Tag Archives: gdpr

Countdown to GDPR: How well are you prepared for the new regulation?

25 May 2018 is the day the General Data Protection Regulation (GDPR) starts to apply, superseding the Data Protection Act 1998 as the basis of UK data protection law.

As a business that handles and manages consumer data, we have spent more than 12 months building a roadmap of what we need to have in place. For many businesses, though, there are immediate steps that can be taken towards compliance with the new regulation.

Opportunity for advantage

The first thing to note is that a technical solution is not a panacea: a piece of software won’t make you compliant.

It’s up to you to know what your responsibilities are and what you need to have in place, such as processes and policies. Importantly, you must be able to demonstrate that you comply with GDPR, i.e. you must be able to show that you are accountable.

Another important step is to gain buy-in from the top of your organisation, so that the steps you take are valued. If GDPR processes are seen as a box-ticking exercise, gaps will appear throughout the organisation that put you at risk.

Instead, look at GDPR as a way of acting responsibly and as an opportunity that could give you a competitive advantage.

Frequently asked GDPR questions

As a data-driven business, we are often asked by other businesses for guidance on GDPR preparation. So, in the lead up to 25 May, The Lead Agency’s compliance manager Kathy Fleming will be answering some of the burning and more common GDPR questions to help you with your preparations.

“We’re an SME with just over 100 employees – do we need to do anything about GDPR? Isn’t there an exemption?”

KF: If you handle personal information, then you have responsibilities under data protection law, and the introduction of the GDPR doesn’t change this. GDPR places obligations on organisations to document and maintain records of their data processing activities. However, there is a limited exemption which means that if you have fewer than 250 employees, you only need to keep limited records. Don’t forget, you may be required to make the records available to the Information Commissioner’s Office (ICO) on request!

The ICO website has produced some useful templates that you can use for this purpose.

“Do we need to appoint a Data Protection Officer (DPO)?”

KF: There is a duty to appoint a DPO only in certain circumstances (if you’re a public authority or if you carry out activities on data that require large scale, regular and systematic monitoring, such as online behavioural tracking).

However, even if you aren’t required by law to appoint a DPO, you may decide to voluntarily appoint someone to carry out these tasks, or you may just decide to make someone responsible for making sure that data protection is given due consideration throughout your business.  The consequences of getting it wrong can not only mean a financial penalty, but your brand and reputation may suffer too.

“What is the Right to be Forgotten and what does this mean for businesses? Do we have to delete records if an individual asks us to?”

KF: The Right to be Forgotten (the Right to Erasure, to give it its correct name) is not an absolute right. Basically, it means that certain conditions must be met before an organisation has to erase data:

  • If it’s no longer necessary for you to keep the data
  • If you asked for consent to process the data and consent is subsequently withdrawn
  • If you relied on ‘legitimate interests’ to process the data and the individual objects, and you can’t show any overriding reasons to continue processing it
  • If the individual objects to direct marketing
  • If you haven’t processed it lawfully in the first place
  • If a legal obligation compels you to
  • If the data has been processed in relation to data collected from children, especially processing of this information on the internet.

“What does the right to be informed mean?”

KF: If you collect personal data from individuals, you must provide them with certain information. This applies to employees as well as your customers and, generally, you should do this at the time you collect the information from them. One way to do this (especially if you are collecting information online) is to provide easy and simple access to a Privacy Notice on your website. The information you provide should include:

  • Your name and contact details (including your Data Protection Officer if you have one)
  • The purpose for processing their data
  • What lawful basis you are relying on (consent, performance of a contract, etc.)
  • How long you are going to keep the information for
  • What their rights are
  • Who they can complain to

A complete list of what information you need to provide can be found on the ICO website.

If you have a question, email it to [email protected] or post it as a comment on LinkedIn.

TLA appear on GDPR discussion panel

The Lead Agency’s compliance manager / data protection officer Kathy Fleming will take to the stage this morning for BusinessCloud’s GDPR – are you ready? panel discussion.

Kathy joined the business recently to lead our GDPR programme, alongside our other compliance activity. She has taken over the responsibility from our data team, which began preparing for the new regulation around 18 months ago.

Today’s breakfast event, taking place at UKFast Campus in Manchester, will see data protection experts, legal professionals and business leaders discuss what companies can do to prepare for GDPR.

The full list of speakers is as follows:

  • Oliver Shaw, CEO, Cascade;
  • Kathy Fleming, compliance manager, The Lead Agency
  • Nicola Frost, head of legal and company secretary, UKFast
  • Liz Ashall-Payne, founder and CEO, ORCHA
  • David Helliwell, owner, Helliwell Media
  • Edward Whittingham, managing director, The BFPP
  • Sean Crotty, partner, Weightmans
  • Anna Dick, CTO, Hiring Hub
  • Elizabeth Clark, CEO, Dream Agility

BusinessCloud is a north-west-based tech publication that runs a number of events across the region. Its GDPR event is sponsored by Weightmans and Cascade.

For more on our data protection approach or GDPR programme, contact us today.

Preparing for GDPR: Practical steps companies can take

With May 2018’s General Data Protection Regulation (GDPR) in sight, The Lead Agency’s compliance manager Kathy Fleming discusses how companies can prepare.

Accountability

Under GDPR, companies will need to be able to demonstrate their compliance (referred to as ‘accountability’).

The first step is to review current processes, procedures and policies so that they can be benchmarked against the requirements of GDPR. This will help companies to identify where small improvements are needed as well as bigger gaps that require more time and attention.

Third-parties and data

Make sure third-party companies who process data on your behalf are compliant. Ensure all written contracts include your instructions and expectations for them to provide a fully compliant service.

The accountability still sits with your company but ensuring your partners meet your requirements will provide peace of mind.

How long to keep personal data

If you’re storing personal data, create a retention schedule and make sure that you don’t keep the data longer than you need to. Just because storage space is cheap doesn’t mean you can keep it forever.

Make a record of the data processing activities that your business is responsible for. Examples include the purposes of processing, a description of the categories of the individuals, categories of personal data, recipients of personal data, retention schedules and the security measures that are in place.

These steps will help you to demonstrate your compliance and accountability.

Customer consent

GDPR will have stricter standards for consent than current data protection legislation. Among the requirements will be making it as easy for people to withdraw consent as it is to provide it.

If you manage an online service that lets people log in to a personal account, consider including the option to withdraw consent within their account preferences.

Conditions for processing

Make sure you’re clear about the legitimate and justifiable reason for using an individual’s personal data. The lawful basis you rely on dictates some of the rights that individuals can exercise.

Data portability, for example, is a new right that allows individuals (in certain circumstances) to receive the personal data they have provided to the company in a ‘commonly used, machine-readable’ format and port it elsewhere. It gives the individual the ability to obtain and reuse their data for their own purposes and across different services.

Right to be forgotten

If a customer exercises their ‘Right to be Forgotten’, do the systems you use actually allow you to erase data, including from backups and from any copies held by the processors working for you? If not, but the data is no longer of any use and there is no legitimate reason to keep it, you will have to find a way of anonymising it.
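As an added illustration of ‘finding a way of anonymising it’ when a store cannot simply delete rows, the Python below is example code written for this page, not The Lead Agency’s system. It strips direct identifiers, coarsens quasi-identifiers (date of birth to year, postcode to outward code) and destroys the per-subject HMAC key from which any pseudonymous tokens in other tables were derived, so those tokens can no longer be re-linked to the person. That last step is the ‘crypto-shredding’ pattern, which the article itself does not mention; the field names and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Field names are assumptions for this example, not a schema from the article.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "ip"}
SUBJECT_FIELD = "subject_id"


class PseudonymKeys:
    """One random HMAC key per data subject. Tokens derived from the key (for example
    the pseudonym used in an analytics table) can only be re-linked while the key
    exists, so destroying the key is the erasure step for data the store cannot delete."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def token(self, subject_id: str, value: str) -> str:
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def destroy(self, subject_id: str) -> None:
        self._keys.pop(subject_id, None)

    def can_relink(self, subject_id: str) -> bool:
        return subject_id in self._keys


def generalise(field: str, value: str) -> str:
    """Coarsen quasi-identifiers so the value describes a group, not a person."""
    if field == "dob":
        return value[:4]            # "1985-03-12" -> "1985"
    if field == "postcode":
        return value.split()[0]     # "M1 4BT" -> "M1" (outward code only)
    return value


def anonymise(record: dict, keys: PseudonymKeys) -> dict:
    """Copy of the record without direct identifiers, with quasi-identifiers
    generalised, and with the subject's pseudonym key destroyed as a side effect."""
    out = {f: generalise(f, v) for f, v in record.items()
           if f not in DIRECT_IDENTIFIERS and f != SUBJECT_FIELD}
    keys.destroy(record[SUBJECT_FIELD])
    return out


def contains_personal_data(record: dict) -> bool:
    """Cheap post-condition: no direct identifier or subject id survives."""
    return bool(DIRECT_IDENTIFIERS & record.keys()) or SUBJECT_FIELD in record


def demo() -> dict:
    keys = PseudonymKeys()
    record = {  # constructed sample enquiry, not real data
        "subject_id": "subj-42", "name": "Alice Example", "email": "alice@example.com",
        "dob": "1985-03-12", "postcode": "M1 4BT", "vehicle_interest": "hatchback",
    }
    analytics_token = keys.token("subj-42", record["email"])  # stored in another table
    relink_before = keys.can_relink("subj-42")
    anon = anonymise(record, keys)
    return {"anon": anon, "still_personal": contains_personal_data(anon),
            "relink_before": relink_before, "relink_after": keys.can_relink("subj-42"),
            "token_len": len(analytics_token)}
```

Caveat: generalisation alone does not guarantee anonymity. A small group (one hatchback enquiry from one outward code in one birth year) can still be identifiable from the remaining fields, so the output should be assessed against the ICO’s anonymisation code of practice before it is treated as non-personal data. Note too that `anonymise` does not modify the original record; the caller still has to overwrite or retire it.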

Privacy notices

Check that Privacy Notices are clear, concise, transparent and unambiguous. Companies will be expected to provide a lot more information to customers, so the best way to approach this is by taking a layered approach.

Rather than overwhelming people with information, companies can present the key privacy information immediately and in short form, with more detailed information available for those who want it.

Security measures

Think about basic security measures to keep data safe. Many are easy to implement: buying a cross-cut shredder to dispose of confidential waste, or using screen locks after a short period of inactivity so that information can’t be accessed when people aren’t at their desks. Treat these as the floor, not the ceiling: GDPR expects technical and organisational measures appropriate to the risk, and it names pseudonymisation, encryption and regular testing of the measures as examples, so access control, encryption of personal data at rest and in transit, and patching of the systems that hold it belong on the same list.

Nature of the business

There are many other aspects of GDPR that companies will need to consider depending on the nature of their business and extent of the service they provide. These include things such as territorial scope, processing involving children’s data, definitions of ‘personal data’ and ‘sensitive personal data’ (special categories), breach notification, profiling, appointment of a DPO etc.

If lead generation is among your considerations, speak to our team today to discuss your approach.  

TLA strengthens in Liverpool with double appointment

We are pleased to welcome two important additions to our team in Liverpool.

Patsy Mawdsley has joined the business as our new head of the contact centre from Arvato’s BMW team.

Patsy will lead a team of more than 40 customer service operatives and report directly to Tom White, who joined us earlier this year as automotive managing director. The contact centre is responsible for engaging, nurturing and qualifying our clients’ future customers within automotive, higher education and property.

Our new addition brings more than 12 years’ experience in contact centre management, spanning basic call handling through to multi-channel engagement.

Data protection officer

Joining her through the door is data protection officer/compliance manager Kathy Fleming, who arrives from Betfred, where she held the role of data protection officer. Her remit will be to continue developing the company’s compliance programme, which covers data and finance as well as a number of other processes.

Kathy, who has previously worked for Your Housing Group and St Helens Council, is a specialist in data protection and will be responsible for developing and embedding processes that ensure the business’s full compliance with GDPR.

For our latest vacancies, visit our careers page

Preparing for GDPR: Documentation of consent

In the latest in our series on GDPR, we look at one of the key aspects of the regulation: the documentation of consent.

In order to comply with the EU General Data Protection Regulation, companies will be required to keep a wide range of documentation. According to the ICO, the following bad and good examples indicate the level of documentation of consent you will be required to maintain:

BAD: “You keep the time and date of consent linked to an IP address with a web link to your current data-capture form and privacy policy”

GOOD: “You keep records that include an ID and the data submitted online together with a timestamp. You also keep a copy of the version of the data-capture form and any other relevant documents in use at that date”

On a recent webinar, The DMA said that ‘relevant documents in use’ could, for example, refer to a telephone call script. As a lead generation company that manually qualifies leads via telephone calls, this is highly applicable to the way we work. Plus, as we introduce a more omni-channel approach to consumer communication, this would then extend to transcripts of online communications using channels such as Facebook Messenger, WhatsApp etc.
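The ICO’s ‘good’ example above, together with the point in the earlier ‘Customer consent’ article that withdrawing consent must be as easy as giving it, amounts to an append-only log of consent events. The Python below is an added illustration of such a log written for this page; it is not The Lead Agency’s system or anything published by the ICO, and the subject ids, purpose names, channel names and sample form and notice text are all constructed for the example. Each event records who, when (in UTC), for which purposes, through which channel and what was submitted, and references the exact version of the data-capture form and privacy notice by the SHA-256 of its text, so what gets produced on request is the archived text rather than a screenshot or a link to the ‘current’ form. Events are hash-chained so that an altered or deleted record is detectable, and withdrawals are replayed over grants to give the consent state currently in force.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first event


def version_id(document_text: str) -> str:
    """SHA-256 of a form's or notice's exact text: a record tied to this id points at
    precisely what was shown, not at whatever the 'current' form happens to be."""
    return hashlib.sha256(document_text.encode("utf-8")).hexdigest()


def _event_hash(event: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._documents: Dict[str, str] = {}  # version id -> archived text
        self._events: List[dict] = []         # append-only, hash-chained

    def archive_document(self, text: str) -> str:
        vid = version_id(text)
        self._documents[vid] = text
        return vid

    @staticmethod
    def _stamp(at: Optional[datetime]) -> str:
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        return at.astimezone(timezone.utc).isoformat()

    def _append(self, event: dict) -> str:
        event["event_id"] = str(uuid.uuid4())
        event["prev_hash"] = self._events[-1]["hash"] if self._events else GENESIS
        event["hash"] = _event_hash(event)
        self._events.append(event)
        return event["event_id"]

    def record_consent(self, subject_id, purposes, submitted, form_version,
                       notice_version, channel, at: Optional[datetime] = None) -> str:
        if not {form_version, notice_version}.issubset(self._documents):
            raise ValueError("consent must reference archived document versions")
        return self._append({"type": "consent_given", "subject_id": subject_id,
                             "timestamp": self._stamp(at), "purposes": sorted(purposes),
                             "submitted": submitted, "form_version": form_version,
                             "notice_version": notice_version, "channel": channel})

    def record_withdrawal(self, subject_id, purposes, channel,
                          at: Optional[datetime] = None) -> str:
        return self._append({"type": "consent_withdrawn", "subject_id": subject_id,
                             "timestamp": self._stamp(at), "purposes": sorted(purposes),
                             "channel": channel})

    def current_consent(self, subject_id: str) -> Dict[str, str]:
        """Purpose -> event id of the grant still in force, after replaying withdrawals."""
        state: Dict[str, str] = {}
        for e in (e for e in self._events if e["subject_id"] == subject_id):
            for purpose in e["purposes"]:
                if e["type"] == "consent_given":
                    state[purpose] = e["event_id"]
                else:
                    state.pop(purpose, None)
        return state

    def evidence(self, event_id: str) -> dict:
        # The event plus the exact form and notice text in force when it was captured.
        ev = next(e for e in self._events if e["event_id"] == event_id)
        return {"event": ev, "form_text": self._documents[ev["form_version"]],
                "notice_text": self._documents[ev["notice_version"]]}

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self._events:
            if e["prev_hash"] != prev or _event_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    # Constructed walk-through: consent given on a web form, email marketing later
    # withdrawn from account preferences, then a simulated edit to a stored record.
    ledger = ConsentLedger()
    form_v1 = ledger.archive_document("Enquiry form v1: [ ] contact me about test drives")
    notice_v1 = ledger.archive_document("Privacy notice v1 (constructed sample text)")
    given = ledger.record_consent("subj-42", ["marketing_email", "test_drive_call"],
                                  {"email": "alice@example.com"}, form_v1, notice_v1,
                                  "web_form", at=datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    ledger.record_withdrawal("subj-42", ["marketing_email"], "account_preferences",
                             at=datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc))
    result = {"given": given, "state": ledger.current_consent("subj-42"),
              "evidence": ledger.evidence(given), "chain_ok": ledger.verify_chain()}
    ledger._events[0]["purposes"].append("sms")  # simulate tampering with a stored record
    result["chain_ok_after_tamper"] = ledger.verify_chain()
    return result
```

Storing each document version once and referencing it by hash keeps the evidence inside the database, which avoids the separate screenshot store and its extra copy of personal data. For a telephone or chatbot channel the same event shape applies, with the archived ‘document’ being the call script or conversation flow in use and `submitted` carrying the call recording reference. A real deployment would also need access controls and a retention rule for the ledger itself, since the consent records are personal data too.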

Consent documentation in lead generation

For some companies, this documentation of consent is potentially a high bar to meet. Depending on their technical infrastructure, they may be relying on a third party hosting/website company to implement the means to capture the correct timestamps, etc. at the point of data collection for example.

As a mature player in the industry, this is a low bar for TLA. All of our website assets are built and managed in-house, and enquiries are recorded in secure databases. This means that we are fully in control of how we record this information, including the text and policies that were seen and the user’s choices. Where consent is gained in a telephone call, we use robust call recording technology, and our QA team is constantly checking for quality and compliance.

We are currently building a compliance portal where partners will be able to access complete and transparent audit trail information, showing the entire customer journey through our processes as well as providing access to call recordings.

Other documentation solutions

For a straightforward web-based data capture form, simple software solutions have entered the market, but these are not without limitations. Something that takes a screenshot of the enquiry form at the point of submission, for example, creates technical and storage overheads and ultimately puts personal data in storage outside the database, which is itself a risk: a second copy to secure, retain and erase. This approach also only covers a small part of the consent process in a more complex user journey.

With the progression of technology and changes in consumer habits, we are embracing new ways to communicate with our consumers. Many prefer an interactive enquiry rather than fixed, form-based approach and we are currently trialling our latest chatbot technology that engages with consumers through conversation in order to generate enquiries. Again, because these are built in-house, and feed directly into our own systems, we can obtain and record consent in these systems in a way which third-party software solutions could not.

Keep an eye out for more details of some of our latest tech innovations, as well as GDPR-related articles, via the News & Views.

Bill Lawrenson, business intelligence manager, The Lead Agency

Preparing for GDPR: What can companies learn from the Equifax data breach?

Following our recent post about GDPR and the UK’s Data Protection Bill and in a continued effort to help companies prepare for the new legislation, we’ve turned our attention to a major data story from the US.

Following on from Yahoo’s one-billion-record loss and the exposure of almost 200m US voter records, data company Equifax has now acknowledged the loss of 143m consumer records.

The loss included data that is very valuable to criminals who want to steal people’s identities, such as addresses, dates of birth and Social Security numbers. To add insult to injury, Equifax offers an identity theft protection product as part of its portfolio.

So, other than improving and testing data security, what lessons can companies learn from the breach?

Lessons to be learned

The first point is one of basic PR. The full details are not yet known, but it appears that the breach was discovered on 29 July, six weeks before it was announced to the public on 7 September.

Once the public was made aware, consumers were told to call a hotline number or directed to a website for information. People who tried the hotline complained that they waited a long time to get through, and were then told to visit the website. The website presented an offer of free signup to a year’s identity theft protection.

This offer could seemingly mitigate some of the risks of the data breach itself. But legal experts sounded a note of caution when it was discovered that the T&Cs of the sign-up contained an arbitration clause preventing the consumer from suing Equifax. This has been seen by some as a cynical manoeuvre to mitigate Equifax’s own losses. By Friday, Equifax stock had lost 14% of its value.

GDPR and data breaches

One of the biggest impacts of GDPR is the reporting of data breaches. We don’t know when Equifax reported this breach to US authorities. But, under GDPR, a breach that is ‘likely to result in a risk to the rights and freedoms of individuals’ (including financial loss or loss of confidentiality) must be reported to the ICO within 72 hours of the organisation becoming aware of it. If the breach is likely to pose a ‘high risk’ to the rights of individuals, those concerned must also be informed directly, without undue delay.

Failure to notify a breach can result in a fine of up to 10 million euros or 2% of global annual turnover, whichever is higher.

How to prepare

Once companies have taken steps to protect their data, what can they do to prepare for a data breach?

The first thing is to identify breaches: ensure that staff know what a breach is, and create a culture where people aren’t afraid to report something that looks like one.

Once a breach is identified, having a plan to deal with it is as imperative as any other part of a disaster recovery plan. The procedures should be brief and easily accessible, and should set out who decides whether the 72-hour notification is triggered, how evidence such as logs is preserved for the investigation, and templates for statements to the media.

In summary: take all steps to prevent breaches; identify them as soon as possible if they do occur; and have a plan in place to deal with them.

Bill Lawrenson, business intelligence manager, The Lead Agency

Preparing for GDPR: Understanding the UK’s new Data Protection Bill

Yesterday, the Department for Digital, Culture, Media and Sport (DCMS) published a statement of intent for a forthcoming Data Protection Bill. The purpose, it claims, is to bring the UK’s data protection laws up to date, support innovation and ensure “our data is safe as we move into a future digital world”.

Missing from the statement was any mention of the General Data Protection Regulation (GDPR), the heavily publicised Europe-wide regulation that comes into force in May next year.

The DCMS announcement, which you can read more about here, has caused confusion amongst companies working towards GDPR compliance. How do the two relate? Does one replace the other? Will the UK’s law come into force sooner than the GDPR?

GDPR in lead generation

The Lead Agency is at the forefront of the lead generation industry with our approach to GDPR, having implemented a programme in 2016 to ensure we are fully compliant. Quality has always been a key foundation, which has given us a competitive edge, and compliance is one of the pillars upon which it is built.

As well as internal education about GDPR, we have liaised with motor manufacturers and agencies to inform them and to understand their perspective, and we have attended events and conferences outside our own industry to learn from others, to provide support, and to help spread the message about GDPR. In some cases, this can be as simple as relaying the fact that Brexit won’t affect implementation of the GDPR: because it is a regulation rather than a directive, it applies directly in every member state from 25 May 2018 without national implementing legislation, and the UK will still be a member state on that date.

GDPR will have many benefits: as consumers ourselves, it is important that we have control of our data, and as a company that serves consumers, we believe it is right that our consumers are aware of what their data is being used for.

We perceive that enforcement of GDPR will lead to companies who fail to recognise the significance of protecting consumers’ data, and of informing and allowing consumers choices in what happens to their data, ultimately exiting the market. At TLA, GDPR is not simply seen as an ‘IT/Compliance’ issue – it affects all areas of the business.

Ultimately, many of the principles of GDPR are equivalent to those of the Data Protection Act, which has been in place since 1998: it is evolution, not revolution, so the businesses destined to fail are likely to be those that already lack a compliance framework. For businesses that operate good practices under current legislation, it is essential to ensure that the entry and exit points of data into the business meet the new standards, and that the relationships between all parties in the data supply chain are correctly defined and documented.

GDPR and the UK’s Data Protection Bill

The decision to avoid mention of GDPR or Europe in the DCMS press release will be seen as a political move by some commentators. GDPR is an example of an EU law that will definitely benefit consumers, which doesn’t particularly fit the narrative of ‘Leave’ campaigners; ministers who supported ‘Remain’ will be happy to market an EU-crafted law as their own if they think it will sit well with voters.

Fundamentally, the GDPR will apply from 25 May 2018 regardless of the UK’s new bill. At its simplest, the bill cements GDPR into UK law through Brexit and beyond. As well as embedding GDPR in UK law, the government will use derogations in some areas and augmentations in others to supplement it. Examples include the manifesto promise to let a person request the deletion of social media data posted before they turned 18, and exemptions for journalists in certain circumstances to balance privacy against freedom of expression. The new law will also repeal the Data Protection Act 1998.

The bill itself is likely to be published after the summer recess, at which point it will be clearer whether the government intends to align it with the current GDPR timetable. The government’s slim majority will affect the speed at which it can progress Bills. However, given the more controversial Brexit legislation likely to be pushed through in the coming year, it seems unlikely that opposition parties will expend much energy hindering this one, unless there are as-yet unmentioned efforts to use it to allow the government to access our data more freely, with the civil liberties implications that would raise.

Are the new UK data protection laws a good thing?

As expressed previously, for consumers, having greater control over their data is important in a data-driven world. From a business perspective, this is the first and essential step to ensuring that EU partners will trust the UK to process the data of EU citizens post-Brexit. Without an ‘adequacy’ decision from the EU, transferring personal data from the EU to the UK will require additional safeguards and bureaucracy, a potential hindrance to UK business.

We look forward to seeing the final law when it’s published, and will be carefully noting the responses of industry and government bodies.

Bill Lawrenson, business intelligence manager