GDPR: what we did and how

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. That’s very soon and a lot of people are feeling understandably nervous about it…

Here’s what we’re doing at Scroll to prepare for GDPR – and why you should care about it.

What is GDPR?

GDPR is a piece of legislation that updates data protection law so it deals with the new ways we use data – like cookies and large-scale data collection. (The legislation GDPR is replacing came into effect in 1995: a lot has changed since then.)

GDPR makes data protection rules more or less the same throughout the EU. It gives data subjects – the people whose data is being held – a lot more rights over their data.

And, slightly terrifyingly, it means companies can be fined 4% of their annual turnover or 20 million Euros, whichever is greater, if they don’t comply.

Why should you care about GDPR?

Most people creating and editing content for an organisation will come across personal data (data that can directly or indirectly be used to identify someone) at some point.

As a professional, it’s important to understand a few of the issues and requirements around dealing with personal data, or you could unwittingly put your client and your reputation at risk. As you’ll see when you read further, not handling data properly can have serious consequences…

It’s also handy to have some kind of grasp of GDPR so if a client asks, you can look vaguely knowledgeable!

Some key bits of GDPR and what Scroll has done

GDPR is long and complex, so I can only give you a flavour of it here. Your best bet for comprehensive GDPR information is the Information Commissioner’s Office (ICO) website.

With that disclaimer out of the way, here are some key parts of GDPR and a bit about what we did to prepare.

Holding data lawfully

The GDPR says you have to have a legal basis for keeping or using data. There are a number of legal bases but the ones we use at Scroll are:

  • explicit, opt-in consent – gone are the tick boxes saying ‘tick here if you don’t want to hear from us’: people have to opt in to stuff now
  • to comply with a legal obligation – we keep data to show that a Scrollie has the right to work in the UK
  • to perform a contract or to take steps to enter into a contract – we keep data so we can search for roles for Scrollies

We’ve planned data audits once a year to ensure the only data we hold is covered by one of the legal bases above.

Interestingly, under GDPR, personal data is not just the usual things you’d think of, like name, address and email, etc. It now encompasses web data like location, IP address and cookie data, which makes things a bit trickier.

Being fair and transparent about data you hold

There are other rules about holding data, which are identical or very similar to the current Data Protection Act. They mostly come across as rather reasonable things to demand. For example, you must:

  • only collect data you need
  • tell people clearly why you’re collecting it (we do this via short privacy notices, that we show at the point of collecting people’s details)
  • make sure it’s accurate and up to date
  • not use it for any other reason than the one you told people about
  • not keep it longer than you have to

At Scroll, we did a data audit so we now know what data we have and where it’s stored. This means we can keep track of how long we keep information for, who has access to it, why we collected it and who is responsible for it. That helps us stick to these rules.

Keeping personal data secure

Under GDPR, you must keep personal data secure, protecting it from unauthorised use, accidental loss, destruction or damage. Securing your data involves looking at whether your systems are secure and who has access to them, among other things.

As part of our data audit, we classified the data so we knew which was most important to protect – for example, we classified our newsletter sign up list as less sensitive than our Directory, which contains names, past projects, test results and interview details.

We could then make decisions as a team about how to protect the most important data first – we limited access to the sensitive stuff and we’ll be running training on how to handle data properly.

Acting quickly if you have a data breach

If your data is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed, you’ve had a data breach (and you have a problem).

Carphone Warehouse was fined £400,000 when it happened to them.  Wetherspoons deleted their entire database rather than risk another breach.

If you have a data breach, unless it’s a breach of data that can’t be used to identify people, you’ll have to report it to the Information Commissioner’s Office (ICO) and soon. If you don’t do it within 72 hours, you could face a fine. You may also have to inform all the individuals concerned, depending on what kind of data it was.

At Scroll, we’ve set up a data breach procedure and a notification form, so we quickly know what to do if it ever happens to us.

Respecting people’s rights around their data

Under GDPR, people have the right to:

  • access their personal data for free
  • have data corrected if it’s wrong
  • object to or stop you processing their data
  • be forgotten (a person can ask you to delete their personal data)
  • data portability (moving data seamlessly from one internet provider to another, for example)

Most of these rights are the same ones they had under the Data Protection Act, but with some added extras – eg the right to data portability.

All of these rights make it imperative that you know what data you have on people and where it’s stored, which is why you need – yep – a data audit. If this blog makes you think we’re obsessed with data audits, it’s because we truly are!

A summary of what else Scroll has done

There’s far too much to go into in detail, but we have also:

  • documented our journey to compliance and why we made the decisions we did (GDPR is big on accountability) – this document has been really useful as a ‘to do’ list to check off
  • carried out a risk assessment
  • thought about cookies (still thinking about cookies…)
  • updated Scroll’s data protection policy and privacy policy
  • thought about what ‘privacy by design’ will mean for us if we get a new Customer Relationship Management (CRM) system
  • acted on Mailchimp’s recommendations for compliance (we have a Mailchimp mailing list)

What else you should do about GDPR

Most clients you work for will have data protection policies in place already under the Data Protection Act, and will be strengthening them in readiness for the GDPR. Make sure you’re up to speed with what’s expected of you.

You can also have a flick through the GDPR guidance from the ICO – it’s written in a fairly straightforward, easy-to-understand way and is pretty user friendly, with ‘at a glance’ summaries and checklists.

I hope you learnt something new about GDPR from this blog. If you didn’t… could you get in touch and make sure we’re doing it right?

© Scroll Ltd.