GDPR: a complex puzzle

words: Tim Power

On 25 May a new law regarding the holding of personal information comes into force: the General Data Protection Regulation (GDPR). This law builds on the existing Data Protection Act 1998 (DPA) and will streamline data protection legislation across Europe, but its principle aim is to give citizens more control over the information that organisations hold on them.

If organisations do not abide by their obligations to keep personal data secure, or use it for purposes beyond what it was collected for, they can be hit with larger financial penalties than under the DPA. In the UK, the Information Commissioner’s Office (ICO) is responsible for policing the GDPR and it has a two-tiered sanction regime: ‘lesser’ incidents are subject to a maximum fine of either €10 million or 2% of an organisation’s global turnover, whichever is greater; the most serious breaches can result in fines of up to €20 million or 4% of turnover.

To put this increase in perspective, the £400,000 fine given to TalkTalk for a data breach in 2016 would, under the new GDPR sanctions, be estimated at £59 million (according to a 2017 study by NCC Group).

While multinationals like Yahoo – three billion user accounts hacked in 2013 – and Uber – 57 million customer and driver details hacked in 2016 – make headlines for the size of their data breach misdemeanours, the GDPR affects every organisation, big or small, that holds personal information on people.

That is why it is important that you, as an independent funeral director, are aware of your responsibilities under GDPR and have made plans to ensure you are compliant when the law comes into force at the end of May.

GDPR will require organisations to be more accountable for their handling of people’s personal information, with formal data protection policies, data protection impact assessments and formal documents to record how data is processed.

For companies employing 250 people or more, documentation is required which states why people’s data is collected and processed, what information is held and for how long, and the technical measures employed to keep the information secure. For larger companies that collect a lot of sensitive data as part of their business there is a requirement to employ a dedicated data protection officer.

Golden Charter has been preparing for the advent of the new legislation and has been developing a number of resources that will also help independent funeral directors prepare for GDPR.

Heading up Golden Charter’s GDPR project team is Alison Wilson, Director of Compliance & Risk, who recently gave a webinar for funeral directors with Louise Love, Head of Compliance – Funeral Director Sales, to explain the fundamentals of the regulation and how it affects you and the way you hold data. This is just one element of the support that Golden Charter is planning for independent funeral directors in the coming months to prepare for GDPR.

Data processors

Alison said: “The main difference compared to the previous data protection law is that GDPR puts more of a focus on individual rights in terms of what data companies collect, what they do with that data and the public’s access to that information. It gives people the right to have easier access to the information held about them, free of charge. The law also gives them the right to have it deleted, where appropriate.”

Under GDPR definitions, personal data is any information that can be used, directly or indirectly, to identify a living person, such as a name, address or IP address. Data on deceased people is not covered by GDPR.

In terms of funeral plans, Golden Charter has obligations under GDPR as a ‘data controller’: the entity that decides the purpose and the manner in which personal data is used. However, in addition to being data controllers in your own right, funeral directors also have new data protection obligations. In your relationship with Golden Charter you are classified under GDPR as ‘data processors’: any organisation that processes data on behalf of the data controller, including collating, recording and holding that data.

Alison said the term data processor is a bit of a misnomer: “You don’t have to do anything with the data to be a processor, because just storing data comes under the ‘processor’ remit. So, if we send personal information to a funeral director to fulfil a funeral need, and you never touch that piece of paper again, you are still processing it as you store it.

“The new legislation means you have to maintain records explaining what data you hold, such as names, addresses, date of birth, religion etc., and the service/s provided as well as the format it is held in, such as paper records or digitally in a computer, or in the cloud.”

Data security

Security is paramount under GDPR. If paper records of personal information are kept, they must be under lock and key, with access limited to only those in the company who need to see the information as part of their job. Electronic records need to be password protected.

Sharing data is also an area where funeral directors need to assess risk and, where possible, write GDPR responsibilities into business contracts with third parties. If any data held is breached – defined as “the destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data – then funeral directors have a legal liability to report the incident to the ICO within 72 hours, and to Golden Charter too.

Consent

A big issue for organisations holding existing data on customers is the GDPR’s insistence that all companies obtain the consent of people they collect information about, and provide evidence of their ‘opt-in’ and their preferred method, if any, for contacting them in the future.

Golden Charter is obtaining this consent when customers contact them and Alison suggests funeral directors modify all business contracts to accommodate an ‘opt-in’ consent form to allow customers to agree to be contacted in the future for information about other services or products.

Under GDPR you cannot contact people for marketing purposes if they have not given their prior consent for you to contact them.

However, you do not need consent to contact a person if you have a ‘legitimate’ interest in doing so as part of your current business relationship with that customer.

Alison said: “We hold people’s data for funeral plans and, since we have a legal contract with them, we can hold that data and contact them in order to fulfil it. This is a case where consent is not the only basis for holding data and contacting people.

“Nevertheless, while customers would expect us to contact them to fulfil the funeral plan, GDPR prohibits us from using their data to contact them for some other purpose, like trying to sell them an additional service, unless they have given us specific prior consent for doing that.

“If you wanted to conduct direct marketing at named individuals then you would need those people’s consent to contact them – they have to have ‘opted-in’ and you must have evidence of this. We record all our customer telephone calls for audit purposes so we have proof of consent, but it’s also fine to have a paper or digital record as long as you record the date and person who took the consent.”

Alison said that consent agreement cannot be buried away under reams of terms and conditions – it has to be kept separate and be clearly legible for the customer to understand and sign.

Golden Charter Chief Executive Suzanne Grahame believes the new data protection law is a positive step forward as it puts customers at the heart of our business. She said: “As a profession we are seeing a big increase in regulation, the GDPR is just one of a number of changes coming forward, but I believe it is a positive step as it raises the awareness of our data protection responsibilities.

“This change in the tone of the conversation around data protection puts the individual at the centre of everyone’s thinking and highlights the importance of protecting the security of personal data. It will make us all more thoughtful about what data we really require, and only using it for the purpose it has been collected for.

“However, becoming GDPR compliant is a challenge and my concern is that many smaller businesses may encounter difficulties, without support, in establishing exactly how the regulations can best be applied to their work.

“When it comes to the funeral profession, Golden Charter has been here to help and provide guidance to our funeral director family in what ways we can. We will continue to run seminars and webinars and develop other supporting information, such as frequently asked questions and scenarios, in the coming months.

“But these changes are far reaching, and businesses of all kinds will need support. It’s important for us all to be compliant as the public expect their data to be well looked after and, beyond the financial implications, a breach of GDPR could cause any business great reputational damage.”
