GDPR for accountants: An introduction
With allegations that Cambridge Analytica harvested data from more than 50m Facebook users to target ads for the Republican Party, the world is beginning to wake up to the power of personal data. Stewart Twynham sets out the conditions that the General Data Protection Regulation (GDPR) is trying to address.
Forget about a few stolen credit card numbers - in the wrong hands, personal data has the power to change the opinions of an entire nation. A safe, modern information society needs regulation, which is where GDPR comes into play.
A brief history of data protection
Many of the principles of the GDPR can be traced as far back as 1981 when the Council of Europe started working to establish common standards across member states to facilitate the flow of information. The Data Protection Act (DPA) 1984 was born, requiring UK organisations that held personal data on computers to register with the Data Protection Registrar.
If there was a weakness in the DPA 1984 it was that it failed to address matters of privacy. Privacy is a significant concern to many Europeans, for whom mass surveillance and persecution still resonates after their experiences after the Second World War.
Here in the UK the updated Data Protection Act 1998 became a target for tabloid ridicule. Companies up and down the country hid behind the DPA. We’ve all been on that call where something perfectly benign was said to be impossible “for data protection reasons”. Even the police joined in, blaming the DPA for a string of mistakes including the deletion of intelligence data concerning 1950s child-murderer Ian Huntley.
Although the principles of the GDPR have become well established over the last 34 years, many businesses chose to ignore them, mainly because until April 2010 the maximum fine was just £5,000. Even today, despite receiving 817 breach notifications in the last quarter of 2017 there have only been a handful of serious monetary penalties handed out in that same period.
What is personal data?
Although the definition of personal data has changed little in the last three decades, even experts can still get it wrong. Put simply, personal data is “any information relating to an identified or identifiable natural person (‘data subject’)”.
The scope for indentifying a natural person has increased subtly but importantly under the GDPR, which now includes “online identifier” - which includes IP Address.
There are two really important, but common mistakes that catch people out. First, many assume that email addresses such as [email protected] or an office DDI number are not personal data because they belong to a business and are not “personal”. This is incorrect - anything that allows a natural person to be identified (think privacy rather than ownership) is personal data. An example which isn’t personal would be something like [email protected]
The second common mistake relates to information in the public domain, such as that found in directories or on social media. Nowhere in the DPA or GDPR does it define personal data according to where it came from. If you glean information from someone’s publically available online profile, then that information still remains firmly within the scope of the GDPR.
Another common mistake that people make relates to the “protection” side of data protection. Protection isn’t simply how you look after data in transit or at rest - it’s the entire lifecycle of how you collect, use and eventually destroy that data - something called ‘processing’.
Under the GDPR, any new or innovative processing - especially automated profiling as that alleged against Cambridge Analytica - would come under significant scrutiny. Your desire to process information in a certain way would have to be carefully balanced against the rights and freedoms of the individuals concerned.
This isn’t a grey area - the kind of processing that Cambridge Analytica is alleged to have carried out would absolutely not be allowed under the GDPR.
A new global reach
One of the significant changes is that the territorial scope for the GDPR is now global. Any organisation that wishes to process the personal data of EU citizens must now abide by the GDPR. Many will have noticed that organisations such as LinkedIn and MailChimp have been busy updating their terms and conditions in preparation for 25 May.
Brexit will mean little change for the UK. Our new data protection laws will continue to mirror those of the EU in order to ensure that EU personal data can continue to flow legally inside the UK.
A lack of clarity
One of the biggest single complaints about the GDPR is the lack of clarity. Many business owners and managers are currently looking around for a quick and simple downloadable chart that explains that businesses who want to do X need to do Y.
Unfortunately, the GDPR isn’t like that. Like previous data protection legislation, the GDPR is a mix of principles and what seems like an incomplete set of hard and fast rules. On one hand, a personal data breach should be notified “not later than 72 hours after having become aware of it” - a definitive figure. Yet the period for which data can be stored is defined as “limited to a strict minimum” - about as woolly an answer as you can get.
Various guidance documents have been produced to fill the gaps, but not all of the guidance will be ready in time for 25 May, and guidance itself isn’t the law. Even the Information Commissioner’s Office (ICO), the UK’s supervisory authority, has been known to get guidance wrong. Ultimately the ICO doesn’t get the final say - that will be down to a court of law, and decisions will be taken by the Court of Justice of the European Union and the European Court of Human Rights both now and in the future.
Inevitably, this just makes everything look unnecessarily complicated.
Take a really simple example: the legal basis to process employee salaries. When you process personal data you require a legal basis to do it - the GDPR offers six - and processing employee data about as fundamental a role as you can get. So this should be absolutely straightforward, well defined and clearly explained in step-by-step guides all over the Internet, right? Wrong...
Of the six legal bases for processing personal data (consent, contract, legal obligation, vital interests, public function, and legitimate interests), one doesn’t apply to private firms (public function) and another isn’t relevant (vital interests means it’s a matter of life and death).
A third (consent) has been proven over the last decade or so to be more or less incompatible with the employee/employer relationship, but the way the GDPR now defines consent basically makes it unworkable. This leaves us with three viable options: that processing payroll data is necessary to fulfil a contract, that it is necessary to meet legal obligations and that it is a legitimate interest for the business concerned.
So, which one is it? The answer is... it depends!
It’s not what you use, it’s the way that you use it
For small businesses that simply want to process their payroll, “legal obligation” is a perfectly valid legal basis. They can point their GDPR documentation to the HMRC website which explains that they need to keep records and exactly which records to keep.
The downside to legal obligation is that you would only be able to process the data that’s absolutely necessary for that purpose (the principle of data minimisation).
Many businesses collect far more data about their employees and do far more with that data - performance reporting, vehicle tracking, CCTV and the monitoring of computer usage are just four examples. In these cases, “contract” and “legitimate interests” could both be valid options, but it is legitimate interest which offers the greatest flexibility (read: “wriggle room”).
Legitimate interest is not a blank cheque, though. The processing would have to be strictly necessary and balanced against the rights of the individual; it would need to be proportionate and what they might expect. For example, if the monitoring of computer usage wasn’t strictly necessary - if the risks didn’t justify it or there was another way to achieve the same end result such as simply restricting web access on certain machines - then the interest would no longer be considered legitimate.
A marketing example
Many businesses use electronic means such as telephone calls and e-mail to market their products and services, but that creates some issues under GDPR. These activities fall under the Privacy and Electronic Communications Regulations (PECR), which, unlike the GDPR, is entirely rules-based. This creates some interesting challenges where some scenarios can fall between the cracks.
I work with charities, many of which have relied on consent in the past to maintain a database of individual donors. The GDPR sets a much higher bar for consent, which means that they now need to contact donors and obtain consent that meets the requirements of the GDPR. This is where things get a little tricky.
Contacting donors to ask them to opt-in under the GDPR is considered by the ICO as marketing. There are provisions under Regulation 22 of the PECR for a soft opt-in, but this is only “in the course of the sale or negotiations for the sale of a product or service” - which obviously does not include donations. So, if the contact details were obtained in the course of receiving a donation as opposed paying for something at the local jumble sale – or, far more likely, if the charity cannot distinguish between the two cases because they only have contact details and no further information about their source - this leaves said charity in a catch-22 position. They are unable to use consent as the basis with which to process data on individual donors moving forward, yet they cannot legally contact those donors electronically to ask them for that updated consent. This is the point where your GDPR consultant begins to earn their keep...
All is not lost
I give these examples simply to point out that the GDPR can often appear frustrating and overly complicated. In actual fact, for most small businesses there are very few new things to worry about and it doesn’t have to be a challenge. That said, in order to make it work you have to fully understand your data and how you intend to use it.
Next time: having introduced the GDPR, I’m going to look in more detail about its principles, the legal bases and some of the key roles and responsibilities.