What is GDPR?
GDPR stands for General Data Protection Regulation, and it is going to replace the previous legislation on data protection. That previous legislation, the Data Protection Act, was enacted in 1998 and has become a bit out of date over the years due to the rise of the internet.
Who will be affected?
These new rules will affect all citizens of the European Union and any business based in the EU, and they will change how businesses like yours handle their customers’ information.
The reach of these new rules is not just limited to the EU however but any organisation (or website) that collects or handles information of EU citizens. If your website has traffic from the EU you are going to be affected and need to make sure that your website is compliant.
What does the new legislation cover?
The key changes from previous legislation aim to protect EU citizens’ privacy, with the main focus on ensuring people are knowingly allowing their data to be collected and processed, and on new rights for them to decide what can be done with their information.
If you collect any data, personal or sensitive, from your website, whether it be names, emails, phone numbers, IP addresses, sexual orientation, religious views or any other data that can be used to identify someone, you must be sure that you have a good reason to do so, and you should explicitly request consent first.
These requests must be in plain and simple language and be presented in a clear way, not just mixed in with other text where the user may not find it.
You must also have a clear privacy policy, visible and accessible on your site, that informs users how their data is going to be collected, stored and used.
The GDPR now also gives users a lot more power to access any information stored about them. Any user may now request the personal information you hold on them, and you must present it in full within one month of the request. Currently, the Subject Access Request allows businesses to charge £10 to users who wish to be given the data held on them; under the GDPR this charge will be scrapped and the information must be provided free of charge.
Users may now also withdraw consent at any time and under some circumstances have the power to make you erase all data held on them (the right to erasure) if it is no longer necessary for the purpose collected.
You should be prepared to ensure that all information you hold is up to date and relevant, and also that you do not continue to process information (including keeping it on file) if you do not have a legitimate reason to do so.
What parts of your website do you need to worry about?
Any forms you use to collect data will now need to be made GDPR compliant. These can be contact forms, enquiry forms, or e-commerce forms that go through sites such as PayPal. If you are collecting absolutely any personal information or other content from users, you will need to make sure this collection of data is GDPR compliant.
You must also make sure that anywhere you are processing that information is also compliant. This includes not only the transmission of this information back to head office but also any systems you use to store and retrieve that information.
So, how can you comply?
Clearly request consent – before the user clicks the ‘submit’ or ‘send’ button they need to be aware that the information entered on the form is going to be collected and stored, and most importantly what you plan to use it for. We can add a tick box to your forms that users check to give their consent for data to be collected.
Update your privacy policy – In your privacy policy, you need to fully disclose how you intend to collect, store and use the data submitted through the forms on your website.
Make data easily accessible …
Add a way for users to easily request their data – There are a few ways in which this can be done, for example, you could add a form on your privacy policy page in which users can review and easily withdraw their consent for their data to be collected and request any data you have stored on them.
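The three steps above (an explicit consent tick box, a way to request the data held, and a way to withdraw consent), modelled as an added server-side example; this is not code from the original post or its author, and the class name, form field names and sample data are assumptions:

```python
# Added example: a minimal model of consent capture, subject access requests
# and consent withdrawal for a website contact form. Names are assumptions.
from datetime import datetime, timezone

# The wording shown next to the tick box; kept server-side so the stored
# consent record cannot be altered by whoever submits the form.
CONSENT_TEXT = "I agree to my details being stored and used to respond to my enquiry."


class ConsentError(ValueError):
    """Submission lacks the explicit, recorded consent GDPR requires."""


class ConsentStore:
    """In-memory stand-in for the database behind a website's forms."""

    def __init__(self):
        self._records = {}  # email -> {"data": {...}, "consent": {...}}

    def store_submission(self, fields, purpose, consent_ticked, now=None):
        # Consent is an explicit opt-in: an unticked box is not consent, so the
        # submission is rejected rather than stored "just in case".
        if consent_ticked is not True:
            raise ConsentError("explicit consent not given")
        given_at = (now or datetime.now(timezone.utc)).isoformat()
        self._records[fields["email"]] = {
            "data": dict(fields),
            # Keep proof of what was agreed, for which purpose, and when.
            "consent": {"purpose": purpose, "text": CONSENT_TEXT, "given_at": given_at},
        }
        return fields["email"]

    def subject_access_request(self, email):
        # Everything held on the person, consent record included, as copies.
        rec = self._records.get(email)
        return None if rec is None else {k: dict(v) for k, v in rec.items()}

    def withdraw_consent(self, email):
        # Withdrawal removes the lawful basis, so the data is erased, not just flagged.
        return self._records.pop(email, None) is not None


def handle_contact_post(store, form):
    """Simulated handler for the contact form POST. An HTML checkbox only sends
    its value ("on") when ticked, so a missing key means no consent was given."""
    ticked = form.get("consent") == "on"
    try:
        store.store_submission(
            {"email": form["email"], "name": form.get("name", "")},
            purpose="responding to this enquiry",
            consent_ticked=ticked,
        )
        return {"status": 200, "body": "stored"}
    except ConsentError as err:
        return {"status": 400, "body": f"rejected: {err}"}
```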
What are the penalties for breaking these new rules?
Non-compliance with this new legislation that leads to an actual breach of data security affecting people’s rights and freedoms can lead to fines of up to either 4% of your business’s annual turnover or £20 Million, whichever is greater. It seems likely that the ICO will be putting a few £2 Million fines in place for the first few breaches, providing they are not particularly severe.
When does this new legislation come into effect?
This new legislation will apply from 25 May 2018 – this may be a few months away, but ideally you want your website to be compliant ahead of time. We also recommend you consult independent advice on GDPR to ensure you are compliant in other areas of your business. The ICO has published great resources online at https://ico.org.uk/for-organisations/
We must strongly advise that it is your responsibility as a business to ensure your website will be compliant. We will of course implement any changes necessary for compliance.
If you have any questions about the GDPR and how it is going to affect your site, please feel free to contact us.