Hold onto your seats, I’m going to take you through the wild world of the General Data Protection Regulation (GDPR). Merry Christmas 😉.
All joking aside, if you are subject to EU data protection law then GDPR will affect you.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA, i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
What counts as personal data?
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
This affects many types of online cookie and advertising businesses so it is important your compliance teams are up to speed as the cookie can represent a form of “identifier”.
If the data you collect is anonymous and cannot be tied to an individual, then you should be ok.
What is “sensitive personal data”?
“Sensitive Personal Data” are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).
Rec. 10, 34, 35, 51; Art. 9(1)
This does not affect the vast majority of businesses, as such data is outside of what they do.
A key area to delve into is that of “pseudonymous data”.
Pseudonymous data can be defined as:
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a “key” that allows the data to be re-identified. A good example of pseudonymous data is coded data sets used in clinical trials.
How does GDPR affect pseudonymous data?
Pseudonymous data are still treated as personal data because they enable the identification of individuals (albeit via a key). However, provided that the “key” that enables re‑identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower, and so the levels of protection required for those data are likely to be lower.
Pseudonymisation of data provides advantages. It can allow organisations to satisfy their obligations of “privacy by design” and “privacy by default” and it may be used to justify processing that would otherwise be deemed “incompatible” with the purposes for which the data were originally collected. In addition, the GDPR explicitly encourages organisations to consider pseudonymisation as a security measure. Source
The above is particularly important and extremely relevant to those that operate online. As an organisation you need to be clear why you are collecting the data. Does it improve the customer experience, make the service offering better or some other reason?
You need to be explicit what you will use personal data for and make sure it is transparent.
The obligation to ensure that personal data are not excessive is replaced by a more restrictive obligation to ensure that personal data are “limited to what is necessary”. Organisations will need to carefully review their data processing operations to consider whether they process any personal data that are not strictly necessary in relation to the relevant purposes.
In short, you need to get consent from your users and customers. For a lot of companies this can be easier said than done.
However, at Loyalty Bay we believe we have a way that can benefit both the business and the customer giving consent. Consumers these days realise that their data is valuable, so why not reward them for it? Make use of the basic psychology principle of “reciprocity”:
“I will scratch your back if you scratch mine”
Imagine you want a user to “opt in”: why not offer them a reward or incentive to do so? That way everyone wins.
Please feel free to get in touch so we can explain how we may be able to help your organisation.
I owe a huge hat tip to White and Case for helping clarify and digest GDPR. Do check out their website for more detailed explanations.