The latest news from Meantime IT

Nobody can have avoided hearing about the EU law on General Data Protection Regulation (GDPR) which came into force on the 25th May 2018.

Over the last 18 months this has meant a busy time for us and our clients. To prepare for this significant legislation our team began attending webinars and reading research material as far back as September 2016. Despite the United Kingdom being scheduled to leave the European Union in 2019, GDPR has been adopted within the Data Protection Act 2018 on 23 May 2018 (which contains equivalent regulations and protections). There is of course nothing stopping the UK government modifying this once we do officially leave, but for now the two remain in-step

GDPR seeks to regulate the processing of personally identifiable information (PII) of individuals (or ‘data subjects’ as they are more formally called). It is tricky, because it doesn’t just apply to businesses based in Europe, but to anyone doing business in the EU, regardless of their physical location. If you are found to be in breach of GDPR, you can face a fine of €20 million or up to 4% of the annual worldwide turnover, whichever is greater, hence why it has been taken so very seriously!

We won't try and explain it all here but the basics of GDPR are very simple to grasp. For example, you must now have a legitimate business reason to collect data about a subject. That means if you were running a travel system the passport number is vital but your hair colour or religious beliefs are not. Equally, data may only be used for the purpose for which it is being collected, otherwise you’ll need consent to use it. In the same example about the travel system, you would need the person's consent to share their data with the marketing team to allow them to be emailed about special offers, but you wouldn't need consent in order to email them about their booking.

You must also have a clear policy in place for how long you will keep someone’s data (most large businesses have catered for this change by upgrading the privacy policies – you’ll have seen a flurry of warnings on nearly every website you have visited), and the subject has a right to have their data deleted before that time period has elapsed, and they also have a right to see what data you hold about them.

There is also the more tricky question of what constitutes PII – it can be anything from a name, email address, or even IP address, down to residential address, car registration, or even a photograph.

Meantime has worked with each of our clients individually in our capacity as data processor, and their capacity as data controller, to identify areas in their software which didn't comply with GDPR, and then amend the software as necessary. For some, it’s been as simple as a privacy policy update; for others, complex data deletion scripts and anonymising processes. We are nothing if not thorough when it comes to data security! Happily, everyone is now either compliant, or well on their way.

Oh, and perhaps you're wondering why everyone has been asking for you to re-consent to have marketing emails sent to you when it’s been illegal to email you without consent since 2006. Simply put, ambiguous wording in GDPR! Firstly, the EU stipulated you must have consent: most people can demonstrate that. Secondly, you must be able to show where the data came from and that it was legitimately obtained: slightly harder, but should have been possible. And, finally, prove the date consent was obtained (slightly harder, but should have been possible), and prove the date consent was obtained. That last part is the one that had lawyers trembling, as collecting that data element was not always commonplace, hence the ‘belt-and-braces’ approach most have taken. It was illuminating to see all the places our email addresses had got to over the years.