GDPR. No, it’s not a word in another language! You may have already heard the term but not quite fully understood what it was?
GDPR is set to become a hot topic in the next few months and, from talking to our customers, we’ve discovered that there is a bit of knowledge, but also a lot of confusion. We are certainly not experts in this field, but wanted to share our general knowledge of the subject in this article and will follow up with more specific areas of thought on the effect of GDPR on websites for our customers.
We hope that you find this a useful start.
What is GDPR?
GDPR stands for General Data Protection Regulation and is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the EU. It also addresses the export of personal data outside of the EU.
In a nutshell, GDPR aims to give control back to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When will it take effect?
GDPR was adopted as a regulation on 27th April 2016 and becomes enforceable from 25th May 2018.
As it is a regulation and not a directive, it does not require national governments to pass any enabling legislation and is therefore directly binding and applicable.
It is useful to note that GDPR will replace the data protection directive of 1995.
What is the impact of GDPR?
It’s important to highlight that GDPR applies to all personal data that all businesses (however big or small) hold on individuals and is concerned with data that you already hold as well as data that you intend to collect in the future.
The data may be in paper format, voice records or digital records either stored on a computer, on hard drives, USB sticks or via a website.
What do you need to do?
The first thing that any business will need to do is to undertake an audit of what information you are holding on individuals. This stage may take some time as you go through filing cabinets, folders, spreadsheets, discs, USB sticks and indeed any other method you have used to store data since your business began.
The second thing you need to undertake is a data assessment. You should:
Determine what information you need to hold on individuals.
Establish the purpose of the information i.e. why you need to hold it – what have you/are you going to do with it?
Identify the lawful basis for processing this data. If this is consent, demonstrate that you have consent from those individuals in order to hold and use the data for the purpose that you have set out. This includes data you already hold.
Ensure that the data is secure.
Establish a process for access requests. Individuals are entitled to access the data that you hold on them and indeed ask you to stop holding it.
Have a secure process for destroying data. Your initial audit may have led you to find data that you no longer need and individuals may also ask you to no longer hold their data. Your destruction process needs to be rigorous, secure and undertaken in a reasonable time frame.
Personal data and your website
If you collect personal data via your website – this may be via web forms, user profiles, e-commerce or any other means - you need to perform a GDPR audit and assessment as described in the points above. As highlighted above, you must ensure that you have adequate consent from those individuals to use the data for the purpose that you state.
Consent
This is an area which, thanks to GDPR will become crystal clear for individuals. They will completely understand, before they give their consent what their data is to be used for.
This means that businesses need to be unambiguous at the stage at which they want to collect data. There will no longer be a general consent statement. Instead the exact purpose that you will be using the data for will need to be set out in order for the individual to consent to. This may need multiple consents to cover different marketing/information purposes. An individual will have to opt-in to give consent and must be able to opt-out again.
Third parties
If you use third party services for example to buy data or analyse behaviour and collect data from actions on your website, then you need to be very clear on whether the supplier is compliant with the new regulation. The first thing to do is to check the supplier’s GDPR consent process. Do they have the correct consent to collect the data/service you are buying from them?
The second thing to consider is that once you obtain the data/analytical information, GDPR responsibility for this data falls to you.
Cookies
Data collection via cookies on your website should be covered under the privacy policy on your website. You will also need to include a statement on any tracking that you do of your visitors and this should also include instructions on how a user can disable such tracking if they choose for their behaviour/actions on your website not to be collected. Be aware that embedded content and third party services can also set cookies when someone visits your website. You will need to consider how GDPR applies to these too.
Further information
We hope that this article has been a useful introduction to GDPR.
We recommend that you don’t leave it too long to start thinking about the impact that this will have on your business and that you undertake an audit and a data assessment and then establish new business processes in good time before 25th May 2018.
Further information can be found at https://ico.org.uk/for-organisations/data-protection-reform/