The GDPR: Essential guidance for intranet and digital workplace specialists
In under 18 months, one of the most fundamental changes to the way businesses handle data — the General Data Protection Regulation (GDPR) — will come into application. But how will this new legislation impact intranet and digital workplace teams? Today, we take a look at the details.
What is it?
The General Data Protection Regulation (GDPR) is a new piece of European legislation designed to tidy up and strengthen previous guidance on data protection. There are a few definitions to run through first which will help our understanding:
What is personal data?
The GDPR applies to data relating to an individual EU resident, whether it relates to their private, professional or public life. Obvious examples include their name, photos and contact details, but the definition also extends to their bank details, medical records, their social media posts or even their IP address.
What is a data controller?
A data controller is an individual or company that directs how personal data will be collected, used or stored. In the case of employee data, this is very likely to be the employer; in the case of data from the general public, this could be a company that runs a web competition, owns a bank or countless millions of other applications.
What is a data processor?
A data processor is a company or individual that processes data. This may be the same organisation as the data controller, or a third party. In the case of employee data, this could be the company that processes your payroll or benefits; for public data, it might be the agency that runs your website.
Who does this impact?
The fact that this is European legislation may lead some readers to breathe a huge sigh of relief believing that this will not impact them. You may be right, but let’s be clear on the scope:
- Impacts all personal data from European residents: If you are storing or processing personal data from Europeans, keep reading; this will impact you.
- UK companies and UK residents are in scope: Brexit will not change the application of this law as the UK government have made it clear that they still intend to comply.
- Companies based outside the EU will have to comply if they hold or process EU personal data: If you work for a non-EU based company but handle any EU personal data – for example if you have an office in Germany or you’re based in India but work on EU data – this still impacts you.
In short, if you’re handling data from EU residents, it will impact your company. If you are an EU resident, your data will be protected by this legislation. Note that the legislation does not make any distinction between an EU resident or citizen.
The only exemption is for law enforcement agencies and those involved in the business of national security. Criminal conviction data is not protected by this legislation.
How should data be handled then?
There are six guidelines on data protection as outlined in Article 5. Here’s our layman’s summary:
- Data must be processed fairly, lawfully and transparently: No subterfuge, no hidden collection, do it subject to local laws
- Can only be collected for an explicit, specified and legitimate purpose and not used for any other reason: It can be archived or used for statistical or research purposes but you can’t collect data for one legitimate reason and re-purpose it for another
- Data collection and processing must be limited to what is strictly necessary for purpose: No collecting 10 pieces of data just in case, when you’re only using 3
- Data must be accurate. Every reasonable step must be taken to update or erase inaccurate data: Possessing it is one thing, but you’re also responsible for maintaining it
- Data can only be kept for the time needed to carry out stated purpose: You cannot hold it for ever, just because you think it might be useful
- Data must be protected from unauthorised or unlawful processing, loss, destruction: The business of storing data is also fraught.
You should also note that individuals have a ‘right to erasure’ that is to say people have the right to request that their data is securely erased. Data controllers also need to be able to prove that they have explicit consent for the data to be held and processed for the specific purpose intended.
What does this mean for businesses in general?
Companies that process personal data are going to have to strengthen their data governance to ensure compliance. Processes will change, and we expect some companies will cease some activities, believing the risks and costs far outweigh the benefits.
One element of this law that we’ve not seen before is the provision of a Data Protection Officer (DPO). These people will need to be appointed by data controllers who manage or store personal data to ensure that processes are compliant with the law. Importantly, the DPO is monitored by the Regulator, i.e. the EU, and not by the company’s Board of Directors. In short, DPOs are paid for by the company but are independent of that organisation, acting as internal regulators. GDPR compliance will certainly appear on a company’s risk register.
Lastly, businesses are going to have to consider the fines. The GDPR allows for fines up to 4% of worldwide turnover for non-compliance. Be under no illusion: this data protection law has teeth.
Lawyers acting for firms or individuals with a grievance can use data breaches or investigations as a tactic. While you might feel confident an employee isn’t going to complain about their data being mishandled, it would be unwise to have the same confidence about a disgruntled customer or former employee.
What does this mean for intranet and digital workplace specialists?
Where personal data is collected, processed or stored, the GDPR will apply, and that includes employee data. The new law makes specific reference to consent from employees, noting that such consent needs to be “freely given”, that is to say the individual genuinely has free choice and is able to refuse or withdraw consent without detriment.
In short, you cannot just harvest the data, and you cannot ask for consent unless there is obvious free choice. It’s not yet clear how that would work in practice for processes like payroll.
It’s reasonably normal for there to be data ‘ghosts’ when an employee leaves a company such as the teamsites they created, the comments they made and so on. The ‘right to erasure’, if deployed, may mean that these ghosts will need to be deleted permanently.
If your intranet is collecting personal data through forms, analytics, applications, comments and more, then the GDPR will impact your future work. Challenge yourself and others to consider your data:
- Do you have freely given consent for this data?
- If consent is withdrawn, can you erase?
- Are you storing data in the appropriate way?
- Can you demonstrate that you are only capturing those data points that you strictly need and no more?
- Can you demonstrate that you’re using it strictly for the purpose originally specified?
- Can you demonstrate that you’re keeping the data for no longer than strictly needed?
This will no doubt impact targeted content, email delivery, web statistics, competitions, content including comments. If it identifies an individual, if it’s a data-led approach, you’ll likely need GDPR compliance.
You will need to seek legal advice on GDPR and how it will impact your work. Intranetizen are not lawyers, this post is not legal advice and you need to go and protect yourselves! Before May 2018, you will need to verify all your data sources and double down on your data governance. More legal guidance for intranet managers can be found here.