Feature: Private matters

The biggest overhaul of European Union data privacy laws will come into force next year. OPI's Michelle Sturman takes a look at some of the most important aspects.

It’s no surprise that data privacy and storage regulations have been overhauled across the European Union (EU). The existing rules were issued in 1995, but the exponential growth in accessible personal data has left them unable to adequately protect the rights of data ‘subjects’.

On 25 May 2018, the EU General Data Protection Regulation (GDPR) replaces the current Data Protection Directive 95/46/EC and comprises some far-reaching updates. The aim of the GDPR is to protect the personal data of EU citizens from privacy and data breaches; for businesses it marks a fundamental shift in how data is processed, stored and used. 

According to the official EU GDPR portal, the new legislation has been designed to “harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”.

In the context of the GDPR, it is important to understand that personal data refers to any information that can be used to directly or indirectly identify a person. This includes everything from an email address, bank details and social network posts to medical details, IP address, name or photo. 

The GDPR is not about technology, but is based on principles. This, by default, covers both electronic and paper-based data, such as direct mail, a ‘little black book’, contact lists on your company phone as well as telephone calls, etc.

Consent is one of the most significant aspects of the upcoming legislation and under the GDPR there must be a positive affirmative action: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” In addition, “silence, pre-ticked boxes or inactivity should not therefore constitute consent”.

Conditions of consent

There are four main conditions of consent:

  1. It should be able to be demonstrated that the data subject has consented to the processing of his/her personal data.
  2. If the consent is a written declaration which concerns other matters, the consent request must be provided in an intelligible and easily-accessible form through the use of plain language. 
  3. The data subject has the ability to withdraw consent at any point which should be as easy as it was to give it.
  4. When evaluating if consent is given freely, it should be taken into account whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. 

The GDPR goes much further than previous legislation in terms of protecting individuals and their personal information. For companies, meanwhile, notification is mandatory under the GDPR where a data breach is liable to risk individual rights and freedoms, and must be done within 72 hours. In addition, data subjects’ rights include the right to access, the right to be forgotten, data portability, and privacy by design.

OP impact?

Fellowes UK Sales and Marketing Director Darryl Brunt says: “Every OP dealer or vendor will need to have certain systems and policies in place to ensure they are compliant with the new regulations. An organised plan will help to avoid data breaches and thereby maintain a trustworthy reputation.”

The GDPR is also relevant globally inasmuch as it applies to organisations located outside of the EU if they “offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location”.

Agreements are already being forged between associations such as the National Retail Federation (NRF) in the US and EuroCommerce which is the principal European organisation representing the retail and wholesale sector. The current deal revolves around developing a common approach to implementing the GDPR. NRF CEO Matthew Shay says: “This cooperative effort will help retailers on both sides of the Atlantic prepare their businesses for implementation of the regulations.”

Any business falling foul of the GDPR could be fined up to 4% of global annual sales or €20 million ($24 million), so dealing with data correctly is imperative. “Documents containing personal data can be stored for the purposes for which they are being used, but need to be destroyed securely once they are no longer needed. The safest way to do this is by shredding them,” says Brunt.

He adds that on-screen data is another important area to consider. “To protect data from being viewed by others, you should invest in blackout privacy filters.”

For office products resellers the GDPR offers three key opportunities, says ACCO Brands EMEA Regional Marketing Director UK & Ireland Elisabete Wells: 

  • Firstly, raise the GDPR topic: highlight the benefits of document destruction as an integral part of a customer’s GDPR compliance process. 
  • Secondly, review a customer’s purchase history:  establish if there are organisations that haven’t purchased shredders, for example, and advise that they increase security levels.  
  • Thirdly, upgrade customers: reinforce the GDPR message, drive awareness and sales.

For more information, Fellowes has written a sales guide entitled ‘An introduction to the European General Data Protection Regulation’ while ACCO Brands offers sales tools and content via https://uk.rexeleurope.com/gdpr.

The full version of the GDPR can be found at http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf.

Preparation is key

According to the UK’s Information Commissioner’s Office (ICO), it is vital that businesses understand the changes in the EU General Data Protection Regulation (GDPR) and start preparing for it now. 

The ICO has released Preparing for the General Data Protection Regulation: 12 Steps to Take Now, which is a useful checklist.

  1. Awareness: Ensure the decision-makers in your company understand that the law is changing to the GDPR.
  2. Information you hold: You may need to do an audit to figure out what personal data you hold, where it came from and who you share it with.
  3. Communicating privacy information: Review any privacy notices and update if necessary for GDPR compliance.
  4. Individuals’ rights: Ensure procedures are updated to include all the rights individuals have under the GDPR, including the deletion of personal data. 
  5. Data subjects’ access requests: Plan how to handle requests under the new GDPR timescale.
  6. Lawful basis for processing personal data: Identify the lawful basis for your processing activity and ensure it’s documented and your privacy notice updated to explain it.
  7. Consent: Rreview how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  8. Children: Ensure systems are in place to verify ages and obtain consent if necessary. 
  9. Data breaches: Make sure correct measures are in place to deal with any breach.
  10. Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the Article 29 Working Party guidelines from the GDPR.
  11. Data protection officers: Appoint someone to take responsibility for GDPR compliance and establish whether you need to have a formal data protection officer on board. 
  12. International: If your business operates in more than one EU country, determine your lead data protection supervisory authority – consult the Article 29 Working Party guidelines. 

For the full report, visit https://ico.org.uk/for-organisations/data-protection-reform