If your business takes possession of personal information, such as a list of named individuals to be mailed or cleansed, then chances are you will need to make changes to your business to become compliant with the General Data Protection Regulation (GDPR). Organisations that collect, store and ‘own’ data are classified as data controllers, whereas organisations that take custody of the data and use it on the controller’s behalf, for example to print and send a direct mail campaign, are classified as data processors.
From May 2018 data processors such as mailing houses, printers and data bureaux will be subject to many of the same new legal obligations enforced upon data controllers. Failing to adequately prepare your business for GDPR increases the risk of fines, but it will also likely cost data processors their clients. Organisations that send mail will seek out only GDPR-compliant mail producers in order to limit their own exposure to breaches and fines.
“GDPR means a new type of relationship between processors and their data controller customers – with more detailed and explicit instructions tallied to strong control by the processor. The benefits will include greater clarity for processors and much greater confidence from their clients.”
Peter Galdies, Development Director DQM GRC
The Information Commissioner’s Office Is Serious About GDPR
Unprecedented power has been granted to the Information Commissioner’s Office (ICO), the independent authority tasked with enforcing GDPR here in the UK. Those failing to adhere to the regulation face fines of up to €20 million or 4% of annual global turnover, whichever is higher. What is also clear is that this is no empty threat. Since 2014 both the number of fines and the value of fines have risen each year. As of September 2017, 48 fines totalling more than £3.5m had been issued and the total was well on course to double that of the previous year. This sharp rise comes before the introduction of GDPR, under current rules that are far more forgiving and cap fines at £500,000. When GDPR comes into force in May 2018 the velocity and value of these fines is likely to rise sharply once more.
Figure 1 – ICO Fines (taken 15/09/2017) (https://ico.org.uk/action-weve-taken/enforcement)
“The new GDPR legislation is a game changer for data processors. Increased responsibility to their customers and huge legal liabilities for failure to comply mean that all those organisations processing data on behalf of others need to take action.”
Christine Andrew, Managing Director DQM GRC
How Data Processors Should Prepare for GDPR
The GDPR text is 11 chapters and 99 articles long; however, Article 28 is specifically directed at data processors. This article sets out the explicit requirements for data processors, which will include mail producers, printers and data bureaux. Data processors should take action in these 5 areas of GDPR:
- Update Legal Contracts – with clients to agree processing activities
- Carry Out a Data Audit – to demonstrate compliance and make changes to policies
- Keep Records – of all data processing work carried out
- Update Processes, Policies and Training – in readiness for GDPR compliance
- Prepare to Assist ICO and Clients – in the event of an audit or breach
1. Implement a Legal Contract for Processing
Taking a data processing brief over the phone or undertaking processing work without a contract will not be acceptable from May 2018.
From the Text: “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law”
From the Text: “processes the personal data only on documented instructions from the controller”
GDPR requires a written, legally binding contract between the data processor and the data controller (Article 28(9) allows it to be in electronic form). The processor’s generic standard terms and conditions will not be enough on their own: the contract must stipulate in writing the specific processing work to be carried out.
From the Text: “[The contract] sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”
The text implies that activities such as screening, merging, sorting, suppressing or home-mover tracing of recipients must all be explicitly stated and agreed to by the data controller. Although a single contract can govern an ongoing relationship covering recurring jobs of the same kind, most processors will need to develop a template contract which can be quickly and easily tailored to the processing work to be carried out.
From the Text: “The processor shall not engage another processor without prior specific or general written authorisation of the controller”
The obligations of the data processor are also extended to subcontractors: Article 28(4) requires the same data protection obligations to be imposed on any sub-processor by contract. Mail producers who engage a data bureau or online cleansing service will need to ensure their contracts with clients provide unambiguous written authorisation to use these named third-party processors. Where the authorisation is general rather than specific, the processor must also inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object.
Take Action: Commission or update a legal contract template which can be easily amended for all the various types of data processing your organisation undertakes.
2. Undertake a Data Audit
Much like the data controller, the data processor must be aware of the personally identifiable information it holds. In the ICO’s guide “Preparing for the General Data Protection Regulation” it is suggested that organisations document:
- What personal data is held
- Where it came from
- Who it is shared with
Data processors should consider whether historical data supplied by clients could be safely erased and whether policies for data retention need to be updated. If there is a legitimate requirement to retain personally identifiable information within the organisation, then consider encrypting that data at rest to reduce the impact of a breach, and restrict access to the data to the minimum number of staff who need it. Document the process to demonstrate compliance and accountability in the event of an ICO audit or a data breach anywhere in the data’s chain of custody.
Take Action: Undertake a data audit to determine what personally identifiable data is held. Safely erase all unnecessary data and update policies to minimise retention and encrypt data.
3. Keep Records of Processing Activity Carried Out
Article 30 “Records of Processing Activities” requires data processors to keep a record of the processing they carry out on behalf of controllers. Article 30(5) exempts organisations employing fewer than 250 persons, but only where the processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects and does not include special categories of data; a mailing house or bureau that routinely processes client data will rarely qualify for this exemption, whatever its size.
From the Text: “Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller”
The text specifically requires data processors to record the following details for each controller they process on behalf of; capturing them on every job is the simplest way to keep the record complete.
- Name and contact details of the processor(s) and each controller (and, where applicable, their representatives and data protection officers)
- Categories of processing carried out on behalf of each controller
- Transfers of personal data to a third country or international organisation, with the safeguards applied
- A general description of the technical and organisational security measures in place
Mail producers, printers and data bureaux will need to consider implementing changes to their job management systems to ensure data processing work is captured and logged consistently and efficiently. Ideally the change should build on an existing process, such as adding extra fields to an existing job sheet or booking-in form.
Take Action: Implement a process for recording data processing activity. Either implement a change to existing management or job logging systems or create an online form to be completed before data processing work commences.
4. Update Documentation, Processes and Train Staff
Accreditations such as ISO 27001 are not measures of GDPR compliance; however, the ISO standard does advocate the implementation of documentation and processes which may be useful in demonstrating GDPR compliance.
From the Text: “Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees”
Some documents and policies to consider implementing or updating prior to the enforcement of GDPR include:
- Data Protection Policy
- Data Retention Policy / Schedule / Erasure Procedure
- Data Processing Procedure
- Data Breach Notification / Reporting Procedure
- 3rd Party Processing / Subcontracting Contract
- Subject Access Request Procedure / Form
- Data inventory / Information Asset Register
- Data Mapping Documentation
Documenting procedures should be complemented by training existing staff and new hires about the regulation and the resulting process changes.
Take Action: Determine which policies are missing or require updating to demonstrate compliance with GDPR. Consult a solicitor where relevant to implement or update policies to comply with GDPR.
5. Prepare to Assist ICO and Clients
Unlike the current Data Protection Act, which places its obligations almost entirely on the data controller, GDPR imposes direct statutory obligations on the data processor. In the event of a data breach or an ICO inspection the data processor must demonstrate compliance with its own obligations under the regulation, alongside the data controller.
From the Text: “[Data processors must] assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights”
In practical terms, data subjects, for example the recipients of a direct mail programme, may exercise their right to be removed from a client database. If a data processor fails to take the measures needed to effectively suppress or remove that record after instruction from the data controller to do so, the processor could itself face enforcement action from the ICO.
From the Text: “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing”
If data is stolen, lost or compromised while in the data processor’s custody, it is the data processor, and not only the controller, who risks monetary penalties or even prosecution by the ICO. Article 33(2) also requires the processor to notify the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own 72-hour deadline for notifying the ICO.
Take Action: Implement data breach reporting and notification procedures, including prompt notification of the affected controller, together with internal management processes to ensure all GDPR-related policies are being followed.
Why GDPR Compliance is Good for Business
From the Text: “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation”
GDPR may be regarded as an unwelcome burden for mail producers, printers and data bureaux; however, it also undoubtedly represents an opportunity. By taking action early and being able to demonstrate GDPR compliance, processors could elevate their status with existing clients and perhaps even win some new ones. GDPR has the potential to improve sentiment towards direct marketing and could, somewhat paradoxically, help to ensure the sustainability of the channel over the long term.
For those looking for direct assistance in preparing for GDPR, The Software Bureau has partnered with DQM GRC, experts in GDPR compliance and technology. DQM GRC provide a unique GDPR Radar Assessment which can help identify specific actions to take for your organisation. To find out more about the Radar Assessment, please contact Mark Dobson on mark.dobson@thesoftwarebureau.com or 0870 735 1322.