
GDPR is live, what’s next?

In the run-up to May 25th, it seems to me that most companies focused all their efforts on ensuring GDPR compliance on the consent and contracts fronts. Assuming these are now sorted, you need to make sure that the personal data that you hold about your customers and prospects is accurate and up to date. After all, although the Information Commissioner’s Office doesn’t expect everyone to be perfect by now, they have stressed the importance of demonstrating continuing efforts to achieve full compliance. As Richard Sisson, senior policy officer at the ICO says: “You can’t forget about GDPR and it’s done. It’s an ongoing thing.”

He expanded on this by saying “We are trying to reassure people that if you are trying to do the work that you can to comply, if you are working towards the accountability principle and ensuring you have records of what you’re doing, and you can show that you are working towards compliance – we may not be entirely happy all the time, but we will take those things into consideration. We understand that. We’re not going to be issuing huge fines on 25th May.”

But if you aren’t sure how accurate and up to date your data is, it won’t be! And you need to start doing something about it now. As the Chair of the EU Article 29 Working Party Isabelle Falque-Pierrotin said, “This is a learning curve and we will take into account, of course, that this is a learning curve… but it’s important that you start today, not tomorrow. Today.”

There are two key things that you need to focus on to start with:

  • Making sure that you only communicate with your customers using accurate and up-to-date data. This will minimise the numbers that are prompted to contact you to question what data you have on them and maybe lodge a Subject Access Request.
  • Being able to respond promptly and fully to Subject Access and erasure requests (Right To Be Forgotten).

An accurate and current Single Customer View is essential to have full confidence that you’re meeting your data compliance obligations – but this can involve not only implementing suitable software to create and maintain this Single Customer View, but also admin work in human review of “grey area” matches – records that might be for the same person but are sufficiently different to need someone to check and maybe dig deeper.

So how do you reduce the chances of data inaccuracies being drawn to the attention of your customers, while showing solid steps taken and scheduled if someone lodges a complaint with the ICO?

  1. Consider a comprehensive, effective audit of your personal data, checking for duplication, out-of-date and incorrect addresses, people who have moved or died, phone numbers on the Telephone Preference Service etc.
  2. Make sure that data for any mass campaign or mailing that you undertake is run through an effective data cleansing solution to fix any problems before it is sent to print or the telemarketing agency.
  3. Take steps to implement a Single Customer View. The best matching software such as matchIT Data Quality Solutions will intelligently grade matches so that the vast majority can be automatically processed: combining duplicate records and linking matching records etc. Then the chances of your customers being aware of a problem are greatly reduced.
  4. While your admin team is reviewing the low-scoring matches to make manual decisions (or even before you have done the automatic processing), matchIT Web provides a real-time Single Customer View that interrogates all your databases as part of your inquiry function: your users can see all potential matches on screen when a customer calls in. It also gives you a quick, effective way of handling Subject Access Requests and the Right To Be Forgotten.
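To make the grading idea in steps 3 and 4 concrete, here is an added example (not matchIT’s code): a small matcher that normalises name, address and postcode, scores candidate pairs, grades them into automatic processing, a “grey area” review queue or no match, and then interrogates several databases for everything that may belong to one data subject. The normalisation rules, weights and thresholds are assumptions chosen for illustration.

```python
"""Graded duplicate matching for a Single Customer View (added example, not matchIT's code).

The normalisation rules, weights and thresholds are assumptions chosen to show how graded
matching splits candidates into automatic processing and a manual review queue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from difflib import SequenceMatcher

TITLES = {"mr", "mrs", "ms", "miss", "dr"}
# Grade boundaries (assumed): at or above AUTO_MERGE the match is processed automatically;
# between REVIEW and AUTO_MERGE it is a "grey area" match for a person to check.
AUTO_MERGE = 95
REVIEW = 70


@dataclass(frozen=True)
class Record:
    source: str  # which database the record came from
    name: str
    address1: str
    postcode: str


def norm_name(name: str) -> str:
    """Lower-case, strip punctuation and courtesy titles."""
    tokens = re.sub(r"[^a-z ]", " ", name.casefold()).split()
    return " ".join(t for t in tokens if t not in TITLES)


def norm_postcode(postcode: str) -> str:
    return re.sub(r"\s+", "", postcode).upper()


def norm_address(address: str) -> str:
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", address.casefold()).split())


def similarity(a: str, b: str) -> float:
    """Share of matching characters between two normalised strings, in [0, 1]."""
    return SequenceMatcher(None, a, b).ratio()


def match_score(a: Record, b: Record) -> int:
    """Weighted 0-100 score: postcode (exact, 30), name (fuzzy, 45), address (fuzzy, 25)."""
    score = 30.0 if norm_postcode(a.postcode) == norm_postcode(b.postcode) else 0.0
    score += 45 * similarity(norm_name(a.name), norm_name(b.name))
    score += 25 * similarity(norm_address(a.address1), norm_address(b.address1))
    return round(score)


def grade(score: int) -> str:
    if score >= AUTO_MERGE:
        return "auto-merge"
    if score >= REVIEW:
        return "review"
    return "no-match"


def find_subject_records(subject: Record, databases: list[list[Record]]) -> dict[str, list[Record]]:
    """Interrogate every database for records that may belong to one data subject,
    as needed when answering a Subject Access or erasure request."""
    hits: dict[str, list[Record]] = {"auto-merge": [], "review": []}
    for db in databases:
        for rec in db:
            g = grade(match_score(subject, rec))
            if g in hits:
                hits[g].append(rec)
    return hits


# Constructed sample data: the subject as held in the CRM, plus two other databases.
SUBJECT = Record("crm", "Mr John Smith", "12 High Street", "SW1A 1AA")
BILLING = [
    Record("billing", "John Smith", "12 High St", "sw1a1aa"),  # same person, formatting differs
    Record("billing", "Jane Smith", "12 High Street", "SW1A 1AA"),  # same household; needs a human
]
MARKETING = [Record("marketing", "Peter Brown", "3 Mill Lane", "M1 1AE")]
```

Calling `find_subject_records(SUBJECT, [BILLING, MARKETING])` returns the billing “John Smith” record for automatic processing and the “Jane Smith” record for human review, while Peter Brown is ignored.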

One more thing to keep in mind of course, is that you need to make sure that your customer data is kept secure at all times while you’re on your journey towards GDPR data compliance. Maybe I should add a 5th item to those above: make sure you’ve got a plan for if the worst happens and you have to notify the ICO of a data breach… which could in turn require notifying all your customers. The sooner you have that accurate Single Customer View in place, integrated into the security of your database, the sooner you can be confident that you’re doing everything you can to minimise the chances of a breach – and the easier it will be to notify your customers should one happen.


GDPR – What you need to know about Consent

Who should read this?

This post is written for Data Controllers and anyone who needs to understand what the obligations of the Data Controller under GDPR are for obtaining consent. We’re talking about customers here, but the same obligations apply to any other personal data that you hold.

What do you need to know?

Over the last several years, data-driven marketing has been increasingly adopted as companies strive to make more effective use of their customer data. However, the advent of GDPR has led many to question whether this trend can continue. The main problem is the increased burden for obtaining consent from the customer that GDPR places on you, if you are the data controller. Before we look at this in more detail though, let’s examine when consent must be explicit and when it need not be.

Although GDPR makes several mentions of “explicit consent” rather than just “consent”, it does not define what it means by “explicit”. Explicit consent is required for automated decision-making including profiling e.g. for the purpose of deciding whether to extend an offer. If you’re relying on consent (rather than one of the other provisions of the GDPR) for processing of sensitive personal data or transferring personal data outside of the EEA, then it must be explicit.

You don’t need explicit consent if, for example:

  • You need to use the customer data to fulfil your obligations under a contract
  • It’s required by law
  • It’s in the customer’s vital interests
  • It’s in your legitimate interests, except where such interests are overridden by the interests, rights or freedoms of the customer.

Under the current Data Protection Act, consent must be freely given, specific and informed but it can be implied. As now, under the GDPR, sensitive personal data requires explicit consent. Under the GDPR, consent must also be unambiguous and you must be able to demonstrate that consent was given. It must be clearly distinguishable, intelligible and easily accessible and the customer must be informed of their right to withdraw consent – it needs to be as easy to withdraw consent as it is to give consent. There is also (under GDPR) the much discussed “Right to be forgotten” – the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. When a customer withdraws consent, they may be more likely to exercise the right to be forgotten, so systems need to be designed with this in mind.

Under GDPR it’s no longer acceptable to bundle permission into the terms and conditions governing supply; permissions must be unbundled from the contract. Each aspect for which consent is being sought also has to be explained in granular detail. To be “freely given”, consent should not be required if it is not necessary for the performance of the contract, which could affect some providers of free web services – as discussed in more detail in this post.

Do I need consent for Direct Marketing?

The legitimate interest test needs some clarification. GDPR includes an explicit mention of Direct Marketing as a legitimate interest, but as Steve Henderson points out in this interesting post on the DMA website, this must be seen in the context of how you come to obtain that data in the first place, as well as how you’re going to use it. For example, if you have obtained the contact details electronically then you continue to be bound by the Privacy and Electronic Communications Regulations (PECR) and the EU E-Privacy Directive, irrespective of the legitimate interest test. Obviously, if the personal data is used for direct mail and the data has been obtained in store or via a coupon, the legitimate interest test is applicable.

How is it going to work in the UK?

Now I want to look at how GDPR may be enshrined in UK regulations. There has been a lot of reaction from the industry to the Information Commissioner’s Office consultation on its GDPR consent guidance; it’s good to see TechUK representing these views to the Department for Culture, Media and Sport (DCMS) robustly. The draft guidance states that consent requires a positive opt-in and that pre-ticked boxes or any other method of consent by default should not be used. However, the guidance also recognises that other opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching a setting away from the default.

In the draft guidance there is a tendency to treat opt-in consent and “explicit consent” as the same, which GDPR itself does not. One potential issue which could arise is the effect that requiring opt-in consent for non-sensitive personal data could have on suppression processing: our comment to TechUK (which it included in its response to DCMS) was:

“One example of where an over-reliance on opt-in consent for non-sensitive personal data could have unintended consequences is where customers have moved to a new address. Currently, there are a handful of providers of lists of people who have moved which are used by many companies, either to suppress correspondence to that person at the old address, or (if the new address is available and it’s for a permitted purpose) to update correspondence records to the new address. The information for these lists is typically provided by financial services companies, who will not provide the data if they believe that it may be contrary to GDPR. Without the new address, suppliers would not know that their customer has moved and would be unable to contact them for permission to send correspondence – it would rely on the customer notifying each company that they have done business with of their new address. An inevitable result therefore of requiring an opt-in consent for non-sensitive personal data would be more mail for the old occupant sent to the new occupant at the customer’s old address.”

The bottom line

Although it’s easy to get bogged down in the detail of what you need to do regarding consent and to look on its tightening up by GDPR as a negative, DQM GRC research this year shows that an increasing proportion of consumers are ready to share their personal data if it’s properly explained why they should do so and the benefit to them: “two-thirds of consumers said they are willing to share their personal information in the right circumstances – a positive shift since 2016 when only half said this was the case”. The fundamental truth is still the same: an engaged customer who feels that they are in charge of the relationship is more likely to be a valuable customer.

Further reading

Some more information, including tips on how to handle the subject of consent, is in this article from Kemp Little.

In the next post, we’ll look at the differing obligations of Data Controllers and Data Processors.


GDPR Key Definitions and Terminology

This week, as part of our series on GDPR, we are looking at the key definitions in the EU General Data Protection Regulation to help you decide which of the obligations of GDPR do indeed apply to your business.

Data Controller

Like the existing Data Protection Act (DPA), the GDPR applies to Data Controllers who process personal data. So first, who is the Data Controller? This is a person who decides the purpose for which any personal data is to be processed and the way in which it is to be processed. This can be decided by one person alone or jointly with other people.

Data Processor

Unlike the DPA, the GDPR introduces specific responsibilities for the Data Processor. These are third parties that process data on behalf of the Data Controller, and they include IT service providers (many of which are among our clients). In a later post, we’ll look at the specific responsibilities of Data Processors, especially when processing is subcontracted to other Data Processors.

By the way, an employee of a company which decides what and how personal data is to be processed is a Data Controller, not a Data Processor.

Personal Data

The GDPR has a broader definition of what constitutes personal data than the DPA, by incorporating reference to identifiers such as name, identification numbers, IP address and location. Each person to whom the personal data refers is known as a Data Subject.

Sensitive Personal Data

Again, the GDPR definition of sensitive personal data is slightly broader than under the DPA. The main addition is biometric data, for the purposes of uniquely identifying a person. Actually, the GDPR talks about a special category of personal data rather than sensitive personal data but the definition is almost the same. The table below illustrates what is sensitive and what isn’t, and what isn’t personal data – but as this excellent article discussing the subject suggests, if you are asking yourself if it’s personal data or not, why not err on the side of caution and treat it as if it is?

What is personal or sensitive data?

Right to be forgotten

The right to erasure of personal data or ‘the right to be forgotten’ enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. We’ll talk more about this in the next post when we discuss consent.

Data Protection Officer

A Data Protection Officer is someone who is given formal responsibility for data protection compliance within a business. Not every business will need to appoint a data protection officer – you need to do so if:

  • Your organisation is a public authority; or
  • You carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • You carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Data Protection Authority

The Data Protection Authority in the UK will still be the UK Information Commissioner, who is tasked by the EU with the monitoring and enforcement of the GDPR within the UK. The European Data Protection Board is the “super regulator” consisting of the heads of each national supervisory authority. The Queen’s Speech last week announced a new Data Protection Bill to remove any doubt that the UK will implement GDPR so that it continues to be in force after Brexit takes effect.

Derogation

Derogation, meaning an exemption from the regulations, is something under active discussion within the DCMS (Department for Culture, Media and Sport, the relevant government department) at the moment. I’m a member of the GDPR working group of TechUK, the software and IT services industry body whose views DCMS seeks while drafting guidelines and derogations for GDPR.

Adequacy and Transfer of Data outside the EEA

If the UK leaves not only the EU but also the EEA, it matters that the GDPR allows transfers of personal data outside the EEA to any country or territory for which the Commission has made a “positive finding of adequacy”, i.e. one on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data. Achieving this “positive finding of adequacy” is one of the main aims of the consultation that DCMS is holding at the moment.

Pseudonymisation

Pseudonymisation is a method by which personal data is processed such that it can no longer be tied to an individual data subject without linking to additional data. This does offer scope for some forms of data processing to avoid the obligations attendant on processing personal data, as long as the data being provided for processing doesn’t include the additional dataset(s).
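As an added example (not from this post or from matchIT), the following shows keyed pseudonymisation of the kind described above: the controller replaces direct identifiers with an HMAC computed under a key it keeps to itself, checks that no direct identifier leaks into the dataset handed to a processor, and can re-identify or erase a subject only by combining the pseudonym with its own records and key. Field names, the record layout and the fixed keys are assumptions for illustration.

```python
"""Keyed pseudonymisation of customer data before it goes to a processor.

Added example, not from the post or matchIT: field names, the record layout and the
constructed keys below are assumptions. The point is that the processor's copy cannot be
linked back to a person unless it is combined with the key that the controller keeps.
"""
from __future__ import annotations

import hashlib
import hmac
from typing import Optional

# Fields that identify a person directly and must never leave the controller.
DIRECT_IDENTIFIERS = {"customer_id", "email"}

# Constructed sample records held by the Data Controller.
CUSTOMERS = [
    {"customer_id": "C1001", "email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120.5},
    {"customer_id": "C1002", "email": "bob@example.com", "postcode": "M1 1AE", "spend": 45.0},
]

# Constructed, fixed keys so the example is reproducible. In production generate each key
# with secrets.token_bytes(32), store it separately from the pseudonymised data, and use a
# different key per processor so their datasets cannot be linked to each other.
KEY_PROCESSOR_A = bytes.fromhex("11" * 32)
KEY_PROCESSOR_B = bytes.fromhex("22" * 32)


def pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier: deterministic for the key holder, unguessable without it."""
    return hmac.new(key, identifier.casefold().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Build the dataset a processor receives: a pseudonym plus the non-identifying attributes.

    Attributes such as postcode remain quasi-identifiers, so pseudonymisation reduces but
    does not remove re-identification risk in small populations.
    """
    shared = []
    for rec in records:
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = pseudonym(rec["customer_id"], key)
        shared.append(out)
    return shared


def leaks_direct_identifiers(dataset: list[dict]) -> bool:
    """Pre-release check: True if any record still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(rec) for rec in dataset)


def reidentify(p: str, key: bytes, records: list[dict]) -> Optional[dict]:
    """Only the key holder can link a pseudonym back, by recomputing it over its own records."""
    for rec in records:
        if hmac.compare_digest(pseudonym(rec["customer_id"], key), p):
            return rec
    return None


def erase_subject(records: list[dict], customer_id: str) -> list[dict]:
    """Honour an erasure request at the controller; the processor's pseudonymised rows for
    that person then have nothing left to link back to."""
    return [rec for rec in records if rec["customer_id"] != customer_id]
```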

Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is an obligatory method of identifying and reducing privacy risks to individuals through the misuse of their personal information when you are undertaking new projects handling personal data.

Profiling

Profiling means automated processing of personal data for evaluation, analysis or prediction. When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.

Further reading

This is by no means a complete list of the definitions used in the GDPR, but it covers the most important ones, other than terms like consent and subject access rights, which we will discuss in later posts. A brief but more complete list of definitions is available here.

In the next post, we’ll look at when you need consent.


Suppression screening, terrorism and your vote

The election today and the aftermath of the appalling events at London Bridge and Borough Market have disrupted my momentum for writing about EU GDPR and what you need to know to get ready for next May 25th. I’m a frequent visitor to Borough Market and often walk across London Bridge, so like many others, this is the first time that terrorism has seemed so close to me.

Top of my mind this week is the news that the third mass murderer at London Bridge was an Italian/Moroccan whose name is apparently on the Schengen Information System – according to the BBC, “An Italian police source has confirmed to the BBC that Zaghba had been placed on a watch list, which is shared with many countries, including the UK.” Both the Westminster Bridge and London Bridge attacks were conducted using hired vehicles, the first a car and the second a van. Last month, the U.S. Transportation Security Administration announced that it wants truck rental agencies to be more vigilant in efforts to prevent these attacks and according to the same article, Penske (a nationwide truck leasing company in the US) screens customers using a watch list.

So, the first question that springs to my mind after London is “Should vehicle rental companies in Europe be screening customers against the Schengen list?” Obviously, not all such attacks are committed using hired vehicles, but many (if not most) are committed using hired or stolen vehicles – and stolen vehicles are likely to be on a police database with an active watch being kept out for them. The larger the vehicle, the more dangerous it is, the more likely it is to be able to crash through barriers and kill and maim people – and the more likely it is to be hired or stolen rather than owned.

The next question that rose to my mind was “Will the UK still have access to the Schengen list after Brexit?” Hopefully, however “hard” Brexit turns out to be, UK and EU negotiators will have cooperation on terrorism at the top of their list and such information will continue to be shared, so increasing systematic use of this data should be top of many people’s agendas.

Last, I worried whether the increased responsibilities for protection of personal data (and vastly increased fines) being introduced with GDPR next May will lead to companies putting their own interests first when it comes to (not) sharing information about suspicious persons with the authorities, or whether there need to be exemptions written into the guidance to ensure that individuals and organisations don’t get fined for breaches of GDPR through trying to do the right thing to help protect the public? I can ask this at next week’s techUK Data Protection Group, where one of the people developing the legislation and guidance from the Department for Culture, Media & Sport will be in attendance.

One other thought concerning data about people seems particularly relevant today – last Tuesday’s Telegraph “fears that thousands of postal ballots could have been sent out to voters who have died, putting their vote at risk of being used by somebody else”. Of course, speaking from personal experience, potentially a much bigger fraud could be all the residents of care homes, especially those with Alzheimer’s, being sent postal votes. Are additional precautions taken in checking that these votes are being filled in by the residents themselves? I know that in at least some cases, the postal vote addressee is not screened against the Power of Attorney registers. Given that GDPR obliges organisations to make sure the personal data that they keep is accurate and up-to-date, I wonder how the formula for fining an organisation 2-4% of global gross revenue under GDPR applies to a taxpayer-funded body such as a local authority!?

GDPR – what is changing next May?

This is the second in a series of posts about the EU GDPR – now less than 12 months away! If you are a marketer, a business/systems analyst or a processor of third party data, this series of posts is written with you in mind – I hope you will be able to use it and the links that we provide to save you time and point you in the right direction as you grapple with the GDPR challenge. You can of course download the 130 page guide from the Information Commissioner’s website or browse through it during your lunch break, but if you want something targeted at you and split into manageable chunks, read on! In the first post, we mentioned how a genuine Single Customer View helps to keep data accurate and up to date. In this post we cover what will change from the current Data Protection Act.

At another very informative TechUK meeting last week on this topic, Rob Luke from the ICO described GDPR as an evolution of the existing rules and not a revolution. Essentially the GDPR is tightening up and clarifying existing rules more than introducing new ones, but there are two big differences:

  • Most obviously there are now huge penalties that can be imposed as discussed last week.
  • There are now responsibilities for data processors as well as data controllers, which is particularly significant for our industry.

Other key changes include mandatory notification of breaches, stricter rules on what constitutes sensitive personal data, making it harder to obtain consent and the introduction of mandatory data protection officers for some types of usage.

We will look at the new obligations for data processors in a later post aimed solely at our professional service provider audience, as well as looking at the new obligations for data controllers in a post specific to them. The key aspect of the GDPR which bears on the relationship between data controller and data processor is the much tighter control of data transfer and the need for written agreements between the two parties detailing their respective responsibilities. We will also look at when you need to obtain explicit consent and what has changed in this respect in a later post – whether you can adopt opt-out or have to settle for opt-in is now a more complex question.

Finally, if you are designing new systems, GDPR obliges you to undertake a Privacy Impact Assessment and incorporate Privacy by Design into your system – privacy and security should not be an afterthought. You must also incorporate privacy by default into collection of personal data: Fieldfisher’s blog summarises it as “businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for these purposes”. They state as an example that systems should “allow suppression of data of customers who have objected to receiving direct marketing”.

In the next post we will look at the key definitions in the GDPR so you can decide whether some of the obligations do indeed apply to your business. If you can’t wait, you can get a head start by reading this table in White & Case’s excellent handbook on GDPR. To be prompted about the next instalment in our series of posts, follow us on Twitter.


EU GDPR now just 12 months to go – where do you start?

As you should know, the EU General Data Protection Regulation (GDPR) comes into force one year from today, 25th May 2018. As we will still be in the EU then, whatever kind of Brexit we are in for, you only have 12 months to make sure that all your systems support compliance. If you need any incentive to start taking this seriously, you only have to consider that the maximum fine for breach of data protection regulations is increasing from £500,000 to €10 million or 2% of global gross revenue (whichever is higher) – that’s just for a level 1 breach, with double these amounts for a level 2 breach!

To help you on your journey to GDPR compliance, we will be publishing a series of posts about aspects of GDPR over the next few weeks. Initially, we will cover:

After that, we will look at how matchIT Data Quality Solutions can help you be compliant and avoid breaches of the new law – especially how a genuine Single Customer View helps to keep data accurate and up to date and ensures that you can respond to Subject Access Requests promptly, fully and efficiently.

The implications of GDPR are far reaching and HMG guidance is still being developed by the Department for Culture, Media and Sport, in consultation with industry bodies such as TechUK. Some companies may find that with only one year to go, they may not be able to become completely compliant by then – in which case, it is vital to mitigate potential costs of non-compliance by demonstrating effective progress, with a realistic timetable for full compliance. Look out for our next few posts to help you navigate towards that goal!