In 2016 the EU adopted a set of rules that changed the way many companies do business. These new laws were so important that even after formally leaving the EU, the UK retained them in very similar form.
We are talking about GDPR, or the General Data Protection Regulation.
As technology, business and society change, so do the ways we collect and use data. Because of this, the Information Commissioner frequently updates the official guidance on how companies should comply with the regulations. The most recent update was in March 2022.
If you find yourself asking the question “is my data GDPR compliant?” read on.
This blog is intended as a starting point highlighting some of the key issues and indicating further resources for more information. Above all, it aims to show how GDPR is a force for good which will help your organisation build and maintain a reputation as a good corporate citizen. If you need help with GDPR compliant data, we offer a data consultancy service which can bring you in line with the requirements.
Lawfulness, Fairness and Transparency
You must have a good, lawful reason to collect and use personal data. That might appear straightforward and simple, but it’s not as easy as it seems. There are 6 lawful bases and you need to find one that applies to the data your organisation collects.
If you’re not sure what that means, or how it applies to you, the Information Commissioner’s Office (ICO) has a useful interactive tool for guidance on identifying the lawful basis you need. Simply answer the questions and it will give you information relevant to your situation.
Lawfulness is not enough. Even if you can show that your activities are within the law, you must also demonstrate fairness and transparency. The important question is not just ‘can we collect and use the data’, it’s also ‘should we’. Fairness and transparency are very closely related principles.
Your organisation needs to be open, honest and clear about the data you collect, including how and why you use it.
If you’re open and transparent from the start, you can be reasonably confident you also pass the fairness test. The key takeaway here is that GDPR is your friend, it may not seem that way always, but the rules are there for a reason.
In many ways, this is an extension of the transparency requirement. It tells us that you need to be clear and open about why your organisation is collecting data. Your organisation needs to have those reasons documented and available to the public.
This is all about being a good corporate citizen. If people agree to you using their data for a specific purpose, you can’t go and use it for a completely different reason without getting their consent first. We want people to make informed decisions about if and when they are happy to share their personal data. As with so much of the GDPR, it comes down to trust.
One way to cultivate trust in your staff and your customers is to find a reputable broker when you’re buying data online. We’ve got one of the largest, legally compliant data feeds in the UK. Click here for more information about buying data online.
According to the Information Commissioner:
Identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.
The key words here are Adequate, Relevant, and Limited. What these three terms mean will be different to each specific organisation and use case. You should only hold the information you need to do the job. That starts with being clear about what you’re trying to achieve.
There’s more to this than simply limiting the data you hold. Take note, you must also have adequate data to do the job properly, not too much and not too little. It’s just as bad (perhaps worse) to make decisions based on inadequate data, than it is to collect too much.
Good, accurate data is a fundamental part of any marketing campaign, and it also happens to be one of the key principles of GDPR.
The fact is, if you’re using inaccurate data you are wasting your money and breaking the law. The problem is identifying the inaccurate data in the first place. You should have processes in place to check the data you collect and store. Remember that things change, businesses change and people move jobs at a surprising rate. What was once good data can very quickly become inaccurate. Data decays. For more details on how and why, check out the DMA’s infographic Five reasons to cleanse and maintain your data.
Database cleansing is like doing the housekeeping. It’s tiresome, repetitive and it’s not easy. But bad data hygiene hurts your business as much as a dirty kitchen hurts your cooking.
In a large company, every year 60% of people change job function; between 25-33% of email addresses become outdated; 18% of telephone numbers and 20% of postal addresses change. With numbers like that, you simply cannot sit back and do nothing (read our blog post for more on this topic).
This principle says that you cannot store information indefinitely, you can only keep it as long as you need it. Best practice here is to have a “storage retention and disposal policy” which tells your staff and customers what sort of data you hold, how you use it, and how long you will store it
There is an important distinction to make right away. GDPR doesn’t state how long you can keep data, but it does say that once you stop using it you must dispose of it. This key principle of GDPR is here for a very good purpose and one that helps the company collecting data as much as the individuals whose data is being stored.
By implementing storage limitations, GDPR helps you with data cleansing because it minimises the risk of data becoming irrelevant, inaccurate or out of date. Think about this principle as a helping hand, rather than a hindrance. It’s not good practice to keep more data than you need. Among other things, it causes inefficiencies in storage, retrieval and security.
Security, Integrity and Confidentiality
The past 10 years have seen some of the biggest and highest profile data breaches of all time.
The numbers are astonishing. In August 2013, hackers compromised an estimated 3 billion Yahoo accounts. In November 2019, online marketplace Alibaba lost control of 1.1 billion pieces of user data. Linkedin, 2021, 700 million users had their data posted on the dark web. Read the full list here.
Data is a valuable commodity. Because of that there will always be unscrupulous people looking to capitalise wherever they can. Sometimes it’s simply an opportunist who spots a lost laptop or memory stick on a train, or a moment of madness like the civil servant who left 50 pages of classified MoD documents at a bus stop in Kent.
Ensuring you have GDPR compliant data means having the correct security measures in place to make sure this type of thing doesn’t happen. Organisations that hold personal data about individuals or companies must take the appropriate steps to protect that data.
This is a massive topic that deserves an entire series of blog posts. For a detailed explanation of the requirements visit the Information Commissioner’s website here.
The final key principle for GDPR compliant data is Accountability. This rounds up everything we’ve been saying about being a good corporate citizen. It says you need to stand up and be responsible for what you do with the data you hold.
Being accountable means that you will fulfil all the key principles and comply with GDPR in letter and in spirit. Make sure you maintain your data with regular database cleansing. Put the right policies in place to keep your data safe. Be open and clear about how you collect and use data.
Being accountable means that you would happily tell your customers exactly what you’re doing and why. When you think about it, that principle should apply to all your business activities, not just the way you collect and use data.
Make sure your data is GDPR compliant with our expert data consultancy service. In a world overflowing with data, we pride ourselves in offering a high-quality tailored solution. We’ve been doing it successfully for 40 years, so don’t hesitate to contact us to find out how we can take your business to the next level.