Are you ready for GDPR?
The countdown is on until 25th May 2018, when the new data protection legislation (GDPR) comes into force.
Whilst we at Agility Marketing are not lawyers, many of our visitor attraction clients rely upon repeat business, so it has been necessary for us to immerse ourselves in GDPR and identify what is possible. Below is a summary of what GDPR is and what you need to do as a leisure business.
The main website for GDPR is https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
What is GDPR?
GDPR is new legislation that replaces the current data protection rules. It applies to the whole of the European Economic Area and, despite Brexit, the government has confirmed that it will be implemented in the UK.
The reforms require all businesses to comply while they do business in any EU member state, ensuring all players within the EU are bound by the same rules, regardless of where they are based.
A company that fails to comply with the new rules may be subject to a fine of up to €20 million, or four per cent of the company’s global annual turnover, whichever is higher.
The key elements are below:
- Each Member State will have a single supervisory body responsible for ensuring that businesses comply. In the UK, this is the Information Commissioner.
- You must report any data breach to the Information Commissioner’s Office within 72 hours of it being discovered.
- The definition of personal data is much more far-reaching.
GDPR goes beyond name and address information. It includes any information that relates to a living individual who can be identified from that data, either on its own or in combination with other data in the possession of the data controller. This covers your past and present staff, as well as enquirers and past and present customers.
In addition to names, addresses, numbers, location data and online identifiers, it also includes how you would describe someone physically, economically, culturally, physiologically and genetically, and any expression of opinion about the individual.
- Through a ‘Subject Information Request’, individuals can ask to see what data you hold on them and how it is being used.
Essentially this means attractions will need to streamline their systems. You don’t want your staff looking through 10 different databases or searching lever arch files for an individual’s contact details. You can’t charge to provide this information, and it needs to be supplied within one month of the request.
One recommendation we can make is Breathe HR for storing all your employee data. This avoids any personal data being stored on paper and we’ve used it for over 3 years.
This isn’t so relevant for leisure attractions, but individuals can also request that their data be transmitted to another service provider.
- You must give individuals the ‘right to be forgotten’. Individuals can request you delete all the information you hold on them.
GDPR assumes that when an individual consents to the processing of his or her personal data, he or she does so for a specific purpose. Individuals have a right to request that their personal data is erased once processing it is no longer required.
It does, however, need to work on both sides. For example, if someone has booked a group visit and requests that their data be deleted, deletion would only be possible after their visit date.
- Individuals must opt in to how their data is specifically going to be used. Conditions surrounding consent are becoming more stringent.
For obtaining consent, you cannot use pre-ticked boxes and must keep a record of when and how the consent was given. You must also be aware of what information was provided at the time of consent.
The Information Commissioner tells us that we have to be specific about why we want the data and what we are going to do with it. If you are going to use it for different types of processing, you must obtain a separate opt-in for each.
Dealing with existing marketing data
Existing marketing data is the area where Agility has the strongest knowledge, as we are already implementing systems for our clients.
The first task is to split out what marketing data you hold, when it was collected, how you have used it and whether it was collected with an opt-in. If an opt-in was used for the specific marketing you are doing (e.g. email shots), you can move this data to one side and continue to use it after 25th May.
The second task is to identify how you can change your marketing sign up processes to get opt-ins.
The third task is to identify whether there is a legitimate interest in continuing to send your mail outs, email marketing or text broadcasts to the individuals whose data wasn’t opted in. For example, you could consider that an Annual Pass Holder has a legitimate interest in receiving your email shot about future events, or that a past group visit organiser may want to find out about your next season’s activities.
A legitimate interest is when you use customer data in a way they would reasonably expect. For any legitimate interest you identify, we’d recommend you keep a record of your ‘Legitimate Interest Assessment’ to help demonstrate compliance if required.
Any data that falls outside legitimate interest will need to be opted back in or deleted after 25th May. We wouldn’t recommend simply emailing them to ask, as your take-up rate will be very low; instead, combine the request with special offers or competitions.
What else do you need to do?
If you are like most visitor attractions, you will have plenty of hidden corners and cupboards in which completed Annual Member forms, Group Booking forms or even CVs have been squirrelled away. The new GDPR rules will ensure that every company puts in place clearer and more unified standards for collecting, processing and storing personal data.
Identify if you need a Data Protection Officer
With most attractions being SMEs, you may not need a Data Protection Officer. The GDPR rules state that you only need to appoint an official Data Protection Officer if you carry out large-scale systematic monitoring of individuals. Unfortunately, no criterion has been given for ‘large’ at this stage.
You will, however, need to develop a data strategy and improve the processes around the data you currently collect and hold. Whether you appoint a working group or delegate the task to one individual, someone will need to pull it together.
Your 5 point Action Plan
With the deadline looming, now is the time to start.
Step 1: Inform your entire team
As you go through the Data Audit, you are likely to get more buy-in if your teams are aware of the new data protection legislation and the consequences for getting it wrong.
After you have updated your policies and procedures you will also need to retrain your team to make sure they act in a GDPR compliant way.
Step 2: Undertake a Data Audit
You will need to complete a data audit (similar to the one described above for email data). What staff records do you keep? Where are the photography consent release forms? What annual pass information or group visit forms do you hold?
The data audit should record what data you hold, how old it is, how you use it, how you store it and whether you obtained consent to use it. The audit should be summarised in a single document.
Step 3: Update Privacy Notices and document all your processes
Subject Access Request Plan: Update your procedures and plan how you will handle requests to supply individuals with the data you hold on them.
Processing Customer Personal Data: Look at the various types of data processing you carry out, identify your rationale/legal basis for doing so and document it. At this stage you will need to make clear how long you will keep the data for.
Processing Employee Data: Identify all the areas employee data is held, from rosters to payroll. Document your rationale for keeping it.
Obtaining Consent: Review how you are seeking, obtaining and recording consent and whether you need to make any changes. This covers both customers and employees.
Children: If relevant, think about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Data Breaches: Ensure you have the right procedures in place to detect, report and investigate data breaches.
Third party processors: Controllers are liable for their own compliance, but they must also ensure that any data processors (e.g. HR consultants, marketing agencies, email software subscriptions) can provide sufficient guarantees that the requirements of GDPR are being adhered to.
Step 4: Streamline processes
As a business, you will need to look for ways to streamline and automate processes. Whilst the holy grail of holding all customer data in one database is unlikely, you may be able to end up with data being held in 4-5 areas. This will definitely help with answering Subject Access Requests.
Any new systems should incorporate ‘Privacy by design’, which essentially means that data protection and privacy are built in at the outset of your project rather than added as an afterthought at the end. The Information Commissioner recommends you carry out a privacy impact assessment covering the information flow, the privacy risks and the privacy solutions. Further information can be found at https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
Step 5: Staff Training
The final and most important step is staff training, to ensure everyone follows the new GDPR systems. We’d recommend both initial workshops and one-on-one training, as well as refresher training.
About Agility Marketing
Headed up by Anita Waddell, Agility Marketing is a niche marketing agency specialising in visitor attractions. With many of their clients relying upon repeat business, understanding GDPR was vital in order to make client recommendations that stay within the legislation.
Every year Agility works with over 20 clients, including Odds Farm Park, Mead Open Farm, Adventure Valley and Harbour Park.
WRITTEN BY ANITA WADDELL, MANAGING DIRECTOR OF AGILITY MARKETING