GDPR in 10 minutes
Image credit: https://www.pexels.com/photo/wall-clock-at-5-50-707582/


I saw someone on LinkedIn ask for people to explain GDPR to them in 20 minutes.

I've been deep in this topic for the past year and a half, so I thought I'd try to pull out the most important points in a 10 minute read.

GDPR is essentially trying to make data protection more important, and to make sure companies keep your data safe. A couple of years back a web hosting company was fined £400k after it took over another company and left that company's customer data on a server that no one was paying attention to; the server got hacked multiple times. In another case a lawyer backed up her machine, and files relating to children and court cases ended up in the cloud, publicly accessible and indexed by Google. GDPR is trying to stop this kind of thing from happening again.

Data controllers (e.g. you hold customer details in your database and decide what they are used for) need to be able to show they are taking data protection seriously. Good first steps would be getting a cyber security accreditation, making sure there is a culture of stewardship across the company, and training staff in data protection: always locking screens when away from desks, using 2FA for email and CMS accounts, not storing customer data on laptops, using strong, unique passwords kept in a secure password manager, clean desk policies, and so on.

Also, if you are a data controller you need to make sure any data processors you use (e.g. Mailchimp or AWS: companies that store or move your data on your behalf but don't own it) are aware of and adhering to GDPR, because as the controller you are responsible for what they do with the data you give them.

GDPR also introduces new rights for individuals. The most important is probably the 'right to be forgotten' (the right to erasure). In most instances you now have a right to have your details removed from a company's database. I say in most instances because clearly if you have just taken out a £100k loan you can't then go to the bank and ask to be forgotten: the bank has a legitimate reason to keep your details (it wants the money back from you).

You've probably also seen a million repermissioning emails floating around asking you to stay on mailing lists. If a company asked permission to send you newsletters correctly in the first place, then in theory it does not need to repermission (please note this is not legal advice). 'Correctly' means it stated, and recorded your consent to, all of the following:

Who is sending the email?
What is processed (e.g. your contact details)?
What is sent (e.g. the latest stories)?
How (by email)?
Your right to opt out.
A link to the privacy policy.

AND no boxes were pre-ticked, AND no single box bundled multiple consents (e.g. 'by clicking the purchase button you agree to receive our newsletter and agree to our T&Cs' would be bad!). So a bare 'Sign up to our newsletter' would not have been compliant, but an empty tick box with a message next to it reading 'I'd like Company to use my email address to send me the latest stories, opportunities and tips. I know I can opt out at any time. See our Privacy policy.' would be much better.

Making sure you have all the correct policies and procedures in place is really important. We have about 60 policies (things like business continuity, document retention, shared office policies etc.) which we've developed to ensure a culture of 'privacy by design' across the business, something GDPR is really hot on.

Finally, you've probably heard that the fines have increased. This is true: they go from a previous maximum of £500k to €20 million (about £17 million) or 4% of global annual turnover for the preceding financial year, whichever is higher. So the company above that was fined £400k could in theory have been fined £73.5 million. Again, this is not legal advice, but I think these mega fines will be reserved for extreme situations like the large American consumer credit reporting agency that had a big breach last year. For sending emails to people you shouldn't have, the fines are likely to remain in the tens or hundreds of thousands, but of course these are going to be the easiest 'breaches' for people to report to the ICO, which is why you are probably seeing all the repermissioning emails floating around now.

Hopefully you got through that in 10 minutes. There is a lot more to this topic of course; if you do want to delve deeper, here are links to some articles I've written:

GDPR: https://www.mindtheproduct.com/2017/11/gdpr-who-should-be-your-data-protection-officer/

Data protection: https://www.mindtheproduct.com/2018/03/data-protection-prepare-gdpr-creating-culture-stewardship/

GDPR readiness: https://www.dhirubhai.net/pulse/gdpr-readiness-owen-wallis/

Lorraine Allman

Ecopreneur, Author, Educator. Winner of The Pitch 2024 People's Choice; GBEA Sustainability Entrepreneur of the Year finalist; #SBSWinner; Runner-up Women's Business Awards (Sustainability); IEMA and IES Associate member

6 years ago

One of the most straightforward explanations of GDPR I've seen, thank you!

Lucie Robinson LLB (Hons), PMP, MSP, BBC, CCMP, PRINCE 2, AGILEPM

Unlocking Potential | Building Teams | Transforming Cultures.

6 years ago

Fab explanation Owen, as always!

Thanks for sharing this excellent, easily understood snapshot of what impact GDPR will have on running a business.
