A Quick Overview - The General Data Protection Regulation is coming!
According to the Federation of Small Businesses, fewer than 1 in 10 small businesses are prepared for the General Data Protection Regulation implementation on 25th May 2018 - and 1 in 5 are unaware of it!
All businesses are subject to GDPR, which updates previous EU legislation passed in 1995 and the UK Data Protection Act 1998. The legislation is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”.
GDPR applies internationally, so any organization, whether or not it is part of the EU, must abide by the rules if it processes personal data belonging to an EU citizen.
And yes, it still applies after BREXIT, automatically becoming UK law.
So, What is Personal Data?
Personal data is any data that can be used to identify an individual directly, or indirectly, if data sets are combined.
GDPR Applies to Online and Offline Data!
GDPR gives individuals rights over data captured about them, both online and offline. Businesses will need to:
- Audit existing data whether electronic or on paper.
- Assess what and where data is stored and if it is secure.
- Establish how data was acquired, also when and how did those individuals consent?
If in doubt, businesses should contact individuals to obtain their consent for ongoing communications.
GDPR Defines Roles and Responsibilities Relating to Personal Data
GDPR defines three roles in relation to personal data:
- Data Subject - the person whose data is collected.
- Data Controller - the person/organization responsible for collecting personal data, who decides how and why the data is used.
- Data Processor - the person/organization who stores and processes the data.
The Data Controller and Data Processor can be the same or different persons/organizations; the Data Controller is still responsible for data processed on their behalf by another organization, so will need to ensure that the Data Processor is GDPR compliant.
Personal Data Rights
GDPR provides individuals with the following rights:
- Access to any personal data held about them and request it to be corrected or erased.
- Control how businesses and organizations communicate with them and easily withdraw permission.
- Companies may only collect the data necessary to complete a transaction, and that data may only be used for its intended purpose.
- Data must be kept secure and deleted when it has served its purpose.
What Does This Mean for Websites?
Websites will need to reflect the following:
- Unbundled opt in: T&C’s check box and contact permission check boxes must be separate and distinct.
- Active opt in: check boxes should be left blank and not pre-checked.
- Granular opt in: each type of communication channel must have its own check box, e.g. one for email, one for SMS, one for post, one for phone and/or other electronic means.
- Withdraw consent or change permissions: users must be able to easily change communication preferences or stop communications entirely.
- Named parties, not third parties: to share data with third parties, each party must be named, each with their own check box.
- Privacy Notice: T&C’s must state the purpose for collecting personal data, what will be done with the data and how long it will be retained. It should also notify the user that they have a right to complain to the Information Commissioner’s Office.
- Tracking software and analytics: tracking software will need to be GDPR compliant and notify the user that cookies are being used.
- Website/Content Management System must be secure: websites must have an SSL certificate.
- Children’s rights: currently in draft, but in the UK only children 13 and over can give consent for their data to be used (16 and over in the EU). Children under 13 require permission from whomever holds guardian/parental responsibility.
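The opt-in points above translate directly into how a sign-up form is defined and how the resulting consent is stored. The following is an added example, not code from the original article or from any project it mentions: it audits a form definition for the structural rules (a T&C box separate from marketing consent, one unchecked box per channel, one unchecked box per named third party), records consent only for boxes the user actually ticked, and supports withdrawal with an audit trail. The field names, the channel list and the third-party names are assumptions made for this example.

```javascript
// Added example (not from the original article): consent handling for a
// website form that follows the GDPR opt-in rules listed above.
// Field names, channels and third-party names are assumptions.

const CHANNELS = ["email", "sms", "post", "phone"];

// Constructed sample form definition as the site would render it: every
// consent box defaults to unchecked and each third party is named.
const SAMPLE_FORM = {
  termsCheckbox: { defaultChecked: false },
  channelCheckboxes: Object.fromEntries(
    CHANNELS.map((c) => [c, { defaultChecked: false }])
  ),
  thirdPartyCheckboxes: {
    "Acme Insurance Ltd": { defaultChecked: false },
    "Example Analytics GmbH": { defaultChecked: false },
  },
};

// Audit the form *definition* (not a user's answers): separate T&C box,
// one box per channel, nothing pre-checked, no catch-all "partners" box.
function auditFormDefinition(form) {
  const problems = [];
  if (!form.termsCheckbox) problems.push("no separate T&C check box");
  else if (form.termsCheckbox.defaultChecked) problems.push("T&C box is pre-checked");
  for (const c of CHANNELS) {
    const box = (form.channelCheckboxes || {})[c];
    if (!box) problems.push(`no check box for channel '${c}'`);
    else if (box.defaultChecked) problems.push(`channel '${c}' is pre-checked`);
  }
  for (const [name, box] of Object.entries(form.thirdPartyCheckboxes || {})) {
    if (/^(partners?|third parties|others?)$/i.test(name.trim())) {
      problems.push(`third party '${name}' is not a named organisation`);
    }
    if (box.defaultChecked) problems.push(`third party '${name}' is pre-checked`);
  }
  return problems;
}

// Turn a submission into a consent record. Consent is stored only where the
// box was explicitly ticked; accepting the T&Cs never implies marketing
// consent, and each channel / third party is decided on its own.
function buildConsentRecord(form, submission, now) {
  const problems = auditFormDefinition(form);
  if (problems.length) throw new Error("form not compliant: " + problems.join("; "));
  if (submission.acceptTerms !== true) throw new Error("T&Cs not accepted");
  const channels = {};
  for (const c of CHANNELS) channels[c] = (submission.channels || {})[c] === true;
  const thirdParties = {};
  for (const name of Object.keys(form.thirdPartyCheckboxes)) {
    thirdParties[name] = (submission.thirdParties || {})[name] === true;
  }
  return {
    termsAcceptedAt: now,
    channels,
    thirdParties,
    history: [{ at: now, event: "consent-given", channels: { ...channels }, thirdParties: { ...thirdParties } }],
  };
}

// Withdraw consent for some channels and/or third parties. Returns a new
// record; the history keeps a dated trail of every change.
function withdrawConsent(record, { channels = [], thirdParties = [] }, now) {
  const next = {
    ...record,
    channels: { ...record.channels },
    thirdParties: { ...record.thirdParties },
    history: [...record.history],
  };
  for (const c of channels) if (c in next.channels) next.channels[c] = false;
  for (const p of thirdParties) if (p in next.thirdParties) next.thirdParties[p] = false;
  next.history.push({ at: now, event: "consent-withdrawn", channels, thirdParties });
  return next;
}

// The checks a mailing job or a data-sharing export should make first.
function mayContact(record, channel) {
  return record.channels[channel] === true;
}
function mayShareWith(record, party) {
  return record.thirdParties[party] === true;
}
```

`mayContact` and `mayShareWith` default to false for anything not explicitly recorded as true, so an unknown channel, a missing field or a withdrawn consent all fall on the safe side; the `history` array is what lets the organisation later show when, and to what, a person consented.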
Increased Penalties for Non-Compliance
There will be increased penalties for non-compliance, enforceable by the Information Commissioner’s Office, the UK’s independent authority protecting information rights.
The maximum fine under the Data Protection Act is £500k; this will increase to an upper limit of £17m or 4% of global turnover, whichever is higher, under GDPR.
The ICO has emphasised that fines are a last resort and is committed to guiding, advising and educating organisations to help them understand and comply with GDPR.
To this end, the ICO provides a wealth of information, examples, templates and supporting tools to help organizations understand and comply with GDPR requirements. There is also a helpline to assist further with any questions.
The ICO also supports Federation of Small Businesses campaigns to help small businesses to prepare, and further information and support can be found on the FSB website.
So, if you’re not yet ‘GDPR Ready’, it’s time to start. See you on the other side :-)!