Demystifying GDPR – Question and Answer session
As part of our new series of Michael Page webinars we were joined by a panel of industry-leading experts to explain and discuss the impact of GDPR and what it means for your business.
Ian Moyse is UK Sales Director at Natterbox Ltd and Non-Exec Board Advisor at Assuredata Ltd, a GDPR training firm. Louis Botha is Director of Information Security at PageGroup and a GDPR specialist.
Q. There has been lots of talk about ‘compliance’, but as I understand it there is no proactive way to be considered compliant?
A. Louis Botha: Whilst no organisation can be 100% compliant – mostly because key areas of interpretation have yet to be clarified by the regulatory bodies – there is a lot you can do to bring your organisation closer to compliance. The best approach is to do whatever you can to comply with the areas that are clear, ask advisers for their advice on areas that you are unsure on and be prepared to change your approach and plan should new information come to light which clarifies areas that are not completely clear today.
A. Ian Moyse: To a degree you are correct, there is no certification or sign off from a professional body to show that you are in compliance. What you can do is put in place data principles, documentation, processes and training which will demonstrate that you are compliant and have done all possible to adhere to the GDPR requirements.
Q. What is the definition of personal data in this context? If, for example, a list of names is leaked, is that considered a breach?
A. Louis Botha: Identifying what is personal data can be tricky at times as it could be anything, either by itself or in combination with other data or context, which identifies a living individual. Context is very important though, and in breaches it is also important to consider the level of risk. For example, if it is simply a list of names which was leaked, the context is all important. A list of the members of your local cricket club is unlikely to cause any damage. However, the loss of a list of the children who attend a special needs education workshop is likely to cause distress.
A. Ian Moyse: Personal data is that which identifies a human being as being an individual. In the UK the ICO has documentation which lists what is considered to be personal data.
Q. Do photographs count as personal data?
A. Ian Moyse: The GDPR states that IP addresses, IMEI (mobile phone identifiers) and possibly photographs can be considered personal data. Photographs where individuals are clearly identifiable, are tagged or where personal data is labelled, or which can be searched online for a match, may be considered personal data and therefore fall under the GDPR.
Q. Do historic databases have to be deleted if specific permission to hold the data has not been received?
A. Louis Botha: It depends on how the data was originally gathered and what exactly you are doing with it. Consider that there are a number of legal bases other than consent which permit you to process personal data. In some examples you could look into citing ‘legitimate interests’ as an alternative to consent. If consent is truly the only legal basis of owning the data, and you did not gain consent within the guidelines of the GDPR, you will have to ask for consent again in the correct way, or delete the data.
A. Ian Moyse: You are unlikely to have lifetime use and storage of an individual’s data. If they gave you consent or inferred consent (for example, submitted a CV three years ago) you do not have the assumed right to continue to store and use it. If you are working with aged databases you will be required to re-gain consent from each individual whose data you hold.
Q. We store reasons for sickness absence, and believe that there is a legitimate business reason to do so. The system is properly protected, but in terms of the GDPR is this OK?
A. Louis Botha: Always check with your legal counsel as there may be specific circumstances which we are not aware of. Article 9 of the GDPR states that you are not allowed to retain health data unless one or more of the following conditions apply:
(a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
(b) Processing is necessary for the purposes of carrying out the obligations of the controller or of the data subject in the field of employment and social security and social protection law.
(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or pursuant to contract with a health professional.
Bear in mind that EU member states may introduce further conditions, including limitations, with regard to the processing of data concerning health and wellbeing.
Q. Supplier master data – I can’t seem to find a straight answer as to whether vendor contact details fall under the remit of the GDPR. For example, ‘[email protected]’ is in my master file – does that count as being able to identify a person?
A. Ian Moyse: In this case the email address does count as it is unique to an individual and identifies them. It comes down to what other data you are storing in relation to that email address, i.e. the emails themselves being archived or there being notes in your CRM system against them. However, if that email address is publicly available, such as attributed to a LinkedIn profile, it could be deemed in the public domain and therefore exempt.
A. Louis Botha: Under GDPR, email addresses which identify an individual, such as this one, are classed as personal data as they are deemed ‘online identifiers’ as per Article 4. Shared mailboxes such as ‘[email protected]’ would not be covered as they are likely shared by several team members and would therefore not identify an individual.
Email is often a problem area as it frequently exists alongside personal data. Sending any data over unencrypted email would not be good practice. However, consider implementing server-to-server TLS encryption, which is standard across most email platforms nowadays.
Q. If my business’ customers are other businesses rather than individuals, how does this impact our approach to compliance?
A. Louis Botha: Legal persons (i.e. companies) are not covered under GDPR. In this case your customers (the businesses) are not covered, but the individuals working for them would be (as per the question above).
A. Ian Moyse: GDPR relates to storing information about an identifiable individual. There remain other laws and data regulations about processing business data you hold, but not in the GDPR specifically. If you hold confidential financial information on a business you are still obliged to protect it. GDPR is focussed on consent and the rights of the individual data citizen.
Q. Is the use of Dropbox considered in breach of GDPR?
A. Ian Moyse: By definition, the use of Dropbox, Box.net, Google Drive etc. does not breach GDPR. Cloud storage and sharing can readily be used. The consideration is what data is stored and under what security conditions. Consider whether you provide a corporate sharing account and provide guidance and training to staff to only use this, what they can store in it, etc.
Shadow IT relates to where employees are using these storage mediums unknown to the company and are putting sensitive data into them. This puts your business at risk and in non-compliance, as personal data is being stored in unprotected, unknown locations.
Q. As an SME, how does this regulation impact the way in which we are able to communicate and market to our prospect database of 35,000 records?
A. Ian Moyse: It really depends on how clean your data is and how recently, if at all, you have recorded consent to mail them. I would suggest sharing a new opt-in with each of them as soon as possible – perhaps a highly informed, value-driven campaign including a call to action to opt in for further similar communication. This article is a great resource on small businesses and GDPR.
Q. Will marketing campaigns breach the regulations?
A. Ian Moyse: Possibly, and if you don’t review your data and processes, very likely! GDPR contains far more detail than before on the right to use data, how long for, what you do with it etc. For example, you can no longer automatically add someone to your mailing list. Further to that, you can no longer opt them in to broad sharing of their data; previously you may have had a tick box stating ‘we may share your information with third parties’ – under the new regulation you will need to list separately all those companies and allow the individual to opt in or out to each one separately. You must also provide an easy method to opt out of each at any time.
A. Louis Botha: The whole purpose of GDPR is twofold: to harmonise data laws across Europe, and to protect citizens’ privacy in an environment where their data is being processed in increasingly complex ways. It is not intended to place barriers on marketing campaigns. It will, however, give individuals enhanced rights to object to unscrupulous marketing campaigns, and give regulators ways to penalise those companies who abuse personal data. Pay particular attention to the new E-Privacy Regulation, which specifically talks about personal data in a marketing context.