Publishers! Here’s some help to get you GDPR ready
You might be forgiven for thinking that the GDPR somehow snuck up on us unawares in the last few months, but this legislation has been years in the making. There are now less than 240 days to go until it comes into force and many publishers are finding themselves drowning in information, advice and offers of expensive services.
Cutting your way through all of this noise to work out what is both important and imperative is not easy, so where exactly do you need to start?
Firstly, a little background. The GDPR sits within legislation created to facilitate the Single Digital Market. It has been created to harmonise data protection practice in a digitally agile world with an ever increasing number of communication channels. It covers all organisations that are based in the European Union, or that target, or appear to target, EU Residents.
The GDPR also comes into force at a time when consumers are asking organisations not just to operate within the letter of the law, but also to do what is right. Individuals want a greater control on the things they believe belong to them, i.e. data, and therefore the GDPR focuses a great deal on intent, responsibility and particularly accountability.
There are some core concepts which you need to understand and adopt as part of the legislation: Data Protection by Design charges you to consider data when you begin thinking about offering a product or service; Data Protection by Default is a requirement to put these data protection by design protocols right at the heart of your business, so that your employees, contractors and suppliers cannot help but protect the data you manage; Data Lifecycle Management Plan incorporates both of these to ensure that data protection is always front of mind.
But mostly, remember that you are now considered to be the custodian of data, not the owner since the GDPR puts the ownership of the data squarely back into the hands of the person it belongs to.
With this in mind you need to find somebody in your business who is willing to become your data protection champion. They need to be a robust individual because they are going to tell you, and other people within your business who are resistant to change, things that you might not want to hear. You will need to listen to what they have to say and you need to give them the tools they require to do the job, whether this is specific training, additional manpower or expert support. You will need to evaluate their advice and take appropriate actions.
Next, you need to find your data, because fundamentally you can’t protect something if you don’t know how much of it you have or where it is kept. You must conduct a data audit across your entire business. This includes a data inventory and a data mapping exercise and should encompass employee as well as commercial data. If, like many publishing companies, you have data spread far and wide: in cloud storage, on laptops, on servers etc. it isn’t going to be easy.
Once this is done you must get into the habit of keeping data in a single location, preferably in a machine readable format such as a CMS system or SQL database that can be easily transferred, with appropriate access control and password protection. Not least because you are going to have to maintain a level of record keeping hitherto unknown, including records of data transfers, data recipients, your legal basis for processing, subject access requests and retention periods. You can’t do this on a spreadsheet.
Data security is brought into clear focus by the GDPR – both in terms of the technology you use to manage data and the physical security you put around it. You need to pay particular attention to the latter because the Network and Information Systems (NIS) Directive also becomes law across the EU next May – another piece of regulation to add to your list!
Mandatory breach notification will be required in certain specific circumstances, so the way in which your employees, suppliers and partners access data also needs careful consideration. You need to evaluate how and where your employees access data (including emails), whether you need to update BYOD policies and assess the security of your devices, i.e. encryption. Think about whether you have created an environment where it is possible, or unintentionally permitted, for individuals to walk away with your data.
Walk backwards and you can start this process by to working out who really needs access to data; when they need to access it; how much of the data they need to see; who should be able to export it; and having a clearly communicated mechanism for recording all of these factors. Never, ever send un-encrypted spreadsheets of data via email.
Any conversation about GDPR often starts around permission and consent particularly in the publishing industry, and especially with businesses that monetise data. We have already established that this is no longer a tick box exercise, not least because the GDPR formalises the concept that you have to elect a basis for processing your data, something which most publishers have not had to do before.
There are six legal bases for processing within the regulation; the three which apply to the publishing industry are contract, consent and legitimate interest.
Contract is where data is given to you to fulfil an order.
Consent is where somebody is giving you permission to take a defined action with their data. This permission needs to be specific, freely given, informed and unambiguous.
Legitimate Interests can be used where there is an existing client relationship and where you have done a balance of interests test called an LIA.
The LIA should establish, in a fair manner, that there is a mutually beneficial relationship between yourself and the data subject, with both of you benefiting equally or the data subject benefiting more from the relationship. Common consensus is that wherever possible, you should aim to make Legitimate Interests your main basis for processing.
However, you need to remember that all aspects of a relationship with a data subject may not be processed under the same basis. This is a complicated concept. For example a magazine subscription could be managed under legitimate interest but you may want to send a third party email to one of your subscribers and this should be processed under consent.
To have effective data lifecycle management it is important to be clear in your mind how you are collecting your data, how it enters, leaves and moves around your business, what you can use it for, who you disclose it to and how long you are going to keep it for. This requires both a practical and clearly documented process for the purposes of the legislation. Going back to data security, if you aren’t keeping your data in a single, formal location, to comply with these terms you could find yourself with a very labour intensive – and potentially error-strewn process.
Becoming GDPR isn’t going to be a quick or one-time fix. It is going to take you until next May to go through all the legislation’s nuances and how it will affect every part of your business. Despite BREXIT the UK is going to need to adopt any and all changes to participate in the European digital economy, so data protection issues are going to be an ongoing part of your business for the foreseeable future, so you need to be paying attention.
Remember – be open with yourself and your customers about what you do. If you are too afraid to say what you are doing with your data then you shouldn’t be doing it. Understand the legislation and get help if the task seems too large.
The ICO is looking to organisations to be thoughtful, knowledgeable, responsible and most importantly accountable about their data practices. It’s a major step change for the publishing industry, but one it is more than capable of embracing.