The GDPR… it’s personal

The General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and supersedes the Data Protection Act 1998 (DPA), which every UK organisation that processes or stores personal data must currently follow. The GDPR is the result of many years' work by the EU to bring data protection law up to date with the ways data is collected and used today. It brings much heavier fines for non-compliance and for data breaches (up to €20 million or 4% of worldwide annual turnover, whichever is higher), clearer rules and, most importantly, more control for individuals over the data that organisations hold about them, including what those organisations may do with it.

The GDPR defines personal data as any information relating to an identified or identifiable natural person: a name, contact details, location data and online identifiers such as an IP address all qualify. Information that identifies only a company or other legal entity is outside its scope.

What to expect

What does this mean for businesses online? We expect the following to become commonplace in the commercial digital landscape over the coming months:

  • Positive opt-in - pre-ticked marketing opt-in checkboxes are already less common on websites, and under the GDPR they will disappear altogether: where consent is the basis for processing, it requires a clear affirmative action by the user. Pre-ticked boxes, silence, inactivity or any other form of default consent do not count.
  • Double opt-in consent - where consent is the lawful basis, the GDPR requires the organisation to be able to demonstrate that the individual consented, and to tie that consent to the person whose data is being processed. Double opt-in is the recommended way to make consent recordable and auditable. In a double opt-in flow the user first submits their email address (to join a mailing list, for example) and then confirms the request by clicking a link emailed to that address. The click proves that whoever submitted the form controls the mailbox (it does not, by itself, prove their real-world identity), restates what the data will be used for, and produces an audit trail: what was asked, when, and when it was confirmed. Confirmation links that are unsigned, never expire or can be replayed weaken that evidence, so the token in the link should be signed, time-limited and single-use.
  • Granular consent - blanket consent covering several purposes is not valid under the GDPR; consent must be given separately for each purpose. A single opt-in covering email, SMS and postal marketing, for example, becomes three separate checkboxes, and each must be recorded separately. The ICO states that “consent means offering individuals real choice and control”, so expect individuals to be given far more choice over how their data is processed.
  • Re-consent - many organisations hold existing mailing lists that do not meet the GDPR's stricter standard of consent. In the run-up to 25 May expect emails from organisations asking you to refresh your consent and marketing preferences before the new rules apply. Perhaps refreshing consent is something your organisation needs to do? It is also worth noting that consent is only one of six lawful bases for processing personal data under the GDPR, so consent is not always required. In particular, where an individual's details were obtained in the course of a sale of products or services and they were given the chance to opt out at that point, consent is not required: the existing e-Privacy rules (PECR) [https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/] that govern electronic marketing continue to allow first-party e-marketing to be sent on an opt-out basis (the so-called soft opt-in), although the GDPR's other obligations, such as transparency and data minimisation, still apply to that data.
  • More explicit consent statements - personal data may only be used for the specific purposes stated at the time it was collected. As well as rewritten privacy policies, expect to see consent statements separated out from the general terms and conditions and displayed alongside data capture forms. These statements will set out more clearly what data is collected and why, how and for how long it will be stored, and which third-party processors will handle it. Keep every version of the wording, with the dates it was in force, so that each consent record can be tied to the exact statement the individual saw.
  • Simplified data capture - a core principle of the GDPR is data minimisation: collect only what is needed for the purpose at hand. Expect data capture forms to shrink. Fields such as racial or ethnic origin (special category data, which may only be processed under one of the specific conditions the GDPR lists) will be removed unless there is a genuine need, and fields such as gender dropped wherever the purpose does not require them. Website owners may even benefit: users are more likely to complete a form that asks for less.
  • SSL/TLS certificates - the use of HTTPS is growing rapidly across the web and we expect this to continue as organisations work to protect the personal data their websites collect and store. Buying a certificate is only the first step: the server should offer modern TLS only (the SSL protocols and TLS 1.0 are obsolete), redirect all HTTP traffic to HTTPS and send an HSTS header, and data at rest still needs protecting separately.
  • Two-factor authentication (2FA) - the GDPR obliges organisations to apply appropriate technical measures to secure the websites and systems that process personal data. 2FA goes beyond a username and password by requiring a second piece of evidence, such as a one-time code from an authenticator app, a hardware security key or, at minimum, a passcode sent by text message (SMS is the weakest option, since codes can be intercepted or a number SIM-swapped). We expect content management systems and other online applications to build in such controls as standard, particularly for administrative accounts that can view or export personal data.
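The double opt-in and granular consent points above describe a procedure rather than code. The following is an added example of that procedure, written for this article and not taken from any product or mailing-list provider: a confirmation token that is signed, time-limited and single-use, and an append-only ledger with one record per person and per purpose that also notes which version of the consent statement the person saw. The purposes, statement version name, secret key, email addresses and IP addresses are constructed for illustration.

```python
"""Double opt-in consent with a signed, single-use confirmation link and an
append-only, per-purpose consent ledger. Added example: the service, purposes,
secret key and sample sign-up below are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed key for the example. In production load it from a secret store.
SERVER_KEY = b"example-only-key-replace-me"
TOKEN_TTL_SECONDS = 48 * 3600

# Each purpose is consented to, and recorded, separately (granular consent).
PURPOSES = {"email_marketing", "sms_marketing", "postal_marketing"}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email, purposes, nonce, expires_at):
    """Build the opaque token carried by the confirmation link.

    The signature covers the email, the purposes, the nonce and the expiry,
    so a tampered link cannot widen or extend the consent that is recorded.
    """
    purposes = sorted(set(purposes))
    if not purposes or not set(purposes) <= PURPOSES:
        raise ValueError("empty or unknown purposes")
    payload = json.dumps({"email": email, "purposes": purposes,
                          "nonce": nonce, "exp": int(expires_at)},
                         sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def verify_confirmation_token(token, now):
    """Return the signed claims, or None if the token is malformed, forged
    or expired. Constant-time comparison avoids leaking the signature."""
    try:
        body_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    claims = json.loads(payload)
    return None if claims["exp"] < now else claims


@dataclass(frozen=True)
class ConsentRecord:
    """One row per (person, purpose): the evidence the controller keeps."""
    email: str
    purpose: str
    statement_version: str  # which consent wording the person actually saw
    requested_at: int
    confirmed_at: int
    confirmed_from_ip: str


class ConsentService:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # nonce -> (statement_version, requested_at)
        self.ledger = []    # append-only; never rewritten or deleted

    def start_signup(self, email, purposes, statement_version):
        """Step 1: form submitted. Nothing is consented yet. Returns the token
        to embed in the emailed link, e.g. https://example.test/confirm?t=..."""
        nonce = secrets.token_hex(16)
        requested_at = int(self.now())
        token = make_confirmation_token(email, purposes, nonce,
                                        requested_at + TOKEN_TTL_SECONDS)
        self.pending[nonce] = (statement_version, requested_at)
        return token

    def confirm(self, token, client_ip):
        """Step 2: link clicked. Records one ConsentRecord per purpose and
        returns them; returns [] for a forged, expired or already-used link."""
        claims = verify_confirmation_token(token, self.now())
        if claims is None or claims["nonce"] not in self.pending:
            return []
        statement_version, requested_at = self.pending.pop(claims["nonce"])
        confirmed_at = int(self.now())
        records = [ConsentRecord(claims["email"], p, statement_version,
                                 requested_at, confirmed_at, client_ip)
                   for p in claims["purposes"]]
        self.ledger.extend(records)
        return records

    def has_consent(self, email, purpose):
        """Check before every send: consent is per person and per purpose."""
        return any(r.email == email and r.purpose == purpose
                   for r in self.ledger)
```

The nonce is what makes a link single-use: once `confirm` pops it from `pending`, replaying the same link records nothing. Withdrawal of consent would be a further append-only entry rather than a deletion, so the history of what was agreed, and when, survives.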

Disclaimer

The GDPR is not an exact science and the impact of compliance will vary considerably from one organisation to another. This article is merely a prediction of the compliance action we expect to see over the coming months leading up to the 25 May deadline. It does not represent legal advice and should not be treated as a compliance checklist. Furthermore, the GDPR goes far beyond the topics covered here, and we recommend taking advice from both a GDPR expert and your legal team.