On 25th May 2018, the new European Union General Data Protection Regulation (GDPR) came into force in an effort to protect consumers and their data in light of the new ways in which data is now used. This has a wide-reaching effect and will have an impact on every business within the European Economic Area.
Do you know what it means to your business and how you should comply?
The GDPR is designed to introduce large penalties on organisations who fail to comply, or whose systems fail to protect against a breach of their users’ data. These regulations are not only applicable to businesses within the EU, but also to any business who handles data from citizens residing within the EU – obviously this is a pretty far-reaching net. Clearly, this also means that Britain’s exit from the European Union will have no bearing on the requirement for UK businesses to comply with these regulations – in fact, the UK government are already planning to implement their own regulations that will in effect serve to enforce GDPR within UK law.
So what does GDPR mean for my business?
- The new GDPR legislation came into effect on 25th May 2018, and is applicable from that date.
- Personal data breaches must be disclosed within 72 hours.
- Penalties for non-compliance can reach €20 million or 4% of your global turnover (whichever is greater).
- GDPR applies to all companies who store and/or process the personal data of EU subjects, regardless of the location of the company.
What does the term “Personal Data” mean?
- “Any information relating to an identifiable person who can be directly or indirectly identified in particular reference to an identifier” (ref: EU GDPR).
- This includes names, identification numbers, location and online identity data (IP addresses, etc).
What are the specific terms of GDPR that will affect my business?
- Right to Access – data subjects must be given the ability to request a free-of-charge electronic copy of their personal data stored by your company.
- Right to be Forgotten – data subjects must be given the ability to request that their data be destroyed.
- Data Portability – data subjects have the right to receive a copy of the data concerning them in a ‘commonly used and machine readable format’.
- Breach Notification – within 72 hours of becoming aware of a data breach, both data controllers and data processors must inform all potentially affected data subjects.
- Privacy by Design – this part of the legislation requires that data controllers and data processors only hold and process the data that is absolutely necessary for the completion of their duties. These parties must also ensure that access to this data is only provided to those who need it to carry out the processing.
What do I need to change on my website in order to ensure it is compliant?
This will change slightly from business to business, but in general terms:
- It is no longer acceptable to infer acceptance, nor is it allowed to default options to “Accept”.
- Data subjects must be given the ability to opt out at any time, as easily as it is for them to opt in.
- Any contact, registration, comment or application form on your website must ask users for their consent to further communication. Again, this must be explicit consent, and answers must not be defaulted to “accept”.
How can you help me to ensure that my website is compliant?
We’ve had an exceptionally busy time in the lead up to GDPR helping many of our existing and former customers to update their websites accordingly. If you have a WordPress website, we’d be more than happy to help. Simply get in touch with us using our contact form and we’ll do our utmost to help!