of them and how they can help you stay GDPR compliant.
- Have a read of ‘The guide to GDPR for small businesses’.
- Make sure you understand your GDPR data protection responsibilities.
Don’t:
- Assume that you’ll be able to achieve compliance with technology alone. What’s required on top of any technology you implement is internal policy and processes.
- Miss out any part of the process. Have a read of these six key steps to ensure GDPR compliance to ensure you’re covered.
What the law says about consent
GDPR requirements state that consent must be freely given, specific, informed and unambiguous. Consent must also be given on a voluntary basis. As mentioned above, you cannot for example automatically opt someone in to receive communications from you.
If there is any element of inappropriate pressure or influence which could affect the outcome of that choice, the consent is rendered invalid.
Last but not least, consent must be unambiguous. This means it requires either a statement or a clear affirmative act – you should for example send a follow-up email so the subject can confirm it was them who chose to opt in to receive communications from you.
Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion. This ensures that there’s no misunderstanding that the data subject has consented to that particular processing.
The example below from the BBC Good Food website clearly states that cookies are used and why. It also gives people the option to find out more information as well as choose whether to accept cookies or change their settings. It’s not enough to have this information hidden somewhere on your website – people need to be informed straight away, which is why most websites have a pop-up as soon as people land on the site.
When getting consent to gather and use people’s personal data:
- Remember that everyone has the right to withdraw consent at any time. If someone wants you to delete them from your database, you must do so immediately. There are however sometimes other reasons for processing data (such as for sending out confirmation notices) so this may not always apply. You can find out more about this here.
- Ensure you can prove that the individual agreed to a certain action, such as to receive your newsletter. You’re not allowed to assume consent by adding a disclaimer or providing an opt-out option.
- Ensure you can prove that consent was given in case an individual disputes that they ever agreed to receive your communications. This means that any data you hold must have an audit trail which is time-stamped and contains reporting information which details what the individual opted into and how they did so.
Don’t:
- Assume that consent is generic. Consent isn’t valid unless separate consents are obtained for different processing activities. For example, just because someone submitted their details so they could download a form off your website, this doesn’t mean you can use this information to send them your monthly newsletter.
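The consent rules above (double opt-in, a time-stamped audit trail that records how consent was given, purpose-specific consent, and immediate withdrawal that also stops automated sends) can be enforced in code. The following ledger is an added example written for this guide, not code from the original page or from any particular CRM; the purpose names, form ids and event actions are assumed conventions.

```python
"""Purpose-specific, time-stamped consent ledger with double opt-in (example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
import secrets


@dataclass(frozen=True)
class ConsentEvent:
    subject: str        # e.g. the email address of the data subject
    purpose: str        # "newsletter", "whitepaper_download", ... (assumed names)
    action: str         # "requested" | "confirmed" | "withdrawn"
    method: str         # how it happened: the evidence of consent GDPR asks for
    at: datetime        # time-stamp of the event
    evidence: str       # form id, confirmation token, etc.


class ConsentLedger:
    """Append-only log; the latest event per (subject, purpose) decides."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._events: List[ConsentEvent] = []
        self._pending: Dict[str, Tuple[str, str]] = {}   # token -> (subject, purpose)
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, subject, purpose, action, method, evidence) -> ConsentEvent:
        ev = ConsentEvent(subject, purpose, action, method, self._clock(), evidence)
        self._events.append(ev)
        return ev

    def request(self, subject: str, purpose: str, form_id: str,
                box_ticked: bool, pre_ticked: bool = False) -> Optional[str]:
        """Step 1 of double opt-in: the subject ticks an initially unticked box.
        A pre-ticked box, or a box left unticked, gives no consent at all, so
        nothing is recorded. Returns the confirmation token to send by email."""
        if pre_ticked or not box_ticked:
            return None
        token = secrets.token_urlsafe(16)
        self._pending[token] = (subject, purpose)
        self._log(subject, purpose, "requested", "web_form:" + form_id, token)
        return token

    def confirm(self, token: str) -> bool:
        """Step 2 of double opt-in: the subject clicks the confirmation link.
        Only now does the subject count as opted in."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False            # unknown or already-used token
        subject, purpose = entry
        self._log(subject, purpose, "confirmed", "email_confirmation", token)
        return True

    def withdraw(self, subject: str, purpose: str,
                 method: str = "unsubscribe_link") -> None:
        """Withdrawal takes effect immediately and is itself logged."""
        self._log(subject, purpose, "withdrawn", method, "")

    def may_contact(self, subject: str, purpose: str) -> bool:
        """Consent is specific to one purpose and must be current: the most
        recent event for this (subject, purpose) has to be a confirmation."""
        latest = None
        for ev in self._events:
            if ev.subject == subject and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "confirmed"

    def recipients(self, candidates: List[str], purpose: str) -> List[str]:
        """Gate for automated sends: reduce a CRM list to consenting subjects."""
        return [s for s in candidates if self.may_contact(s, purpose)]

    def audit_trail(self, subject: str) -> List[ConsentEvent]:
        """Everything recorded about one subject; also answers access requests."""
        return [ev for ev in self._events if ev.subject == subject]
```

Because the ledger only ever appends, the trail for a subject shows what they opted into, how, and when they withdrew, which is the evidence you need if consent is ever disputed.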
The key laws around data gathering, protection and use
Under the terms of GDPR, organisations have to ensure that personal data is gathered legally and under strict conditions (please refer to ‘what the law says about consent’).
As well as this, those who collect and manage data are obliged to protect it from misuse and exploitation, as well as respect the rights of the people whose data it is. Failure to comply with this can result in hefty penalties.
As a reminder, personal data is any information which can be used directly or indirectly to identify a person.
When gathering data, please remember to consider consent and how you obtain this. As well as this,
- Only collect personal data you actually need for your specified purpose.
- Periodically review the data you hold and delete anything you don’t need.
- Ensure you can demonstrate that you have the appropriate processes in place for this.
- Make sure you know what information must be given to individuals when you’re collecting their data.
Don’t:
- Keep personal data longer than you need it.
- Hold personal data about customers that you don’t need. If you can’t justify a need for it, you need to delete it.
- Collect personal data on the off-chance that you might need it in the future.
Sadly, things can and do go wrong when it comes to data storage. Information can get lost, stolen or released into the hands of people who were never supposed to see it – and those people often have malicious intent.
While this happens to even huge organisations who can afford to spend millions of pounds trying to prevent it, it’s absolutely vital that you have appropriate security measures in place to protect the personal data you hold.
This is referred to as the ‘integrity and confidentiality’ principle of the GDPR – also known as the security principle. This states that you must:
- Consider factors such as risk analysis, organisational policies and physical and technical measures.
- Ensure that any security measures you take are appropriate to both your circumstances and the risk your processing poses.
- Look to use measures such as pseudonymisation and encryption where appropriate. Pseudonymisation enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers. Encryption is the process of converting information or data into a code. This is usually done to prevent unauthorised access by anyone who doesn’t have the decryption key.
- Ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
- Be able to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
- Ensure that you have appropriate processes in place to test the effectiveness of your measures as well as undertake any improvements if needed.
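The pseudonymisation measure described above, as an added example (not code from the original guide): direct identifiers are moved out of each customer record into a separately held lookup table and replaced by a keyed token, so a copy used for analytics or reporting no longer identifies anyone on its own. The field names, the sample record and the HMAC-based token scheme are assumptions for illustration.

```python
"""Pseudonymise customer records: direct identifiers out, keyed token in (example)."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional

# Fields that identify a person directly (assumed names); everything else stays.
IDENTIFYING_FIELDS = ("name", "email", "postal_address", "ni_number")


def pseudonym(key: bytes, email: str) -> str:
    """Keyed HMAC of the normalised email. Without the key nobody can recompute
    or reverse the token, so a leaked pseudonymised copy names nobody."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:24]


def pseudonymise(record: Dict[str, Any], key: bytes,
                 lookup: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Return a copy of `record` with identifying fields replaced by `subject_id`.
    The identifying fields go into `lookup`, which must be stored and
    access-controlled separately from the pseudonymised data."""
    pid = pseudonym(key, record["email"])
    lookup[pid] = {f: record[f] for f in IDENTIFYING_FIELDS if f in record}
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["subject_id"] = pid
    return out


def reidentify(pseudo: Dict[str, Any],
               lookup: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Only a holder of the lookup table can put the identity back."""
    return {**pseudo, **lookup[pseudo["subject_id"]]}


def erase_link(pid: str, lookup: Dict[str, Dict[str, Any]]) -> bool:
    """Erasure request: dropping the lookup entry severs the link between the
    pseudonymised record and the person. Returns False if already gone."""
    return lookup.pop(pid, None) is not None


def leaked_identifiers(pseudo: Dict[str, Any]) -> List[str]:
    """Pre-export check: which direct identifiers are still in the record?"""
    return [f for f in IDENTIFYING_FIELDS if f in pseudo]


# Constructed sample record for the demo (not real data).
SAMPLE = {"name": "Jo Bloggs", "email": "Jo.Bloggs@example.com",
          "postal_address": "1 Example Street", "ni_number": "QQ123456C",
          "plan": "pro", "last_order_gbp": 42.50}


def demo(key: Optional[bytes] = None):
    # The key belongs in a secrets store, never beside the pseudonymised data.
    key = key or secrets.token_bytes(32)
    lookup: Dict[str, Dict[str, Any]] = {}
    pseudo = pseudonymise(SAMPLE, key, lookup)
    return pseudo, lookup, key
```

Encryption of the stored data is a separate measure; this block only shows the pseudonymisation step.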
What happens if you suffer a data breach?
GDPR compliance requires you to report serious data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is at high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should also ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you’re required to notify.
Do:
- Undertake an analysis of the risks your company faces and use this to assess the appropriate level of security needed to prevent a breach.
- Have an information security policy (or equivalent) and take steps to ensure the policy is implemented. You can find out more about this here.
- Regularly review your security policies and where necessary, improve them.
- Ensure you can restore access to personal data in the event of an incident – such as by establishing an appropriate backup process.
- Conduct regular testing and reviews of your security measures to ensure they remain effective.
- Learn to recognise when you’ve suffered a data breach.
- Prepare a response plan for addressing any personal data breaches that occur. Experian has plenty of information about this on their website as well as documents you can download which act as a handy guide to preparing the relevant documents you need.
Don’t:
- Think that your business is too small. New research shows that UK small businesses are targeted with 65,000 attempted cyber attacks every single day.
- Underestimate the consequences of failing to comply with GDPR security legislation. Whilst small businesses are very unlikely to be fined for minor breaches or first offences, your data protection authority could issue a penalty of 4% of your global annual turnover or €20 million, whichever is greater.
- Ignore a breach. Here you can find everything you need to know about reporting a breach.
We’ve covered a lot about data use in ‘what areas of my business does GDPR affect?’ Once you’ve acquired the appropriate consent for collecting personal data and are using it appropriately, you must also ensure that individuals have:
1. The right to access: Individuals have the right to request access to their personal data and to ask how their data is being used. You must provide a copy of the personal data, free of charge and in electronic format if requested.
2. The right to be forgotten: If consumers are no longer customers or if they withdraw consent for you to use their personal data, they have the right to have their data deleted.
3. The right to data portability: Individuals have a right to transfer their data from one service provider to another. This must happen in a commonly used and machine-readable format.
4. The right to be informed: This covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
5. The right to have information corrected: This ensures that individuals can have their data updated if it’s out of date, incomplete or incorrect.
6. The right to restrict processing: Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
7. The right to object: This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
8. The right to be notified: If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of you first having become aware of the breach.
GDPR jargon busters
There’s a lot to learn about GDPR compliance. That, combined with how much jargon there is, can make the whole thing feel a little overwhelming. Below we decode the GDPR jargon you need to know.
Data protection officer
A Data Protection Officer (or DPO) is an enterprise security leadership role. It’s compulsory for your organisation to appoint a DPO if you’re a public authority or body or if you carry out certain types of processing activities.
They assist you with monitoring internal compliance, informing and advising on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
The person you appoint can be a member of staff or an external service provider.
They must however be an expert in data protection, have adequate resources and report to the highest management level.
Most small businesses are exempt from hiring a DPO. If your company’s core activities involve regularly monitoring data subjects on a large scale or you process large volumes of sensitive data however, you will need to employ a DPO.
Supervisory authority (SA)
Every EU member state is required to appoint an independent supervisory authority. It’s the job of the SA to investigate complaints that relate to GDPR and to sanction administrative offences.
Data controller
The Data Protection Act 1998 (the DPA) states that a data controller is ‘a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.’
In simple terms, a data controller determines how and why personal data is processed. They can be a person, public authority, agency or other body. They’re responsible for demonstrating compliance with GDPR by implementing measures that meet the principles of data protection.
You can find a very comprehensive guide to data controllers and processors on the Information Commissioner’s Office (ICO) website.
Data processor
A data processor handles the technical processing of the data on the controller’s behalf. This could for example include a cloud services organisation which provides a hosting platform where data is stored.
Data processors primarily answer to controllers. They’re expected to use appropriate technical and organisational measures to comply with GDPR, delete or return data to the controller once processing is complete and adhere to certain conditions that require collaboration with other processors.
Processing
According to the DPA, ‘processing’ means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data.
Data subject
Any person whose personal data is being collected, held or processed.
Data minimisation
You must ensure that you only collect personal data you actually need for specified purposes. You also need to periodically review the data you hold and delete anything you don’t need.
Accuracy
You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading. If you discover that any data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
Storage limitation
This states that you must not keep personal data for longer than you need it. You also need to be able to justify how long you’re keeping data for.
Consent
This is when data subjects are given the opportunity to allow or deny permission to use their personal data. It needs to be clear what the data is going to be used for and consent should be as easy to revoke as it is to give.
Encryption
Encryption is the process of converting information or data into a code. This is typically done to prevent unauthorised access by anyone who doesn’t have the decryption key.
Right to be forgotten
Anyone can request that the personal information you have stored about them is deleted. This can also include items that have been posted online by the subject themselves (such as a review, for example).
Derogations
This is another word for exceptions or exemptions. Please head to FAQs, ‘are derogations permitted by GDPR?’ for further information.
FAQs
What does GDPR stand for?
General Data Protection Regulation. This is an EU law on data protection and privacy for individuals residing within the European Union and the European Economic Area.
Who does GDPR apply to?
GDPR applies to organisations in the EU as well as to those located outside the EU if they offer goods or services to or monitor the behaviour of EU subjects, regardless of their location.
What happens if I don’t comply with GDPR?
There are hefty penalties for companies that fail to comply with the rules and for those that suffer data breaches.
If you don’t follow basic principles for processing data, your data protection authority could issue a penalty of 4% of your global annual turnover or €20 million, whichever is greater.
If you fail to report a serious data breach within the 72-hour deadline, you could face penalties of up to 2% of your annual worldwide turnover or €10 million, whichever is higher.
In addition to this, individuals will be given the right to claim compensation from the business for any damage that results from a GDPR violation.
What counts as personal data?
According to the European Commission, personal data constitutes:
“Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.”
How will Brexit affect GDPR?
Both the Information Commissioner and the UK Government have confirmed that GDPR will still apply to organisations in the United Kingdom even after we’ve left the EU.
What happens if my business has offices based in multiple countries across the EU?
In this instance, a single supervisory authority will be selected as your lead authority. This will typically be based on the location of your head office (or main establishment).
This lead authority will act as the ‘one-stop-shop’ for your business and they will supervise all of your business’s data processing activities.
Do I need to appoint a data protection officer?
An organisation must appoint a data protection officer (DPO) if it:
- Carries out large-scale processing of special categories of data
- Carries out large scale monitoring of individuals such as behaviour tracking
- Is a public authority
Although it isn’t mandatory for organisations outside of those mentioned above to appoint a DPO, all organisations need to ensure they have the skills and staff necessary to remain compliant with GDPR legislation.
Who organises the supervisory authorities?
A European Data Protection Board (EDPB) is in charge of coordinating the supervisory authorities and they’re responsible for maintaining consistency throughout the EU.
Are derogations permitted by GDPR?
Article 23 of GDPR stipulates that EU member states can introduce derogations (exceptions or exemptions) in a number of defined situations. This is however only permitted in instances where a data subject’s fundamental rights and personal freedoms will still be respected.
Derogations may also be permitted if it’s thought that society could be negatively impacted by any inadvertently conflicting rules under GDPR. This is most likely to apply to national and public security, national defence and criminal law procedures. With this in mind, derogations are unlikely to apply to SMEs or those who are self-employed.
What breaches need to be reported?
You need to report data breaches which involve unauthorised access to or loss of personal data.
If it’s likely to result in a risk to the rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other economic or social disadvantage, you’re obliged to report the breach.
This can include the name, address, date of birth, health records, bank details, or any other private or personal data you hold about customers.
What procedure do I need to follow if I suffer a breach?
If a breach occurs, you should contact your supervisory authority within 72 hours of you first becoming aware of it. In some cases, you may also need to inform any individuals who have been affected by the breach.
This needs to be done via a breach notification which must be delivered directly to the victims. This information may not be communicated only in a press release, on social media or on a company website. You must send direct correspondence to those who have been affected.
What do I need to put in a breach notification?
Whether you’ve suffered a cyber attack, lost data or human error has simply taken place, your company is obliged to send a breach notification to anyone who may have been affected.
This must include details of the breach, including:
- The categories of information and number of individuals which have been compromised
- The categories and approximate numbers of personal data records concerned
- A description of the potential consequences of the data breach (for example theft of money or identity fraud)
- A description of the measures that are being taken to deal with the breach
- The contact details of the data protection officer or main point of contact dealing with the breach
How does GDPR affect my marketing activities?
Data plays a crucial role in both digital and direct marketing strategies. Marketers therefore need to ensure they have demonstrated clear compliance and consent. You must also demonstrate how the data subject has consented to the processing of their personal data.
It’s good practice to cleanse and review your databases regularly to ensure that your organisation can identify consent which has been granted lawfully and fairly. Although GDPR only affects those living in the EU, if you operate internationally it’s a good idea to apply the same GDPR standards to your entire global audience.
How do I check I’m GDPR compliant?
We’ve put together a handy checklist which details everything you need to do to ensure your organisation is GDPR compliant. You can download your GDPR compliance checklist for small businesses here.
GDPR Compliance Checklist
We hope our guide has answered all your questions about GDPR. There’s a lot to take in so it can feel overwhelming if you’re not familiar with the regulation and everything it entails. To help you understand everything you need to know about keeping your business compliant, we’ve created a simple, easy-to-follow GDPR compliance checklist.
Helpful articles and tools
- GDPR explained in five minutes: everything you need to know
- 10 things you need to know about GDPR compliance regulations
- GDPR compliance: 10 steps to avoid fines
- What are data controllers and processors?
- Free GDPR compliance checker
For further information about GDPR for small businesses, you can contact the Information Commissioner’s Office on 0303 123 1113 (local rates apply). Alternatively, you can use their live chat function for free between 9am and 5pm Monday-Friday.
The information in this guide is for general guidance about data protection rules and is not legal advice.
We have tried to ensure that this guidance is accurate and relevant as at June 2019. However, Nominet UK will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any information contained in this guidance.