Making Online Customer

Data Secure
Understanding GDPR
Keith Grinsted

Abstract: Wherever you are online, whatever you say or

do online, you are creating an indelible digital footprint!
In the EU the new General Data Protection Regulations
are forcing businesses to reevaluate what data they hold
and how they hold it. This article covers many aspects
of data protection and security.

Keywords: Connect, Data Protection, Digital Footprint,

Engage, Eventbrite, Evernote, Facebook, General Data
Protection Regulation, LinkedIn, Networking, Online
Banking, Online Data, Online Shopping, Personal Data,
Profile, Promote, Security, Sensitive Data, Social Media

Making Online Customer Data Secure:

Understanding GDPR
We live in an age of far greater connectivity than ever
­before. As part of this connectivity we are leaving more
Keith has been involved in social
media since first becoming a member
of the early business networking site
Ecademy in 1999.
Now with 17,000+ connections on
LinkedIn, 5,000+ followers on Twitter,
and 2,000+ friends on Facebook, Keith
also runs the largest charity-related
group on LinkedIn—Charity UK—with
39,000+ members.
Keith also has a popular blog on
Huffington Post UK.
Keith teaches and mentors business
people on how to make the most of
social media in business, especially
LinkedIn.
Keith sees himself as a social impact
entrepreneur and has established
Olderpreneur to help older people set
up business.
of our data online. In fact, we are leaving a veritable trail.
Social media has become a central part of most of our
lives, across all ages, for personal and business use. It has
become an essential tool for marketing businesses. Through
what other medium these days can you connect with
­millions of potential clients for your products and services?
We bank online, we shop online, we chat with our
friends online, we live a significant part of our lives online.
As I have said time and time again, ­remember, wher-
ever you are online, whatever you say or do online, you
are creating an indelible digital footprint!
How secure is all that data we leave online? And if we
have a business holding some of that data, how secure
do we hold it? And should we be holding it at all?
We need to look at the requirements, as a business,
for making online data secure and to focus on the new
General Data Protection Regulations (GDPR) being
­
­enforced throughout EU member states. This includes
UK even though they are exiting from the EU over the
coming couple of years.

© Business Expert Press 978-1-94744-195-8 (2018) Expert Insights

1
www.businessexpertpress.com
 Making Online Customer Data Secure
Many of the GDPR’s main concepts and
principles are much the same as those in the
current Data Protection Act (DPA), so if you
are complying properly with the current law
then most of your approach to compliance will
remain valid under the GDPR and can be the
starting point to build from. However, there
are new elements and significant enhance-
ments, so you will have to do some things for
the first time and some things differently.
In the United States there is the EU-US
Privacy Shield Framework. This is a frame-
work for transatlantic exchanges of personal
data for commercial purposes ­between the
European Union and the United States. One
of its purposes is to e ­ nable U.S. ­companies
to more easily receive personal data from EU
entities under EU privacy laws meant to pro-
tect EU citizens. The EU-US Privacy Shield is a
­replacement for the ­International Safe ­Harbor
Privacy ­Principles, which were declared i­ nvalid
by the European Court of Justice in October
2015. In view of various challenges in 2017
and the implementation of GDPR in 2018, it
is unlikely this framework will survive. What
will replace it is, as yet, unknown.
Further details are available here: https://
www.privacyshield.gov/welcome
What Is GDPR?
There are six key data protection principles
as laid out in EU legislation. These set out
the main responsibilities for organizations
in how they collect, store, and handle data.
1. Lawfulness, Fairness, and Transparency
Processed lawfully, fairly and in a trans-
parent manner in relation to individuals;
2. Purpose Limitation
Collected for specified, explicit and
­legitimate purposes and not further
­processed in a manner that is ­incompatible
with those purposes; further process-
ing for archiving purposes in the public
­interest, scientific or historical research
purposes or statistical purposes shall not
be considered to be incompatible with
the initial purposes;
2 © Business Expert Press 978-1-94744-195-8 (2018)
www.businessexpertpress.com
3. Data Minimisation
Adequate, relevant and limited to what
is necessary in relation to the purposes
for which they are processed;
4. Accuracy
Accurate and, where necessary, kept up
to date; every reasonable step must be
taken to ensure that personal data that
are inaccurate, having regard to the pur-
poses for which they are processed, are
erased or rectified without delay;
5. Storage Limitation
Kept in a form which permits identi-
fication of data subjects for no longer
than is necessary for the purposes for
which the personal data are processed;
personal data may be stored for longer
­periods insofar as the personal data
will be p ­ rocessed solely for archiving
­purposes in the public interest, scientific
or ­historical research purposes or statistical
­purposes subject to i­ mplementation of the
­appropriate technical and ­organisational
measures required by the GDPR in order
to ­safeguard the rights and freedoms of
individuals; and
6. Integrity and Confidentiality
Processed in a manner that ensures
­appropriate security of the personal data,
including protection against u­ nauthorised
or unlawful processing and against acci-
dental loss, destruction or damage, using
appropriate technical or o ­ rganisational
measures.
Article 5(2) requires that the c­ ontroller shall
be responsible for, and be able to d ­ emonstrate,
compliance with the principles.
Who Does It Apply to?
The UK Information Commissioners Office
(ICO) defines those to whom GDPR applies
as follows:
■■ The GDPR applies to “controllers” and
“processors.”
■■ A controller determines the purposes and
means of processing personal data.
Expert Insights
 Making Online Customer Data Secure
■■ A processor is responsible for processing
personal data on behalf of a controller.
■■ If you are a processor, the GDPR places
specific legal obligations on you; for
­example, you are required to maintain
records of personal data and processing
activities. You will have legal liability if
you are r­ esponsible for a breach.
■■ However, if you are a controller, you are not
relieved of your obligations where a proces-
sor is involved—the GDPR places further
obligations on you to ensure your contracts
with processors comply with the GDPR.
■■ The GDPR applies to processing carried
out by organizations operating within the
EU. It also applies to organizations out-
side the EU that offer goods or services
to ­individuals in the EU.
■■ The GDPR does not apply to certain activi-
ties including processing covered by the
Law Enforcement Directive, processing
for national security purposes, and pro-
cessing carried out by individuals purely
for personal/household activities.
What Information Is Included?
Again, the ICO refers to personal data and
sensitive personal data:
Personal Data
The GDPR applies to “personal data,” m­ eaning
any information relating to an identifiable
person who can be directly or indirectly
identified in particular by reference to an
identifier.
This definition provides for a wide range
of personal identifiers to constitute personal
data, including name, identification number,
location data, or online identifier, reflecting
changes in technology and the way organi-
zations collect information about people.
The GDPR applies to both automated
personal data and manual filing systems
where personal data are accessible accord-
ing to specific criteria. This could include
chronologically ordered sets of manual
­records containing personal data.
© Business Expert Press 978-1-94744-195-8 (2018)
www.businessexpertpress.com
Personal data that has been pseudony-
mized—for example, key-coded—can fall
within the scope of the GDPR ­depending
on how d ­ifficult it is to attribute the
­pseudonym to a particular individual.
Sensitive Personal Data
The GDPR refers to sensitive personal data
as “special categories of personal data.”
The special categories specifically i­ nclude
genetic data and biometric data processed
to uniquely identify an individual.
Personal data relating to criminal c­ onvictions
and offences are not included, but similar
extra safeguards apply to its processing.
The Rights for Individuals
One key area covered by GDPR is the rights
for individuals:
■■ The right to be informed
■■ The right of access
■■ The right to rectification
■■ The right to erasure
■■ The right to restrict processing
■■ The right to data portability
■■ The right to object
■■ The right not to be subject to automated
decision making including profiling.
What Do You Need to Do?
The UK ICO gives plenty of guidance on
GDPR and provides a simple 12-step plan
for you to adopt. The key points of the plan
are as follows:
1. Awareness—You should ensure that
­decision makers and key people in
your organization are aware that the
law is changing to the GDPR. They
need to a ­ ppreciate the impact this is
likely to have.
2. Information you hold—You should
­document what personal data you hold,
where it came from, and who you share
it with. You may need to organize an
­information audit.
Expert Insights
3