GDPR and how it affects your business
First, a disclaimer: please note that we are not lawyers, and this is not legal advice.
The ‘General Data Protection Regulation’ (GDPR) is the European Union’s new data privacy law. The European Union is changing the way it regulates data protection in the wake of large-scale cyber attacks and data loss incidents. Coming into effect in May 2018, GDPR will supersede the existing UK Data Protection Act 1998, building upon and strengthening current rules.
GDPR has some potentially far-reaching consequences for businesses that don’t meet the new rules – including fines of up to EUR 20 million or 4% of your annual turnover. So it needs to be taken seriously.
Who is affected?
Any business taking online payments from, or handling consumer data of, EU citizens needs to be ready for GDPR adoption by the 25th of May 2018. It applies to any business that has customers in the EU (not just businesses located in the EU).
Does GDPR affect UK companies after Brexit?
Yes. Firstly, during the cross-over period, UK law will mirror EU law where relevant. However, non-EU countries with customers in the EU are affected too so, even after Brexit, most UK companies need to comply with GDPR.
What is GDPR anyway?
The GDPR replaces the UK’s Data Protection Act that is currently in place, and has a much wider scope. GDPR gives people more rights over their personal data, and it defines what counts as personal data very broadly.
GDPR covers all personal data that your organisation holds (e.g. Excel, any self-hosted data systems), and personal data held on your behalf by your third party partners (e.g. your web host, MailChimp, Salesforce, etc).
If you are a business owner, that means you are a data controller. Your web developer, web host and web-based marketing tools are data processors. The data controller is ultimately responsible for the protection of personal data they store. However, data processors are also responsible for meeting GDPR requirements.
What does GDPR regard as “personal data”?
If you collect or store any information that can be linked to an individual, that counts as personal data.
If you let your customers create accounts on your website, or you collect their email addresses, name, address, telephone numbers – even a user’s IP address – all of these count as ‘personal data’. This applies whether you store that data in a website, CRM system, Excel spreadsheets, or anything else.
What you need to do
Every business is different, so you may need more or less than is listed here, but this is a general guide:
1. Check if you need a data protection officer. This is not always obligatory – it depends on the type and amount of data you collect, whether processing is your main business and if you do it on a large scale. However, you still need someone to take responsibility for GDPR compliance, and to handle any data breaches.
If needed, your data protection officer should be a director or senior-level employee as they will require indemnity insurance to cover the liability of this role. Consider data protection training and certification. Also consider choosing someone who has a good understanding of data and how it’s used.
2. Update your websites’ privacy policies, to include, in plain language:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with? (e.g. third-party companies)
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
- Inform users that they can request to see the data you hold, and can request that it is deleted.
3. Ensure that you have consent to hold each individual’s personal information. You need to be able to “demonstrate that the data subject has consented to processing of his or her personal data”.
Here is the GDPR definition of ‘consent’: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Example steps to ensure you have consent:
- Don’t purchase email lists.
- Remove all automatic e-newsletter opt-ins on your site. All e-newsletter signup checkboxes must be empty in online forms, including on checkout pages.
- Enable ‘double opt-in’ functionality on your email marketing software (double opt-in means that a new subscriber is sent a confirmation email, and must click an activation link to confirm their subscription to your e-newsletter).
- Refresh existing consents now if they don’t meet the GDPR standard. This may mean inviting ‘older’ email subscribers to reconfirm their subscription.
- You “cannot infer broader consent from a simple failure to object”.
The ICO guidelines aren’t exactly clear on how long consent lasts: “The GDPR does not set a specific time limit for consent. Consent is likely to degrade over time, but how long it lasts will depend on the context.” (Source: ICO guidance)
4. Give people the right to opt out of direct marketing that uses their data.
Make it easy for users to unsubscribe from marketing emails and other marketing materials. Consider adding a form to your website which allows users to request to be opted out of direct marketing. Make sure these requests are acted on, promptly.
5. Collect only the information you need to run your business.
Don’t ask for unnecessary personal information on enquiry forms or as part of checkout processes. Collecting extra information in case you may use it in the future is unlawful. Information you hold about individuals that you have no use for must be deleted.
Delete personal information you have on servers, Excel sheets, etc. that you no longer use. This includes emails with attachments containing personal information.
6. Check that any third-party services you use (MailChimp, Google Apps, etc) are also GDPR-compliant. For third-party services based in the US, check that they are certified with the EU-U.S. Privacy Shield (a framework designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements). Also check for specific information about your suppliers’ commitments to data security and privacy, as a data processor.
7. You may keep copies of personal information, but only for backup and restore purposes. Up to four backups is acceptable. If you keep more, it needs to be justified. The location of the backups needs to be recorded in your data audit.
8. Create a data breach plan.
The new guidelines state that all organisations must report to the ICO “where a breach is likely to result in a high risk to the rights and freedoms of individuals”. For example, it could lead to discrimination or loss of confidentiality. The GDPR states that you must report a data breach to regulatory bodies within 72 hours of the breach. You must also inform people of data breaches if there is a serious risk to them.
Examples of data breaches:
- Personal information coming into the possession of an unauthorised data processor.
- Passing personal data into a non-GDPR-compliant country.
- Passing of personal data to a third party without the knowledge of the data subject.
- Personal information leaked as a result of a hack on a website.
Your data breach plan is what you will rely on in the event of a data breach (and you should be able to demonstrate it to regulators, should they request it). Your data breach plan should include steps for detecting an intrusion and steps for responding to the threat. Test your plan – go through worst-case scenarios with key staff.
9. You must let people access their data and give it to another company.
Have a plan in place to verify the requester’s identity, and process that request in good time (30 days), free of charge. Make sure you actually hold the data before processing the request; if you do not have the data, respond and say “I don’t have the data”. Do not create more personal data while performing the request. Record this event in a data audit log.
10. People have the ‘right to be forgotten’*.
Allow users to request that all data you hold is deleted, free of charge. If someone in the EU emails you and asks you to delete their history of purchases from your store, for example, you need to be able to make that happen. Verify the requester’s identity, and process deletion requests in good time (30 days). Record this event in a data audit log.
*The ‘right to be forgotten’ is not an absolute right and is subject to certain limitations, e.g. where you have a legal obligation to store data – this is covered in Article 17 of the GDPR. EU citizens do have an absolute right to prevent their data from being processed for direct marketing without their consent.
11. Update your contracts and NDAs.
All staff should sign NDAs and complete data protection awareness training. Update customer contracts with a GDPR clause. Update any contract and NDA templates that you may use.
12. Communicate your GDPR requirements internally
Communicate with your board and senior leadership, and train your staff.
13. You may need extra insurance to cover you in the event of a data breach.
Where does Consilience Media fit in?
We are a web development agency so, for our clients, we are a data processor – we are therefore putting in place measures to prevent data breaches and, more generally, to protect the rights of data subjects. We are also following the steps outlined above.
The goal of the GDPR regulation is to enforce transparency and care in how you handle your users’ personal data.
GDPR is designed to mandate organisations to develop a system of ‘privacy by design’, with the aim to get organisations to build data compliance into their processes from the start.
No company can, in good faith, claim 100% data security. So, although it is essential to do everything you can to meet the GDPR requirements which strengthen the handling of personal data, it is also sensible to expect that a data breach will happen at some point. You must, therefore, do all you can to protect personal data, have a plan to deal with data breaches, and respond appropriately when a breach occurs.
Each company is different, so how you handle customer data will determine what you need to do to comply with the new GDPR regulations. Take GDPR as an opportunity to formulate your processes for the collection, handling and security of personal data. Hopefully the above steps, plus the resources linked to below, will give you a good steer on what you need to do to become GDPR-compliant.
If you are a member of a trade association, check out any advice they may have which is specific to your sector.
If you’re still unsure, you may need to consult with a lawyer to check how GDPR may affect your business.
If you need help to ensure your website and online data processes comply with GDPR, please contact us.
- The EU has an interactive GDPR infographic, which is worth checking out
- The UK’s data protection authority is the Information Commissioner’s Office (ICO). The ICO has a PDF outlining 12 steps to take to prepare for GDPR
- ICO has published draft guidance to consent and GDPR (PDF)
- Salesforce have published this PDF to separate GDPR fiction from fact, which explains some details which other sources don’t cover
- International law firm White & Case have a detailed practical handbook on GDPR
- The UK Government Data Programme has created a six-point Data Science Ethical Framework to help organisations evaluate the benefits and risks of using personal data. This isn’t GDPR-specific, but may be useful nonetheless.
- The official text of Regulation (EU) 2016/679 (General Data Protection Regulation) is available in website form.