Amongst the many other things I am responsible for, I am Culture Republic’s Data Protection Officer (or ‘DPO’). This means I am registered with ICO and I am responsible for ensuring that we are compliant with data protection legislation.
What is GDPR?
GDPR is European Union legislation. It is not a wholesale change to data protection regulation, but builds upon the current regulation to make it fit for purpose in today’s society. GDPR will be enforced as of 25th May 2018. Not long now!
Even though it’s European Union regulation, Brexit will make no difference. Firstly, because GDPR will be implemented before Brexit is implemented. After Brexit, the UK government will be responsible for the legislation, but ‘equivalency’ – any country that wants to do business in the EU or with countries in the EU must have equivalent legislation – will mean it probably won’t look much different to GDPR.
For anyone not familiar with the data protection regulator, they are the ICO (Information Commissioner’s Office). The ICO publish a blog with interesting insights and information and you can also sign-up for the ICO newsletter.
Why is GDPR necessary?
The Data Protection Act came into effect in 1998, but a lot has changed since then. Here’s a reminder of what technology looked like in the 90s.
There have been huge advances in technology in the past 20 years. You can tell by the numbers reported in the video above that there’s been a huge growth around the world in the use of the internet. What’s gone along with that is use of ‘Big Data’, using analytics to gain insights into what people are doing when they’re online. This has enabled greater sophistication in marketing in terms of personalisation of messages and channels.
why is GDPR important?
Start by forgetting your professional capacity for a moment and think as an individual. Data protection legislation regulates the use of our personal data as adult individuals or data subjects as the legislation refers to us. To make this real, lets think through a few a simple examples of how an organisation’s data practice important to us as individual ‘data subjects’.
Think of a time you have been on the receiving end of nuisance phone calls, spam emails or, in the worst case scenario, identity fraud. If our personal data is not treated with care, the risk of negative things happening increases. And that’s just for adults. The risk for children and vulnerable people is even greater. Therefore, there is quite specific guidance on children under GDPR.
The trick is to translate these into specific things. These fall into two categories – personal and sensitive personal data.
Personal: Name, Email Address, Telephone number, Date of Birth, Identification numbers – such as National Insurance numbers, NHS CHI numbers (GDPR also takes into account online identifiers such as your IP address and cookie data) or Location – GDPR also makes allowance for location data. Think about the implications (both good and bad) of your mobile device tracking and sending your location data.
Sensitive Personal (or ‘special category’): Gender, Ethnicity, Criminal record, Physical / mental health, Political / religious beliefs, Trade union membership or Sexuality.
Why the distinction? Though this isn’t an exhaustive list, sensitive personal data are the types of data that can be used to discriminate against individuals, so a greater level of care should be taken over this type of data.
Why is your organisation holding information? Why is it important to your organisation to protect the data of your patrons? What do you risk if you fail to protect people’s data?
As an organisation, your success depends on attracting as many people as possible. Excellent data practice (which is what GDPR is pushing) builds confidence and trust in your organisation from the individuals who make up your audiences.
The benefits to increased confidence and trust are you increase the likelihood that individuals will engage with you and your products and services. That is good in every way, whether your business is bums on seats, visitors through doors, services rendered or products sold.
You increase the likelihood that individuals will engage with you.
Plus, excellent data practice enables your organisation to understand the individuals who make up your audiences and understand those who don’t. This gives you the foundation to create the mechanisms you need to connect and engage with these people accurately and appropriately.
How to tackle GDPR
Start by thinking about two principles: Accountability and Transparency.
In response to this principle, we at Culture Republic recommend a three-step data journey to assist organisations on their path to accountability.
- Take the test – We created a quick-fire survey in collaboration with the ICO that gives you instant feedback on your current position with GDPR.
- Data audit – This is the really important one, the meat and potatoes, we’ll look at this in detail next.
- Use and enrich your data – once you have your data in order, the products and services that we can offer to help you understand your audience.
It is almost impossible, or certainly far more difficult, to do any of the things that GDPR requires you to do if you don’t know what data you hold – how it’s collected, where it lives, what format it’s in or who is responsible for it. An organisation-wide data audit, will help you understand all of this. Our data audit template is a three-step process:
Step 1 – The Data Asset Inventory is where you list all of the data assets that you have:
- The asset name
- Who is responsible for it
- Where it lives
- What format it’s in
- How important it is
Step 2 – The Detailed Audit. Once you have your inventory complete, you can then move on to auditing each asset individually.
Step 3 – The Data Processing Record. Additionally, once you’re asset audits are complete, it is very important to record your processing activity. Part of this is determining the lawful basis for the processing activity, which is important when you get to transparency.
Building your data audit is not a one-off task, it should be periodically reviewed and revised.
Do note: If your organisation has less than 250 employees, you do not have to record every processing activity, only those that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.
Your processing activities may span multiple data assets. Building your data audit is not a one-off task, it should be periodically reviewed and revised.
- your intended purpose/s for processing the personal data
- the lawful basis for processing the data
During your data audit you will have recorded the lawful basis you are using for the collected data, therefore you will be able to articulate this in your privacy notice.
Additional GDPR Responsibilities
A data audit is the key tool here as it will enable you to fulfil these responsibilities: Subject Access Requests; right to be forgotten; retention policy and your data breach procedure. Data processors should also consider the data they hold in contracts or agreements, which includes membership agreements.
Subject Access Requests happen when a data subject requests confirmation of all of their data held by your organisation.
Consider how your organisation would respond to a subject access request right now. Would you know where to look? It’s vital that you know your data assets in order to facilitate this.
Again, consider how your organisation would respond to an erasure request right now. Would you know where to look? It’s vital you know your data assets in order to facilitate this.
Finally, consider how your organisation should implement a retention policy. It’s vital you know your data assets in order to facilitate this.
Just when you thought it was safe to think about one piece of legislation, along comes another! This is not new, the Data Protection Act is partnered with the UK Privacy and Electronic Communications Regulation 2003, otherwise known as ‘PECR’. PECR will be replaced by the ePrivacy Regulation, currently in draft status. The original plan was for both GDPR & ePR to launched at the same time, but this will not happen, there is currently no timetable for ePR.
The direct marketing channels that relate to PECR and ePR are: email, text message and automated phone calls. Those that are not regulated by PECR or ePR are post (but you must respect individuals’ wishes expressed through the Mail Preference Service) and live phone calls (but you must respect individuals’ wishes expressed through the Telephone Preference Service).
There are six lawful basis to process personal data:
- Consent – The person has consented to you keeping or using their data.
- Contractual – Keeping or using someone’s personal data is required to fulfil a contract between them and your organisation.
- Legal Obligation – Your organisation needs to keep or use personal data in order to comply with the law.
- Vital Interests – Keeping or using someone’s personal data is necessary to protect the vital interest of them or somebody else.
- Public Task – Your organisation needs to keep or use someone’s personal data to perform a task that is in the public interest.
- Legitimate Interests – It is in your organisation’s and the person’s legitimate interests for your organisation to keep or use their personal data.
It’s important to note that these basis are applicable across all your activity, not just direct marketing. There is no basis less or more important than another. You must decide which one is most appropriate to the processing activity.
If you choose consent keep these tips in mind.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes.
- Be clear, concise, specific and granular.
- Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
- Keep evidence of consent – who, when, how, and what you told them at the time.
- Keep consent under review and refresh it if anything changes.
- Make it easy for people to withdraw consent and tell them how.
Many cultural organisations are currently processing data based on consent, which means that this is where a lot of activity and/or reconsideration is taking place.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. With that in mind, there are three elements to the legitimate interests basis recorded as a Legitimate Interests Assessment (LIA). You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
Knowing your data inside-out enables organisational accountability, which in turn enables you to do the other necessary things you must do to be GDPR compliant – SAR, erasure, retention, breach – which in turn enables you to be transparent about how you handle personal data.
Once you have your data ducks in a row, then you can get to the fun stuff, using the data for audience development! Excellent data practice enables you as an organisation to understand the individuals who engage (or don’t engage) with your services and take data-informed decisions on how to tackle your organisations’ audience engagement goals.
Finally, a few disclaimers
- I am not a lawyer, as such my advice does not come from a legal standpoint.
- I am not affiliated in any way with the data protection regulator, the Information Commissioners Office, and as such my advice does not come from a regulatory standpoint.
You and your organisation will still be responsible for your data management decisions, even if you base your actions on this advice.