First off, before the General Data Protection Regulation, or GDPR for short, sounds too intimidating: it’s essentially a revamp of the Data Protection Act of 1995. It also regularises and combines multiple agencies into one to ensure European citizens have better online rights.
Many of the current guidelines are similar to the Data Protection Act of 1995. The difference? Now you’re much more likely to be fined huge amounts of money (€20m or 2-4% of global business turnover) if you don’t comply or don’t have a system in place for managing your data appropriately.
If you want to read the actual law – click here for an 88-page document!
When does the GDPR come into effect?
The GDPR is being enforced from May 25th, 2018. This gives you 5 months from now to really ensure you’re ready & not going to receive any surprise fines in the post.
We incorporate privacy policies into our website complying with all modern law changes in the EU and beyond. Creative Wavelength websites also ensure GDPR compliance is followed on the backend, taking the stress of these new law changes away. Our service plan packages on Business+ and beyond will also ensure you’re following this new law change.
Does your business check off GDPR compliance?
First off, before we get into a checklist: if your business doesn’t have a privacy policy of some kind, you’re already breaking the law. The same applies if you’re using cookies to track customer spending habits for the purpose of analytics without a cookie policy displayed clearly to the user. These are among the first things officers will check with your online business.
If you want to prepare for GDPR compliance, there is a handy step-by-step PDF guide located here, which I will summarise below.
- Awareness – make key personnel aware of the changes GDPR will bring and carry out risk assessments across your online identity. Be aware of the new rights this law grants your consumers/traffic and be aware of how to deliver on them if asked.
- Assess the information you currently hold about individuals (not limited to working or personal accounts – a person is a person under the new rules). Ensure you hold accurate data, and if you have shared data with 3rd parties, pass on any inaccuracies so they can be corrected. The law also requires you to keep a record of the data updates or sharing you do.
- A privacy policy must be kept in place with clear, easy-to-understand language stating the lawful purpose for which you are using their data – you also need to provide your identity in the said privacy policy. Most good privacy policies already incorporate this information based on your business identity – businesses on our business service package already get a premium privacy policy custom tailored to their business and GDPR compliant.
- You must be able to ensure that you can delete users’ records completely from your business and site if requested. You must also be able to provide users electronically with the complete list of their held data in an easy way. So before the new law passes, administrators must have a workflow for both of these tasks, as they are vital.
- You cannot charge users for their request in most cases unless it is manifestly unfounded or excessive. You have 30 days instead of 40 to comply with requests. You can refuse a request, but an explanation must be given why, and the user will have the right to complain to the supervisory authority.
- You should note your lawful reasons for collecting data and document them in the privacy policy; users have stronger rights to have data deleted than previously under the DPA.
- Users’ consent must be clear and obvious and written clearly; pre-checked checkboxes will no longer cut it. You need the user to be in full knowledge when they are ‘opting in’ to any data being held or processed about them. A useful guide is located here.
- Children’s data will be given extra protection – those aged under 16 will require additional parental or guardian verification for their data to be held or processed. Privacy policies must be clear and concise for the age group and written in simple terms if aimed at under-16s. This may be lowered to 13 in the UK.
- You must have security systems in place to detect any potential data breach. If your data is breached and the breach is of high risk to those involved, you must inform them and the ICO.
- Privacy by design is no longer merely recommended practice but a legal requirement under the GDPR, termed ‘data protection by design’. Organisations that handle data and fall under the following situations are required to carry out ‘Data Protection Impact Assessments’:
  - Where a new technology is being deployed;
  - Where a profiling operation is likely to significantly affect individuals; or
  - Where there is processing on a large scale of the special categories of data.
- Data protection officers will be mandatory in some cases (more on that below) but are mainly required in public authorities, those who manage data on a large scale and those who manage data on a large scale in specific categories such as health records.
- If your organisation holds multiple offices across Europe, you must designate and make clear which is the lead when it comes to data protection supervision.
You have until May 2018 to make sure you’re fully prepared for this, and the larger your organisation, the sooner you should act. The more complicated or poorly set up your data management is, the harder it will be to have systems in place for ensuring your business is GDPR compliant. In extreme cases, a full system overhaul for how you handle employee and customer data may be required.
Data protection officers
If your organisation in the UK is a ‘public body’ – a vague term, but one that seems to cover everything from government organisations to small parishes & schools – you will be required under law to ensure you have a Data Protection Officer in place.
If this directly affects you, then more information on who requires a data protection officer can be found here.
Will Brexit affect the GDPR?
Yes and not really. The UK will pass its own version of the law, but it will be fairly similar to the GDPR the Europeans are passing; some minor changes may be in place, such as the children’s minimum age requirements mentioned earlier. The best practice would be to prepare as if they will be identical.
Any further information I find out about will be edited into this article, likewise any necessary corrections, so feel free to bookmark it for further reference or share it using the social sharing links below with those who could benefit from seeing it.
Useful links
A summary of the GDPR from the ICO
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
Public information on GDPR
Useful guide from the Data Protection Commissioner of Ireland