One thing I’m always urging clients to do is to consider publishing a regular email newsletter to keep people connected with their research updates. That’s because direct email remains an excellent way of reaching out to an engaged audience and taking control back from unpredictable social media platforms and their ever-changing algorithms (see Facebook’s recent news feed changes).
BUT there are legal requirements when it comes to holding people’s data in the form of names and email addresses, and they’re about to get even more strict and far-reaching. All thanks to GDPR.
What is GDPR?
GDPR stands for General Data Protection Regulation and refers to a new set of EU regulations that are set to kick in on 25th May 2018.
Currently, the rules about how personal data is processed by individuals, companies and organisations are governed by the Data Protection Act (DPA), which was devised in the mid 1990s when the digital world was a very different place, and is no longer fit for purpose. High profile cases of data breaches caused by companies paying too little attention to how they collect and use people’s personal data (e.g. the breach of 3 billion Yahoo accounts) have exposed its weaknesses, and the GDPR aims to shore up the gaps by granting citizens greater rights over how their data is used.
What’s in it?
The full GDPR document runs to over 88 pages, containing 99 different articles. I'm not about to detail each element here, as much of it is irrelevant (and I'm not going to pretend I've read the whole thing!), but the general thrust of the regulations is:
- Allowing people to have easier access to the data that companies hold about them.
- A new fines regime to punish those who do not comply.
- A clear responsibility for organisations to obtain the consent of people they collect information about.
Who Does It Apply To?
The short answer is... everybody. Or any individual, company or organisation that holds data on EU citizens, at any rate.
The good news is that many of the main principles of the GDPR are much the same as those in the current Data Protection Act, so if you’re already complying correctly with the current law (which I'm sure you are!) then you’re in a good position and shouldn’t have to do too much to get up to speed with the new regulations.
So what do you need to do?
The organisation in charge of implementing data protection laws in the UK, the Information Commissioner’s Office (ICO), has created a helpful GDPR checklist.
Here’s a breakdown of some of the main points that are relevant to organisations that are holding names and email addresses for the purposes of research communication.
(Researchers who are using data, especially sensitive personal data, as part of their actual research, not just for the dissemination of that research, are going to be subject to a particular set of rules, which the UK government is devising at the moment.)
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
2. Document the Information You Hold
You should document what personal data you hold, where it came from and who you share it with. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
3. Communicating Privacy Information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
The GDPR requires the information to be provided in concise, easy to understand and clear language. The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.
4. Individuals’ Rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.
5. Lawful Basis For Processing Personal Data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. You will also have to explain your lawful basis for processing personal data when you answer a subject access request.
Consent is one example of a lawful basis, so provided you have a robust opt-in process when it comes to gathering names and emails you should be covered.
6. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
You should read the detailed guidance the ICO has published on consent under the GDPR, and use its consent checklist to review your practices.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
7. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
Disclaimer: This post is only intended to provide an overview of the GDPR rules; it should not be taken as advice regarding any individual's or organisation's legal obligations when it comes to the protection of personal data. If you're in doubt about your obligations you should contact the ICO or a legal professional.
Peter Barker runs Orinoco Communications, a digital communications company specialising in helping research groups from science, the social sciences and the humanities to bring their research alive and engage with the public.