(DISCLAIMER: This is NOT legal advice, we are not lawyers!)
For small to medium businesses, GDPR is a minefield, made worse by the incomplete guidance available and the huge sums of money some legal and GDPR companies are charging for their advice (which they won’t accept liability for if they’re wrong!).
As a small business ourselves, we’ve done a lot of research on the topic to ensure we are up to speed and compliant. So here it is from us, put as simply as we can…
What is it?
In the UK, the current Data Protection Act 1998 sets out how personal information can be used. GDPR is a new EU regulation aimed at strengthening data protection for everyone. The key difference between the Data Protection Act and GDPR is that GDPR tightens the rules on how personal data can be used. The rules are much stronger, with big financial penalties (up to £17 million or 4% of a company’s annual worldwide turnover), and more restrictive than the “EU cookie law”.
If you think Brexit is a potential get out clause, think again. We may be leaving the EU, but we still have to implement GDPR!
There are two main aspects of the GDPR: “personal data” and “processing of personal data”.
Personal data pertains to “any information relating to an identified or identifiable natural person” – like a name, email, address or even an IP address. Processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, the simple act of storing an IP address in your web server logs constitutes processing of a user’s personal data.
The GDPR applies to both automated personal data and to manual filing systems.
GDPR will have a huge impact on website design. It will also affect how your website integrates with digital activity like email marketing, social media, and e-commerce.
Are you a controller, processor or both?
A ‘controller’ is the body that decides the purpose and manner that personal data is used, or will be used, and a ‘processor’ is a person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.
All individuals and companies that are ‘controllers’ or ‘processors’ (or both) of personal data are covered by the GDPR, which includes ecommerce merchants storing data about individuals.
Do you need to employ a Data Protection Officer?
The GDPR does not require everyone to appoint a Data Protection Officer. However, the recommendation is that companies should designate someone to take responsibility for data protection compliance, even if they are an existing member of the team acting as a ‘voluntary DPO’. Beware though: ‘voluntary DPOs’ need to understand Data Protection and GDPR law to a competent level. If you don’t appoint anyone, then you should keep records of all decision-making processes, including why you don’t have one.
How do you start to ensure you’re GDPR compliant?
The best way to begin is by doing a data mapping exercise. Even if you seek external support to help ensure you’re compliant, you are best placed to do this exercise yourself: it will not only save you money, but you are the one who knows what data you hold and where. Your website might collect user data in the following ways, for instance:
- user registrations
- contact form entries
- analytics and traffic log solutions
- any other logging tools and plugins
- security tools and plugins
A security audit of your website should, in general, reveal how data is being processed and stored on the servers, and what steps are required to comply with the GDPR.
When you are data mapping, don’t forget things like contact databases on your email system. Have you got saved emails with personal information in them, e.g. CV attachments from any recruitment? Anything that has personal data on it needs to be included in the process.
We’ve done our data mapping in an Excel spreadsheet with the following headings:
- Data Title – what is the name of your data? e.g. hospitality sales
- Description – what is the data? e.g. hospitality ticket sales
- Purpose of Data – why has it been collected? e.g. to send out tickets and for digital marketing purposes
- Data Collected – what data has been collected? e.g. name, address, email, mobile, age
- Format – how is the data stored? e.g. Excel spreadsheet
- How Data Was Collected – was the data collected in a GDPR-compliant way? e.g. did they have to opt in to receive information?
- Transfer – is the data ever shared internally or externally, and how? e.g. internally shared through the server and externally via email to third-party data processors
- Protected – is the data protected, and how? e.g. password protected
- Reviewed/Disposal – how often is the data reviewed, and has it been disposed of?
- Manager – who is responsible for managing the data? e.g. Events Manager
- Accessibility – who has access to it? e.g. Events Assistant
How do I make sure I’m compliant?
Under the GDPR, the requirement that consent be freely given, specific and informed is strengthened. A significant part of this involves transparency: informing individuals about what personal data is being used, how, by whom and for how long.
Communication is key. It’s important to be clear and concise, and to give people a way to request a copy of the data you hold on them (which you must provide within a month of the request) and/or have it deleted if they wish. A data subject has the right to have all the data you hold on them deleted. If an individual asks you to remove their data from your systems, you have to comply. All backups, all references - literally everything.
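As an added illustration (not code from the original article), the following Python sketch handles the two requests just described across several stores at once: a copy of everything held on a person, and erasure from every store, backups and web logs included, with a per-store count you can keep as evidence. The stores, records and log lines are constructed sample data, and the deadline helper assumes “within a month” means one calendar month.

```python
# Added example, not from the original article: answering a data subject's
# access request (copy of their data within a month) and erasure request
# (removed from every store, backups included). The stores and records are
# constructed stand-ins for a CRM table, a mailing list, a backup snapshot
# and a web server access log.
import calendar
import copy
from datetime import date
from urllib.parse import unquote


def build_stores() -> dict:
    """Constructed sample data: one person appears in several places."""
    crm = [
        {"id": 1, "name": "Jane Doe", "email": "jane@example.com", "phone": "07700 900000"},
        {"id": 2, "name": "Sam Roe", "email": "sam@example.com", "phone": "07700 900001"},
    ]
    return {
        "crm": crm,
        "mailing_list": ["Jane@Example.com", "sam@example.com"],
        "backup": copy.deepcopy(crm),  # the backup holds the same record again
        "web_log": [
            '203.0.113.5 - - [01/May/2018:10:00:00 +0000] "POST /contact?email=jane%40example.com HTTP/1.1" 200',
            '203.0.113.9 - - [01/May/2018:10:05:00 +0000] "GET / HTTP/1.1" 200',
        ],
    }


def _mentions(value, email: str) -> bool:
    """True if a record or log line refers to the subject's e-mail address.
    Compares case-insensitively and after URL-decoding, so an address that
    was URL-encoded into a logged query string is still found."""
    if isinstance(value, dict):
        return any(_mentions(v, email) for v in value.values())
    return isinstance(value, str) and email in unquote(value).lower()


def export_subject_data(stores: dict, email: str) -> dict:
    """Right of access: every record in every store that relates to the subject."""
    email = email.lower()
    return {name: [r for r in records if _mentions(r, email)]
            for name, records in stores.items()}


def erase_subject(stores: dict, email: str) -> dict:
    """Right to erasure: drop the subject from every store (backups and logs
    included) and return a per-store count so the action can be evidenced."""
    email = email.lower()
    removed = {}
    for name, records in stores.items():
        keep = [r for r in records if not _mentions(r, email)]
        removed[name] = len(records) - len(keep)
        records[:] = keep  # replace in place so the store object itself is updated
    return removed


def response_deadline(received_iso: str) -> str:
    """Latest date (ISO format) to answer an access request: one calendar
    month after receipt, clamped to the last day of a shorter month."""
    received = date.fromisoformat(received_iso)
    month = received.month % 12 + 1
    year = received.year + (1 if received.month == 12 else 0)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day)).isoformat()


if __name__ == "__main__":
    stores = build_stores()
    print(export_subject_data(stores, "jane@example.com"))
    print(erase_subject(stores, "jane@example.com"))
    print(response_deadline("2018-01-31"))
```

The point of routing every store through the same matcher is that a real business rarely has one place where a person appears; the count returned by erase_subject is what you would file alongside the request to show it was honoured everywhere.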
Here are some headlines for you to consider whether you are (or how to be) GDPR compliant:
- Provable consent must be explicitly given and the data must only be used for the purposes that consent has been given.
- Verifiable consent must be given by a minor’s parent or guardian before their data can be used.
- Website forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank.
- Consent should be set out separately for accepting terms and conditions, and acceptance of consent for other ways of using data i.e. contacting them with promotions and offers.
- Users should be able to provide separate consent for different types of processing (e.g. post, email, telephone), and you should ask separately for permission to pass details on to a third party.
- It must be as easy to remove consent as it was to grant it. Individuals always need to know they have the right to withdraw their consent from all or some of the lists you hold them on.
- Web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations, they need to be named.
- Your Privacy Notice and Terms and Conditions need to be updated to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain it, both on your website and in your office systems.
- If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway. If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period. The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary.
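An added example (not the article’s own code) of the retention step in the last point: a scheduled job that strips personal details from stored orders once the chosen retention period has passed, while keeping the non-personal transaction record. The order records are constructed; RETENTION_DAYS of 90 and the rule that only completed orders are scrubbed are assumptions, since the GDPR does not fix a number of days.

```python
# Added example, not from the original article: removing personal details
# from stored e-commerce orders once a retention period has passed, while
# keeping the non-personal transaction record. RETENTION_DAYS and the
# "complete" status rule are assumptions; the GDPR does not fix a number of
# days, so choose one you can defend as reasonable and necessary.
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed reference time
RETENTION_DAYS = 90  # assumption: window after which personal details are removed
PERSONAL_FIELDS = ("name", "email", "address", "phone")  # removed on expiry
# Fields kept after scrubbing: nothing here identifies the customer on its own.
RETAINED_FIELDS = ("order_id", "amount", "currency", "gateway_ref", "created_at", "status")


def build_orders(now: datetime) -> list:
    """Constructed sample orders relative to 'now', all already passed to the gateway."""
    def order(order_id, age_days, status):
        return {
            "order_id": order_id, "name": "Jane Doe", "email": "jane@example.com",
            "address": "1 High Street, Anytown", "phone": "07700 900000",
            "amount": 25.00, "currency": "GBP", "gateway_ref": f"gw_{order_id}",
            "created_at": now - timedelta(days=age_days), "status": status,
        }
    return [
        order("A100", 120, "complete"),   # older than the window: scrub
        order("A101", 10, "complete"),    # still within the window: keep
        order("A102", 200, "disputed"),   # old, but still needed while open: keep
    ]


def holds_personal_data(order: dict) -> bool:
    """True while any of the personal fields is still present."""
    return any(field in order for field in PERSONAL_FIELDS)


def is_minimised(order: dict) -> bool:
    """True once only the retained, non-identifying fields remain."""
    return set(order) <= set(RETAINED_FIELDS) | {"scrubbed_at"}


def scrub_expired_orders(orders: list, now: datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Strip PERSONAL_FIELDS from completed orders older than the retention
    window. Idempotent: already-scrubbed orders are skipped. Returns the ids
    scrubbed on this run so the job can be logged."""
    cutoff = now - timedelta(days=retention_days)
    scrubbed = []
    for order in orders:
        if order["status"] != "complete" or order["created_at"] >= cutoff:
            continue  # purpose not yet fulfilled, or still inside the window
        if not holds_personal_data(order):
            continue  # nothing left to remove
        for field in PERSONAL_FIELDS:
            order.pop(field, None)
        order["scrubbed_at"] = now
        scrubbed.append(order["order_id"])
    return scrubbed


if __name__ == "__main__":
    orders = build_orders(NOW)
    print("scrubbed:", scrub_expired_orders(orders, NOW))
    for o in orders:
        print(o["order_id"], "minimised" if is_minimised(o) else "still holds personal data")
```

Running the job on a schedule (daily cron, for instance) and logging what it returned gives you the evidence that the retention period you chose is actually being applied, which is the defensible position the article is pointing at.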
What about my existing data?
Companies will have to make sure the consent they’ve already got meets the standards of the GDPR. If not, it will have to be re-obtained.
I use a third-party processor; do I still need to be GDPR compliant?
Yes. It is your responsibility to ensure any third party you use is GDPR compliant. Contact them and find out if and when they plan to be compliant. If they don’t give you a satisfactory answer, get them to delete all the data they hold on your business and replace them with someone who will.
What happens if I have a data breach?
The GDPR requires you to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the DPO has a legal obligation to report a data breach within 72 hours. They will expect full details of the breach and proposals for mitigating its effects.
Holding data is a liability. Unless you need to keep it, delete it!
All information featured in this article is obtained from or influenced by the sources found below. This article is designed as an aid only. We recommend you seek legal advice or contact the ICO for official and additional information about the GDPR.