Privacy didn’t truly enter the mainstream when Edward Snowden leaked details of the NSA surveillance debacle; instead, it only got real when the EU started to clamp down on privacy on 25 May 2018 with the General Data Protection Regulation (GDPR). Once the GDPR became law, and fines of up to 4% of gross revenue or 20 million euros were possible, privacy became real.
The result included companies trying to understand the often-nuanced aspects of the GDPR and sending a deluge of emails requesting long forgotten or never captured, consent to process personal data.
Still, in the two years post-GDPR, privacy violations that make your eyes water have been regularly reported in the news media. The spectre of the GDPR continues to haunt businesses and this time it is personal. Here, we look at what has happened post-GDPR, and how, even in a B2B environment, we must continue to meet its stringent requirements.
It is coming up to two years since the GDPR first passed into law and there have been reviews of the success rate of the regulation. These offer a good insight into the effectiveness of the policing of the legislation as well as the ease of achieving the requirements. Here are some of the latest data on the GDPR and its use across affected industries:
Almost two years on and GDPR still hangs over many businesses. The problem seems to be around definitions and scope. Data, the lifeblood of GDPR, is an area of contention; what is GDPR protected data and what is not. Whilst the GDPR defines data in Article 4 as “any information relating to an identified or identifiable natural person (‘data subject’)” the scope of this can be blurred. Questions such as “does business data come under the remit of the GDPR”, persist.
Under GDPR any data that can be linked to an individual is potentially under the watch of the legislation. In other words, if a snippet of business data is associated directly (or potentially even indirectly) with an individual, it is likely to come under GDPR requirements. This includes data normally described as ‘business data’. So, for example:
It is worth noting, business cards are only a GDPR concern if you take the data and either file it or put it onto a computer (in whatever form).
The same rules apply to business data representing an individual as any other personal data. But the teasing out of the two can be where it gets tricky. Some areas that can help in complying with GDPR when it comes to business data are:
Data Minimisation and consent: When you process data under GDPR you need to do so with a clear legal basis. As is stated in Article 40 of the GDPR this should be “processed on the basis of the consent of the data subject concerned”. However, consent is not a tick box exercise; it is an ongoing commitment.
As such, to reduce the burden of consent, which must be collected whenever data is collected and any process update/renewal, you can use the principles of data minimisation. That is, only collect the data absolutely needed to service your relationship. In a B2B situation, this may mean collecting more generic company data if possible and reducing the burden of personal data collection. Look at ways of filtering data based on personal vs. business in your business processes and online data collection methodology.
Legitimate Interests: Under certain circumstances, the GDPR, under Article 49, offers derogation opportunities in meeting the requirements; or in other words, a get-out clause (sort of). ‘Legitimate Interests’ is an example. However, the clause has some clauses within itself. To use Legitimate Interests, you must demonstrate that whilst processing personal data:
The use of B2B personal data may come under Legitimate Interests and is worth exploring.
Data Privacy Impact Assessment (DPIA): A DPIA is needed to ensure you comply if an “individual’s data processing is likely to result in a high risk”. And a DPIA is not just about checking boxes, a DPIA can also alert you to any potential non-compliance areas. Whilst not essential for GDPR compliance, it can end up as a reason for a fine if a DPIA is not carried out when it should be. The fine is at the lower level, but still, 10 million euros or 2% of gross revenue, whichever is higher is not peanuts. Working Group 29 has written a white paper on the details of who should carry out a DPIA and what it entails.
The question, “is it business or is it personal?” may feel difficult to answer. However, as is often the case, business data is personal data as it has the potential to be easily linked back to an individual. In this case, when business data is personal data, the GDPR rears its head. If you use methods such as a DPIA to check your compliance, you can potentially spot any issues before they become a fine. This extends to the front end of your business, e.g., websites and partner portals. Understanding the type of data you handle will inform your GDPR compliance needs. This, in turn, allows you to know how to approach data collection, consent, and processing. Once you understand the type of data you have you can make the GDPR work for you.
Human-Centred Design (HCD) is a creative approach to problem-solving that starts with understanding the people you’re trying to reach and …
User Acceptance Testing (UAT), also known as End-User, Application or Beta Testing, is the final phase of the testing process ahead of relea…