The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, and will set a high bar for global privacy rights and compliance. We are actively preparing our technology, marketing and compliance processes for the GDPR to take effect, and this guide is intended to help our users do the same.
Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might impact your organisation.
What is the GDPR?
You have likely heard of the GDPR, a European privacy law approved by the European Commission in April 2016. It replaces the Data Protection Act (DPA) 1998 and governs how personal data is collected, held, protected and deleted by data processors and data controllers (definitions that are similar to those in the DPA).
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU and by any organisations that may have clients in the EU. Brexit outcomes do not affect UK compliance requirements. The GDPR is an attempt to strengthen, unite and modernise EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organisations may obtain, use, store and delete personal data.
Personal data includes, but is not limited to:
- Email address
- Social media posts
- Personal medical information
- IP addresses
- Bank details
When does it come into effect?
The GDPR will enter into force on 25 May 2018. There will not be a “grace period,” so it is important that organisations impacted by the GDPR prepare for it now.
Who does it affect?
The scope of the GDPR is very broad. The GDPR will affect (1) all organisations established in the EU, and (2) all organisations involved in processing personal data of EU citizens. The latter reflects the GDPR’s introduction of the principle of “extraterritoriality”: the GDPR will apply to any organisation processing personal data of EU citizens, regardless of where it is established and regardless of where its processing activities take place. This means the GDPR could apply to any organisation anywhere in the world, and all businesses should perform an analysis to determine whether or not they are processing the personal data of EU citizens.
You should consult with legal or other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are a business that is incorporated in the EU, or one that is processing the personal data of EU citizens, the GDPR will apply to you.
The regulation introduces tougher fines for non-compliance and breaches – as high as €20 million or 4% of global annual turnover, whichever is higher. Ultimately, the fine will depend on the nature of the infraction. There does not need to be a breach to be non-compliant.
How is Seedrs preparing for the GDPR?
We are committed to working towards GDPR compliance. Our GDPR preparation started last year, and as part of this preparation we have been reviewing (and updating where necessary) our internal processes, procedures, data systems and documentation. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users and service providers in the coming weeks and months, including:
- Updating our third-party vendor contracts;
- Developing a communications preferences portal to give greater control of how you hear from us, and when;
- Creating tools for you to control how your website activity is used and how it’s tracked;
- A straightforward process for data portability requests; and more.
Another important part of the regulation is “Data Protection by Design,” which is an approach to projects that promotes privacy and data protection compliance from the start. It is important to abide by this approach to minimise risk of data and privacy issues from the start of each project, process development, design and activity.
What you need to be doing now
There are now less than 80 days until the GDPR comes into force, so if you’ve not yet started to look at how it may impact your business, you really should. For more information and things you may need to start considering for your organisation, please visit the Information Commissioner’s Office (ICO) website.
Here are a few things that are most likely to affect your business operations and processes:
Internal awareness and developing champions:
If you’ve not yet done so, start letting everyone in your organisation know about the GDPR, as well as your initial assessments of how it may impact the business. Then allow teams to feed back any gaps or areas that may have been overlooked.
Implementing the GDPR could have significant resource implications, especially for larger, more complex organisations. You may find compliance difficult if you leave your preparations much longer.
Map out personal information you hold:
Under the GDPR, “personal data” is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., names, physical addresses, email addresses) but also data such as IP addresses, behavioural data, location data, biometric data, financial information and much more.
This means that, particularly for businesses raising on Seedrs, information that you collect about your subscribers and contacts will be considered personal data under the GDPR – including cookies. It’s also important to note that even personal data that has been “pseudonymised” can be considered personal data if the pseudonym can be linked to any particular individual.
Analyse how you process data:
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing personal data within the meaning prescribed by the GDPR.
Keep in mind that, even if you do not believe your business will be affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.
Are you a controller and/or processor of data?:
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in.
- A controller is the organisation that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
- A processor is the organisation that processes data on behalf of the controller.
The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party. Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarise yourself with your responsibilities accordingly.
Update privacy notices:
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language.
Understand and communicate individual/user rights:
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Users’ right to access considerations:
Individuals will have the right to obtain the data that is being processed about them, and to understand how it is being processed. Look at your processes to see how you can comply.
- In most cases you will not be able to charge for complying with a request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
Have a lawful basis for processing personal data:
Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
- Contact details for the data controller.
- Purpose of the data: This should be as specific (“purpose limitation”) and minimised (“data minimisation”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to the regulator.
- Retention period: This should be as short as possible (“storage limitation”).
- Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, like when the processing is necessary to the performance of a contract, an individual has consented, or the processing is in the organisation’s “legitimate interest.”
Look at how you achieve consent:
Consent is one of the fundamental aspects of the GDPR, and organisations must ensure that consent is obtained in accordance with the GDPR’s new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis.
Keep in mind that:
- Consent must be specific to distinct purposes.
- Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
- Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
If you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent (like “legal obligation” or “legitimate interest”, above).
Do you work with children?:
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. You may need to make special considerations: for example, consent has to be verifiable, and when collecting children’s data your privacy notice must be written in language that children will understand.
Prepare for data breaches:
You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred.
Restructure or find someone to be responsible for compliance:
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your business’ structure and governance arrangements.
You should consider whether you are required to formally designate a Data Protection Officer (DPO). You must designate a DPO if you are:
- a public authority (except for courts acting in their judicial capacity);
- a business that carries out the regular and systematic monitoring of individuals on a large scale; or
- an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to you and your business.
If you have any questions in relation to how Seedrs is preparing for the GDPR or how your use of Seedrs may be impacted when the legislation comes into effect, please email firstname.lastname@example.org.