Author

Clare Harman Clark

Senior counsel

20 May 2018

GDPR - all you need to know about the new data protection rules

GDPR imposes strict rules on how businesses handle customer data – but that doesn't have to be a bad thing, as Clare Harman Clark writes in EG.

Data protection is not necessarily the first thing you think about when you consider your real estate assets, but our ability to harness smart technology and collect data on the people who use our bricks and mortar is changing the way we use and monetise square footage. Tech can help us drive efficiencies, increase sustainability and generate opportunities for new income streams and business analytics – but as fast as our ability to collect data is expanding, so too is the regulatory framework.

The General Data Protection Regulation comes into force on 25 May this year, giving individuals the right to sue anyone who holds their data and doesn't deal with it properly. It represents a seismic shift in UK data protection law, currently enshrined in the Data Protection Act 1998. Designed to "harmonise" data privacy laws across Europe, it gives far greater protections to individuals while increasing accountability in all those holding data.

The risks for retailers are perhaps more obvious than in other sectors, but you don't have to be customer-facing per se – everyone involved in holding, controlling or occupying property will be affected by the need to hold and process personal data in accordance with the regulation, and the consequences for not doing so are considerable.

Key features of the GDPR

What does it do?

Essentially, the GDPR comprises 99 articles that provide increased data protection rights for individuals, increased obligations on data controllers and, for the first time, some obligations imposed directly on data processors.

What is the difference between a data processor and a controller?

While a controller determines how and why personal data is processed, the processor is the entity actually obtaining, recording, adapting or holding it on the controller's behalf. GDPR affects controllers and processors of personal data.

What is personal data?

Basically, any data unique to an individual that can be used to directly or indirectly identify them. It might be collected piecemeal or via an automated process. Look for obvious identifiers (eg names, photos, addresses, e-mails, social media posts, dates of birth) and less obvious ones (eg cookies/beacons, IP addresses). GDPR introduces the concept of pseudonymised data (ie data where it is still possible to identify someone by a pseudonym), and look out for the special category of sensitive personal data, which attracts even greater protections (eg trade union membership, religious beliefs, sexual orientation).

What constitutes consent from a data subject?

The conditions for acquiring consent for processing personal data are strengthened by GDPR. Requests for consent must be accessible, explicit and unambiguous, so that the data subject understands what it is consenting to. This most likely means "opt in" must be given, especially where sensitive personal data or marketing permission is involved. Key to this is assessing the appropriate grounds that legitimise the data processing. GDPR does not mean that consent is always required, but it does demand transparency.

What are the consequences of breach?

There is a tiered approach to fines for breach. For the most serious infringements (eg obtaining inadequate consent) the maximum fine can reach 4% of annual global turnover or €20m (whichever is greater). Less serious breaches (eg failing to make data breach notifications) can still attract fines reaching 2%. To put these figures in context, the current penalty tops out at only £500,000.

But what about Brexit?

For the time being, GDPR is a regulation under EU law, which means it bites in the UK without the need for any enabling legislation. Moving forward, of course, Brexit is lumbering over the horizon, but the UK is in the process of implementing its own new Data Protection Bill. While there are small concessions to protect the media and scientific researchers, among others, this largely covers the same GDPR provisions. The bill is a work in progress, however, so it is eminently sensible to work towards full GDPR compliance.

Building trust

In February, the information commissioner, Elizabeth Denham, delivered a keynote speech at the Direct Marketing Association's Data Protection Event 2018. She stressed that the Information Commissioner's Office is focused on public education and called on UK organisations to take a "collaborative approach" to data protection reform. With a secure plan for GDPR compliance in place, the risk of those headline fines recedes and the data protection revolution seems capable of strengthening our relationships with customers and engendering trust in data-driven environments. In that sense, for customer-facing businesses with the right approach, GDPR could be an opportunity as much as a challenge.

Five steps to GDPR compliance

Step 1 – Increase awareness and project scoping

The key to effective GDPR awareness is in ensuring your organisation's movers and shakers are engaged. This will likely mean talking to individuals in customer data collection teams, HR and IT, as well as governance & risk professionals. Consider where you act as a processor or a controller, or where (to date) you have subcontracted processor responsibility, eg within a supply chain.

Step 2 – Building a data inventory

Consider the personal data you collect either accidentally or by design to ensure that you have properly compiled and documented a full data inventory. Establish where data comes from, who it is shared with, and who it is sold to.

In the context of traditional building management and security, you might retain the contact details of key holders and the financial references for licensees or franchisees; reception staff might collate records for car park use or the names of third party visitors and meeting attendees.

Using sophisticated retail analytics to track shopper movements creates more obvious GDPR compliance issues, but think also about smart technology drivers for sustainability and efficiency. You might be collecting data on energy usage for example, which tells you how people move around a building, or whether they like the air to be hot or cold. The use of employee apps or smart cards in some buildings will record a user's lunch or coffee preferences as well as their thermostat settings.

Some companies are inadvertently amassing large data repositories which need to be properly controlled.

Step 3 – Conduct a gap analysis against GDPR

Review your existing data protection and privacy policies (what they say, how they say it and how they are provided), reconsider your data protection impact assessments and plan for necessary changes in light of GDPR.

Are you prepared for the exercise of new rights? Ensure you properly consider each of these rights so you will be able to comply. Changes to access rights, for example, mean that personal information (and any supplemental information) must be made available free of charge within one month. Is this logistically possible? Are you obtaining sufficient consent for the data you hold? Are you prepared to delete data when required?

Are you prepared to comply with the new obligations? Establish which obligations will apply to your organisation. There are improved protections around children's data, for example, while documenting a rationale for information collation is important for companies with over 250 employees. Are you able to demonstrate and articulate a legitimate interest in the data you hold?

Are you prepared for data breaches? Data breaches posing a risk of "destruction, loss, alteration, unauthorised disclosure of, or access to" data must be notified to the individuals involved without undue delay and to the relevant authority (the ICO) within 72 hours. Is your notification policy appropriate to the level of risk and sufficiently robust? Are the right procedures in place to detect, report and investigate breaches? Do you encrypt/pseudonymise data as you share it with (or sell it to) third parties? How is the backup managed? How often are your system and your breach plan stress-tested?

Step 4 – Create project team to lead remediation/implementation

Data protection could become a boardroom issue in a way it has not been to date. Consider whether you need formally to hire or designate a data protection officer. Regulation 37 ensures they are appointed by public authorities and organisations engaged in large scale "systematic monitoring" or "processing" of sensitive personal data. Enable someone in the organisation to take responsibility for GDPR compliance, slotting the role for maximum effectiveness within your structure and governance arrangements…

Step 5 – Execute remediation/implementation

…while remembering that you need now to actively demonstrate and monitor GDPR compliance.

This article was first published in Estates Gazette on 1 April 2018.
