The hitchhiker's guide to the GDPR

Duncan Calow
Opinion - Publishing Monday, 30th October 2017

Up to speed on data protection? Duncan Calow has some Douglas Adams-inspired advice...
If the sell-out audience at the recent Publishers Association London seminar on the General Data Protection Regulation (GDPR) was anything to go by, data protection is now on the radar of many publishers. Of course, I would like to believe that my own data protection article published on these pages for the London Book Fair shares some of the credit for that. I suspect, however, that it is the contents of the GDPR itself - including fines for non-compliance of up to €20,000,000.00 or 4% of global annual turnover (whichever is higher) - that have really caught people's attention.

The GDPR will take direct effect across the EU from 25 May 2018. So for those in the industry who haven't yet got up to speed - but now have less than 250 days to do so - here are some issues to focus on:

1. Don't panic.

2. No, really, don't panic. That's the message being promoted by the UK data protection regulator, the ICO (Information Commissioner's Office), which has been publishing a series of "myth-busting" GDPR blogs. In particular, it has tried to reassure us that "scaremongering" headlines about crippling financial punishment (like, er, mine above) are misleading. The ICO stresses that its proportionate approach to enforcement will continue - preferring carrot ahead of stick - and that, in many cases, the GDPR represents an evolution rather than a revolution. That, though, rather assumes a high degree of compliance with current rules.

3. So what personal data have you got? Notwithstanding its calming words above, the ICO is also very clear that doing nothing is definitely not an option either. So check now that you know what personal data you hold, where it came from and whom you share it with. Having an accurate record is a GDPR requirement, and even though there are exemptions that may apply to smaller businesses it is a very good starting point for any GDPR action plan. Audit, ask, dig about - but do find out. If it identifies living individuals (and it doesn't have to name their names), it is probably personal data.

4. Why have you got it? Big-picture GDPR concepts like "privacy by design and by default" and "data minimisation" mean you should only be using personal data if there is a good reason to do so. But it's also important that your purposes for processing are lawful, and there are only a limited number of legal grounds for processing that you can rely upon. These include when it is necessary for performing a contract with or for the data subject, or necessary for your or a third party's legitimate interests - provided those interests aren't outweighed by the individual's own interests, rights or freedoms.

5. It's not always about consent. Crucially, although consent is also one of the grounds for lawful processing, getting effective consent will be hard under the GDPR. Consent must be treated as an active, ongoing and granular choice, as easy to withdraw as to give - not a one-off decision. Your consent mechanics will certainly need review (pre-ticked boxes are banned), but it may be necessary to re-think, and record, whether one of the other grounds above may be more appropriate instead.

6. Communication. First, the GDPR is very prescriptive about the information that needs to be given to the people whose data you are processing. So the privacy policies and notices used on your website or elsewhere will need updating (with the wrinkle that the separate rules on e-marketing and cookies are still up for discussion - but that's for another time). Secondly, everyone in your business needs to be aware that the law is changing - from those at the top to those not at the top.

7. Not in front of the children. There are special rules if you run online services for under-13s (different age thresholds will apply elsewhere in the EU) and, as with the current law, there are stricter rules if you process "special category" data, including data about sex, politics and religion. So the interesting stuff is highly regulated, and best avoided if you can.

8. Manuscripts. Don't forget that the books you publish may well include personal data. The GDPR includes a derogation for academic, artistic and literary expression, but local laws will vary. UK rules will likely stay as they are - but the ICO has always been clear that they are not a blanket exemption. Like all personal data, the data in manuscripts certainly needs to be kept secure.

9. Outside the EEA (European Economic Area). The GDPR continues existing controls on personal data being transferred out of the EEA, but also reinforces the jurisdictional reach of the law. The need to comply with the GDPR may be triggered by activities within the EU, but also for organisations established elsewhere when they offer goods and services to people in the EU or monitor their behaviour here.

10. Er, that's NOT it. The GDPR has plenty of moving parts and many other aspects to consider, from the range of rights that individuals will have (the right to be forgotten, etc.) to the need to ensure that your efforts extend to any third-party processors working for you.

But whatever further questions you may have, it's already time to take a first step on the compliance journey. And the answer may not be 42.

Duncan Calow is partner at DLA Piper UK LLP. For more information on the GDPR see https://www.dlapiper.com/en/uk/focus/data-protection.

This article first appeared in the Publishers Weekly/BookBrunch Frankfurt Show Daily.