Written By

Lewis Boyles-White

February 26, 2020 - 4 min read

Privacy didn’t truly enter the mainstream when Edward Snowden leaked details of the NSA surveillance debacle; instead, it only got real when the EU started to clamp down on privacy on 25 May 2018 with the General Data Protection Regulation (GDPR). Once the GDPR became law, and fines of up to 4% of gross revenue or 20 million euros were possible, privacy became real.

The result included companies trying to understand the often-nuanced aspects of the GDPR and sending a deluge of emails requesting long-forgotten, or never captured, consent to process personal data.

Still, in the two years post-GDPR, privacy violations that make your eyes water have been regularly reported in the news media. The spectre of the GDPR continues to haunt businesses, and this time it is personal. Here, we look at what has happened post-GDPR and how, even in a B2B environment, we must continue to meet its stringent requirements.

GDPR, Almost Two Years On

It is coming up to two years since the GDPR first passed into law, and there have been reviews of the success rate of the regulation. These offer a good insight into how effectively the legislation is being policed, as well as how easy its requirements are to meet. Here are some of the latest data on the GDPR and its use across affected industries:

  • A benchmarking report from DataGrail on GDPR readiness found that some companies spent more than 9000 hours in compliance meetings. The report also found that only half of organisations achieved self-regulated GDPR compliance by the enactment date.
  • The first overview of the implementation of the GDPR was carried out by the European Data Protection Board (EDPB). It identified 206,326 GDPR cases reported by supervisory authorities (SAs).
  • Alpin, a company that tracks GDPR fines, shows that in 2018 only 1 major fine was issued. However, in 2019 this figure leapt to 27 major fines. The total issued in major fines for GDPR violations, so far, is €428,945,407; this includes Google (50 million euros) and Marriott International (193 million euros).

Some Outstanding Issues – Business vs. Personal Data

Almost two years on, the GDPR still hangs over many businesses. The problem seems to be around definitions and scope. Data, the lifeblood of the GDPR, is an area of contention: what is GDPR-protected data and what is not? Whilst the GDPR defines personal data in Article 4 as “any information relating to an identified or identifiable natural person (‘data subject’)”, the scope of this can be blurred. Questions such as “does business data come under the remit of the GDPR?” persist.

Business or Personal Data, Which Is It?

Under the GDPR, any data that can be linked to an individual is potentially under the watch of the legislation. In other words, if a snippet of business data is associated directly (or potentially even indirectly) with an individual, it is likely to come under GDPR requirements. This includes data normally described as ‘business data’. So, for example:

  • Business emails can often overlap with an individual’s personal data, e.g. firstname.lastname@domain.com
  • Personal data can be business data when it applies to sole traders; an address like info@ may seem generic but could be linked to that individual. This also (potentially) includes IP addresses that resolve to a static domain of a sole trader
  • Databases that contain business contact data
  • Phone numbers: for example, the common use of personal devices at work can mean that numbers you receive from business contacts are also personal contact data

It is worth noting that business cards are only a GDPR concern if you take the data and either file it or put it onto a computer (in whatever form).

GDPR and Business-to-Business Contact Data

The same rules apply to business data representing an individual as to any other personal data. But teasing the two apart can be where it gets tricky. Some areas that can help in complying with the GDPR when it comes to business data are:

Data minimisation and consent: When you process data under the GDPR you need to do so with a clear legal basis. As stated in Article 40 of the GDPR, this should be “processed on the basis of the consent of the data subject concerned”. However, consent is not a tick-box exercise; it is an ongoing commitment.

As such, to reduce the burden of consent, which must be collected whenever data is collected and on any process update or renewal, you can apply the principles of data minimisation: only collect the data absolutely needed to service your relationship. In a B2B situation, this may mean collecting more generic company data where possible and reducing the amount of personal data collected. Look at ways of filtering data into personal vs. business in your business processes and online data collection methodology.

Legitimate interests: Under certain circumstances, the GDPR, under Article 49, offers derogation opportunities in meeting the requirements; in other words, a get-out clause (sort of). ‘Legitimate interests’ is an example. However, the clause has conditions of its own. To rely on legitimate interests, you must demonstrate that whilst processing personal data:

  • The processing is not required by law but is of clear benefit (proportionate use)
  • There is a limited privacy impact on the individual
  • The person would be unlikely to object to the processing of these data

The use of B2B personal data may fall under legitimate interests and is worth exploring.

Data Privacy Impact Assessment (DPIA): A DPIA is needed to ensure you comply if an individual’s data processing “is likely to result in a high risk”. A DPIA is not just about checking boxes; it can also alert you to potential areas of non-compliance. Whilst not essential for GDPR compliance in every case, failing to carry out a DPIA when one is required can itself be a reason for a fine. The fine is at the lower level, but 10 million euros or 2% of gross revenue, whichever is higher, is still not peanuts. Working Group 29 has written a white paper on who should carry out a DPIA and what it entails.

Conclusion

The question “is it business or is it personal?” may feel difficult to answer. However, as is often the case, business data is personal data, as it has the potential to be easily linked back to an individual. When business data is personal data, the GDPR rears its head. If you use methods such as a DPIA to check your compliance, you can potentially spot issues before they become a fine. This extends to the front end of your business, e.g. websites and partner portals. Understanding the type of data you handle will inform your GDPR compliance needs. This, in turn, tells you how to approach data collection, consent, and processing. Once you understand the type of data you have, you can make the GDPR work for you.
