GDPR is undoubtedly the most talked about topic this year. The EU General Data Protection Regulation (GDPR) is cited as ‘the most important change in data privacy regulation in 20 years’ and comes into effect on May 25th, 2018.
GDPR applies to all companies processing the personal data of individuals living in the EU (regardless of the company’s location), and as such this change affects almost everyone in some way. Unless you restrict your business activities to processing data covered by the Law Enforcement Directive, or to processing for national security purposes, GDPR applies to you.
Despite ambiguity in its interpretation which continues to drive headlines and scaremongering stories in the press, one thing is clear – the purpose of the new Directive:
“To harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy”.
Put simply it is there to protect people from privacy and data breaches in what is an increasingly data-driven world. The previous Directive from 1995 was simply outdated and ineffective. The desire to unify privacy laws, and fundamentally change how companies view and use data is key. While it may not be simple – we think it represents positive change for many businesses.
Our clients comprise HR and Client Services professionals as well as business owners. All have a duty to manage and protect the data that their organisation owns and uses in its day-to-day running. This includes the data shared in the context of gathering feedback with technology like ours.
Why did we write this?
We want to help our clients understand how we ensure they stay compliant with GDPR. We’ve picked out the key parts of the new Directive and explained how they work in the context of your feedback programmes. We want to make it as simple as possible for you to understand your responsibilities and stay compliant. A lot of the changes required are small, but they are designed to show that businesses are building data processes with privacy considerations firmly at their core (referred to as ‘Privacy by Design’).
Disclaimer: If you have read up on GDPR or had internal training on it, you may have noticed that interpretation can differ. There’s a large sense of uncertainty even among the experts in this field. Please remember this article is provided as guidance only and should not form the basis of any decisions without you first seeking professional legal advice. If you want to read more about GDPR click here to read the Information Commissioner’s Office guidance.
It’s serious stuff – penalties can be large for both processors and controllers.
Under GDPR, companies caught breaching the rules can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). Thus, awareness and compliance are critical. This is the maximum for the most serious infringements, and there is a tiered approach to fines: for example, a company can be fined 2% simply for not having its records in order.
Read more about the key changes affecting your feedback surveys with The Happiness Index:
The GDPR specifies data as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” This definition provides for a wide range of personal identifiers including a person’s name, ID number, location or even a unique online identifier. This means whether you are surveying people anonymously or not, you need to be aware of your duties.
- A data controller determines the purposes and means of processing personal data.
- The data processor is responsible for processing personal data on behalf of a controller.
In our partnership with clients, The Happiness Index acts as the data processor. Our clients are the data controller. Whenever a controller uses a processor it needs to have a written contract in place (which we do – see more below on contractual obligations) and we will require authorisation from your organisation’s data protection officer.
As data controllers, our clients retain all the control and much of the responsibility for the data they provide to The Happiness Index. This said, we as the data processors have to adhere to specific legal obligations too. For example, we are required to maintain records of personal data and our processing activities, and we have legal liability if we are responsible for a breach. Read more on this in ‘The Happiness Index and how it handles your data’ below.
Under the GDPR, you must appoint a DPO only if you:
- Are a public authority;
- Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
However, any organisation can appoint a DPO. Many businesses already have someone responsible for their data. In reality this can be more than one person – HR manages its data, while marketing and sales may manage theirs separately. Regardless of whether the GDPR requires you to appoint someone, companies must ensure that they have sufficient staff and skills internally to manage the company’s obligations under the GDPR.
The Happiness Index will require you to nominate a DPO at the outset. This person is ultimately responsible for the sharing and management of data during your relationship with The Happiness Index. This person is the first port of call for any data related questions we may receive from your survey respondents. Should we receive requests to opt out of future surveys, or update records, we will contact the nominated DPO first.
Under GDPR, you must have a valid lawful basis in order to process personal data. There are six lawful bases, and which basis is most appropriate to you will depend on your purpose and relationship with the individual. You can read more here. The lawful reason needs to be documented by your DPO.
Our interpretation of the regulation is that in instances where you have a contract with another individual e.g. an employee or client contract, you are not obliged to gain double opt-in consent. You do however need to outline clearly and accessibly in your contracts how you will use the person’s personal data. If you are concerned, seek legal advice on whether to introduce a specific clause relating to the need for feedback and continual business improvement.
It is recommended that you document your lawful basis for processing data internally and with specific reference to any data that you provide to The Happiness Index. Speak to your DPO for more information.
GDPR requires that controllers only retain and process the data that is strictly necessary for the completion of their duties. They must also limit the processors’ access, ensuring that processors only receive what is needed to carry out their duties. This is called data minimisation.
You should only send The Happiness Index the data essential to running your feedback surveys. Your account manager will advise you on what data is needed.
As explained above, where a contract exists between your company and the person whose data it is processing, consent is not essential under GDPR. We do however recommend giving employees and clients the option to opt out of feedback programmes. If we receive any requests to opt out we will notify you so you can decide how to handle them with your DPO.
Consent forms a major part of the new directive, which says that “consent must be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language”. It must be as easy to withdraw consent as it is to give it, so make it obvious to people how they can opt out of providing feedback.
Individuals have expanded new rights under GDPR. These include:
- The right to be told of breaches of their data. Breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Data controllers and processors now have 72 hours to notify people after they become aware of any potential breach. Data processors will also be required to notify their customers (the controllers) “without undue delay” after first becoming aware of a data breach.
- The right to access their data. People can now obtain confirmation as to whether their personal data is being processed, where, by whom and for what reasons. If requested, the controller must now provide a copy of any such personal data, free of charge, in an electronic format to individuals.
- The right to have their data removed. Also known as ‘Data Erasure’, the right to be forgotten entitles the individual to have their personal data erased. This includes the right to halt further dissemination and potentially to have third parties halt processing of the data. The conditions for erasure are outlined in Article 17 and include key reasons – for example, that the data is no longer relevant to its original purpose for processing.
- The right to portable data. This allows individuals to obtain and reuse their personal data for their own purposes and across different services. Put simply, the data provided has to be in a “commonly used and machine-readable format”. If requested by your DPO, The Happiness Index can help provide MS Excel format downloads for individuals requesting to view their data.
Sensitive personal data under GDPR is described as “special categories of personal data”. The categories specifically include genetic and biometric data where “the data is processed to uniquely identify an individual”. This data is considered to be sensitive and therefore requires more protection. For full information review the ICO guidance, but broadly it includes special conditions for managing data on:
- Political views;
- Trade union membership status;
- Health metrics;
- Sexual orientation.
There are more stringent restrictions and conditions which must be met in order to lawfully process sensitive ‘special category’ data. Note that criminal offences and convictions are covered in a separate article (Article 10). It is uncommon for our clients to use data of this kind in gathering or analysing feedback; however, if you feel you need to include this type of data and have a legitimate business reason, please notify your account manager in advance in writing and speak to your DPO about documenting this as well.
Children benefit from extra protection because they are unlikely to understand the risks involved. You must have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but only children of 13 or over can provide consent. For children under this age you must get consent from whoever holds parental responsibility. If you plan to process data of this kind we ask you speak with your account manager in advance and document your reasons as you would with other ‘special category’ data.
The Happiness Index takes its data handling responsibility very seriously and often goes beyond legal obligations to set data handling best practice with its clients when managing feedback programmes. The Happiness Index agrees to:
- Be registered data handlers with the Information Commissioner’s Office and provide trained and informed staff to work on your programme.
- Build and develop new systems and upgrades with privacy at their core.
- Maintain systems securely and take appropriate measures to ensure the security of processing.
- Have an Incident Management Process in place in the unlikely event of lost personal data, computer viruses or system intrusions.
- Restrict access to all data you provide us.
- Maintain audit logs for our clients.
- Regularly audit the way we handle data against our data handling policy.
- Notify your DPO of requests to view, update or delete data, or to opt out of your feedback programmes.
- Assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
- Delete or update any of your organisation’s individual data from our system, when required to do so.
- Delete or return all personal data to the Data Controller as requested at the end of the contract.
- Report any breaches to you within 72 hours of discovery.
- Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
- Consult with your supervisory authority when necessary. Submit to audits and inspections, and provide the Data Controller with whatever information it needs to ensure that both parties are meeting their GDPR obligations. Inform the Data Controller immediately if we are asked to do something that infringes the GDPR or other data protection law of the EU or a member state.
To support your obligation to carry out data protection impact assessments (DPIAs), within our contracts we clearly set out key GDPR-relevant information for you, including:
- The subject matter and duration of the data processing relationship.
- The nature and purpose of the processing we are doing on your behalf.
- The type of personal data and categories of data subject that we will be collecting.
- The obligations and rights of the controller (you).
Please check your organisation’s contracts with The Happiness Index for more information.
During your feedback programmes, instances may arise where you need to update or change your data on our system. Self-service clients can do this through the “People” page in the dashboard. Alternatively, you can ask your account manager to do this for you.
When deleting people’s data from your Happiness Index account, please note that this permanently deletes records. We do not retain that information or store copies on our servers that you cannot access. As such, deletion through your dashboard satisfies the right to erasure. Deactivating a user, however, does not erase personal information.
At the end of your contract, you can request we keep or delete your data. We do not automatically delete client data after a certain period. If you require us to delete data after a set period at the end of your contract, please ensure your DPO requests this in writing.
You may be wondering what we do with your own personal information and it seemed prudent to address that at this stage given the context!
As a client of The Happiness Index, we will store personal information about you as a representative of your organisation. We store contact information, retain email correspondence and track everything in our CRM (Salesforce). The information is strictly confidential. We will never share your data with our partners or third parties, other than in the ways necessary for managing your feedback surveys.
We use your personal email and contact info for the purposes of:
- Account management (ad hoc).
- Key product updates (quarterly and ad hoc as required).
- Client-specific updates (max. once monthly).
- Sharing industry best practice and insights (max. once monthly).
- Requesting feedback (quarterly).
- Individually selected event invitations (infrequently).
You can opt out of most of these at any time (at a minimum, we need to be able to contact you to manage your account) by speaking to your account manager or by replying to us by email with your preferences.
If you have any questions about GDPR and are a client of The Happiness Index, please contact your account manager.