This post will take you through what GDPR is and its impacts. But most importantly, we’ll help you identify if it affects you and how it affects you. If you’ve done your homework and already know the background around GDPR, read on to see what we think should be the key points on your GDPR checklist.
So Something’s Changing…But What?
In 1995 the EU issued its first directive on the protection of personal data (Directive 95/46/EC). Each member state had to write it into its own law; in the UK that is the Data Protection Act 1998 (DPA), which remains in force at the time of writing.
So chances are that if you were subject to the DPA – whether or not your site actually adhered to it – you will also be subject to GDPR. Even if you no longer use your website because it was built pre-1998 and it’s now lost in a long forgotten nook of the internet with a page-hit counter that seems to have been stuck on 11 for the last few decades, it may still be collecting personal data (that counter, a contact form, a comment box), so you may still be subject, and we would recommend for your own sake that you cover yourself before GDPR arrives.
What Happens When GDPR Arrives?
On the 25th of May 2018 GDPR will come into force with the aim of updating the laws that protect personal data, online and off. For anyone else like me who gets nostalgic at the screeching noise of the way-back-when dial-up days, you will know how far the internet and technology have come. With these advancements we have seen websites develop tools that collect and store our personal data with ever-increasing ease. GDPR seeks to address and counterbalance these technologies and practices with new laws intended to help protect users and their personal data. So despite any anxiety GDPR may be causing you right now, from this perspective we must remember that in theory it is a positive step toward better security for everyone’s personal data.
What is Personal Data?
This is a difficult question, but broadly speaking, it is any data that may in any way (directly or indirectly) be used to identify a person. Obvious examples are a person’s name and email address. Less obvious, but still defined, examples include a person’s IP address, mobile device IDs and physical location. Note that pseudonymised data (a hashed email address, a user ID that your own database can map back to a person) still counts as personal data; only data that can no longer be linked to an individual by anyone falls outside the regulation. Beyond that, there is also the sub-category of sensitive data (the “special categories”), which relates to specific types of personal data that require enhanced protection and explicit consent from the data subject to use. These include, but are not limited to, race, religious beliefs, sexual orientation and political opinions.
Am I Collecting Personal Data and am I Subject to GDPR?
Most websites collect some kind of data now, even if it doesn’t seem apparent. If you have a contact form, track any of your website usage with analytics, allow comments on blog posts, or sell products (physical or not) with an online shop, then you are collecting data and must be GDPR compliant or potentially face penalties.
Yes, there are penalties and they are not to be scoffed at. Despite reassurances from the ICO (Information Commissioner’s Office) that it intends to enforce GDPR constructively rather than punitively, it’s hard not to feel a little faint when fine figures are bandied about like “€20 million (around £17 million)” or “4% of annual worldwide turnover”, whichever is higher. Whether or not the higher end fines are reserved for repeat offenders and big business, what is clear is that preparing for GDPR is a sound financial investment and will probably save you from a sleepless night or two.
Am I Responsible For Ensuring I Comply With GDPR?
Yes. Your website is a business asset and as such it is your responsibility to ensure you comply with GDPR. Your web host or web designer may well be a data processor acting on your behalf, and GDPR gives processors obligations of their own (for example, to process only on your documented instructions and to keep the data secure), but that does not transfer your responsibility as the controller to them. It does mean you should have a written contract with them that covers how they handle your users’ data.
How do I Prepare For GDPR?
As mentioned above, it is highly likely you are in some way collecting data and so are subject to GDPR either as a ‘data processor’ or a ‘data controller’.
- “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and manner in which, any personal data is, or will be, processed.
- “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Whichever category you fall under, it’s a good idea to be as thorough in your preparations as possible. Note that, unlike the DPA, GDPR places obligations directly on processors as well as controllers, so processing data “on someone else’s behalf” is not an exemption.
It is a good idea to create your own data protection policies as they will help you understand what steps you need to take to comply with GDPR. Creating this can sound daunting, but we suggest the best place to start is by documenting the answers to the following questions:
- What data are you processing and why? Where applicable explain why this data is of a legitimate interest to you as a business.
- Is the amount of data you collect, and how long you keep it, proportionate to that purpose? Collect and retain no more than the purpose needs.
- What are the risks to the individuals whose data you hold?
- What processes are in place to keep those risks to a minimum? Include your security precautions: who can access the data, whether it is encrypted in transit and at rest, how backups are handled, and when data is deleted.
So you must be able to justify why you collect, store and use data in general; but this must also match up against the consent gained when the data was captured. You must demonstrate you are aware of the risks to personal data you hold on individuals and have appropriate security measures in place to reflect this risk.
Companies with 250 employees or more are required to keep this kind of documentation (a record of processing activities); smaller companies must keep it too if their processing is not occasional, is likely to result in a risk to individuals, or involves sensitive data. Either way, it is good practice for any company that is beginning the process of bringing itself in line with GDPR.
Let’s now outline the clearest actionable points the Information Commissioner’s Office (ICO) has set out so far:
- If you suffer a personal data breach that is likely to result in a risk to individuals, you must inform the ICO within 72 hours of becoming aware of it; where the risk to the individuals concerned is high, you must also tell them without undue delay. The clock starts when you become aware, so you need logging and monitoring good enough to notice a breach and to establish what data was affected.
- If your business conducts the monitoring of individuals on a large scale, or processes sensitive personal data (which includes union membership, religious beliefs, political opinions, racial information, and sexual orientation) you should employ a data protection officer (DPO).
- Before GDPR, businesses could charge £10 to fulfil a Subject Access Request (SAR), an individual’s request for the data stored about them. GDPR scraps the fee: you must fulfil such requests free of charge and within a month (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month).
- For many circumstances, individuals can also now insist their personal data is erased if it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate reason for its being kept, or if it was unlawfully processed.
Is there a GDPR checklist?
GDPR is complex and still evolving. As such there is currently no official checklist for GDPR compliance, but here’s what we have for you so far:
- STORAGE: know what personal data you hold, in which systems (including backups and third-party services), where each item came from and under what consent. Make sure you can export it to answer a subject access request and erase it across all of those systems if an individual asks.
- CONSENT: make sure you are getting informed consent when you capture data. Under GDPR it must be freely given, specific and given by a clear affirmative action (no pre-ticked boxes or consent buried in terms and conditions), as easy to withdraw as to give, and you should record when, how and for what purpose it was obtained.
- ADMINISTRATION: appoint a data protection officer and/or register yourself as a data controller if applicable.
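The storage and consent items are easier to get right if they are modelled explicitly. The following Python is an illustrative example added here; it is not code from this site or from the ICO. It shows a minimal registry that records where each piece of personal data came from and under which consent, answers a subject access request with an export, flags data whose consent has since been withdrawn, and honours an erasure request across every store. The store names, the use of the email address as the subject key, the sample records and the tombstone key are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Consent:
    """What the subject agreed to at the point the data was captured."""
    purpose: str                     # why it is processed, e.g. "newsletter"
    source: str                      # where it came from, e.g. "contact-form"
    captured_at: datetime
    policy_version: str              # which privacy notice they were shown
    withdrawn_at: Optional[datetime] = None


@dataclass
class PersonalRecord:
    subject_id: str                  # the subject's email address (assumed key)
    store: str                       # system holding it: "crm", "analytics", ...
    fields: dict
    consent: Consent


def _consent_dict(c: Consent) -> dict:
    d = asdict(c)
    for k in ("captured_at", "withdrawn_at"):
        if d[k] is not None:
            d[k] = d[k].isoformat()
    return d


class DataRegistry:
    """In-memory stand-in for a site's inventory of the personal data it holds."""

    def __init__(self, tombstone_key: bytes) -> None:
        self._key = tombstone_key    # secret for the keyed hash in erasure tombstones
        self._records: list[PersonalRecord] = []
        self._erasure_log: list[dict] = []

    def record(self, rec: PersonalRecord) -> None:
        self._records.append(rec)

    def withdraw_consent(self, subject_id: str, purpose: str,
                         when: Optional[datetime] = None) -> int:
        """Mark consent for one purpose withdrawn; returns how many records it covers."""
        when = when or datetime.now(timezone.utc)
        n = 0
        for i, r in enumerate(self._records):
            if (r.subject_id == subject_id and r.consent.purpose == purpose
                    and r.consent.withdrawn_at is None):
                self._records[i] = replace(r, consent=replace(r.consent, withdrawn_at=when))
                n += 1
        return n

    def records_without_valid_consent(self) -> list[PersonalRecord]:
        """Audit: data still held although the consent covering it was withdrawn."""
        return [r for r in self._records if r.consent.withdrawn_at is not None]

    def subject_access(self, subject_id: str) -> dict:
        """Answer a SAR: every field held, with its store, source, purpose and consent."""
        return {
            "subject": subject_id,
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "records": [
                {"store": r.store, "fields": r.fields, "consent": _consent_dict(r.consent)}
                for r in self._records if r.subject_id == subject_id
            ],
        }

    def erase(self, subject_id: str, reason: str) -> dict:
        """Honour an erasure request across every store. The tombstone keeps only a
        keyed hash of the identifier, so the erasure can be evidenced later without
        the log itself becoming another copy of the personal data."""
        removed = [r for r in self._records if r.subject_id == subject_id]
        self._records = [r for r in self._records if r.subject_id != subject_id]
        entry = {
            "subject_hash": hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest(),
            "stores": sorted({r.store for r in removed}),
            "reason": reason,
            "erased_at": datetime.now(timezone.utc).isoformat(),
        }
        self._erasure_log.append(entry)
        return entry

    def erasure_log(self) -> list[dict]:
        return list(self._erasure_log)


def build_demo_registry() -> DataRegistry:
    """Constructed sample data for the demonstration; not real records."""
    reg = DataRegistry(tombstone_key=b"demo-key-not-for-production")
    when = datetime(2018, 3, 1, tzinfo=timezone.utc)
    reg.record(PersonalRecord("alice@example.com", "crm",
                              {"name": "Alice Example", "email": "alice@example.com"},
                              Consent("newsletter", "contact-form", when, "privacy-v2")))
    reg.record(PersonalRecord("alice@example.com", "analytics",
                              {"ip": "203.0.113.7", "last_seen": "2018-03-01T10:15:00Z"},
                              Consent("site-analytics", "cookie-banner", when, "privacy-v2")))
    reg.record(PersonalRecord("bob@example.com", "crm",
                              {"name": "Bob Example", "email": "bob@example.com"},
                              Consent("order-fulfilment", "checkout", when, "privacy-v2")))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print(json.dumps(reg.subject_access("alice@example.com"), indent=2))
    reg.withdraw_consent("alice@example.com", "newsletter")
    print("records lacking valid consent:", len(reg.records_without_valid_consent()))
    print(json.dumps(reg.erase("alice@example.com", "consent withdrawn"), indent=2))
```

The tombstone is a keyed hash rather than a copy of the identifier: it lets you show that an erasure happened without the log becoming one more store of personal data. Under GDPR a keyed hash is still pseudonymised rather than anonymous data, so the key needs guarding as carefully as the records it stands in for. On a real site the records would live in the CRM, analytics and shop databases rather than in memory, and erasure would have to reach backups and any third-party processors as well.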
Will Brexit Change All of This?
You will read in a lot of places that the UK is still moving ahead with GDPR regardless of Brexit. For all intents and purposes this is correct. In the UK we are actually implementing a Data Protection Bill, which will include the majority of the regulations created for GDPR. The Data Protection Bill is currently making its way through the House of Commons and House of Lords and so is still subject to change as debates ensue.
GDPR is complex and fluid but the enforcement date remains the 25th of May 2018. To best prepare yourself we would recommend you start by answering the aforementioned questions as they will form the basis of your specific GDPR policy. We would also recommend that you take advantage of our Support services and we will work with you to assess your next steps to bring your web presence inline with GDPR.