It’s highly likely you’ll have seen the initialism GDPR across the media, with people claiming to be experts on LinkedIn recently, mostly accompanied by worrying warnings of massive fines if you don’t comply by May 2018.
It’s true, the new GDPR (General Data Protection Regulation) is something that we all need to understand and get up to speed with; it will cost money to implement the changes and the penalties are large (4% of global turnover or 20 million euros for non-compliance – whichever is greater). And it doesn’t just apply to personal data, but to B2B contact data as well. Here at Preface Studios we see it as a very positive step towards protecting the privacy of clients and consumers, but it’s worth preparing yourself now.
As our work and personal lives have become increasingly digitised, companies are holding vast amounts of data and behavioural information on employees, prospects and customers. This poses a real threat if that data is stolen or abused – as we’ve seen in recent cyber-attacks and incidents of hacking. Research by Sharp found a quarter of workers store work information in the public cloud against company policy, two-fifths use their own devices at work, and a third take work home with them. This brings security issues for any data – from customer databases to sensitive payroll information held without management knowledge. Data breaches are almost inevitable. In this blog, we talk about the main areas you need to address to comply and what you need to think about in terms of information security, data privacy and governance.
In our 12 years of designing websites, we’ve seen them evolve from static brochure sites to interactive, engaging, entertaining and valuable consumer resources. We’ve also seen them develop into sophisticated selling tools; we optimise all our websites and incorporate strong calls to action – often supported by data capture – to maximise every consumer touch point and improve the user journey. This is fabulous for clients as it allows them to keep interested parties informed on new products, latest news and special offers on a regular basis. However, there are obviously implications to collecting and holding this data.
We know it’s difficult to get excited about regulation compliance! But, on the plus side, complying with GDPR is a real opportunity to show how much you respect the privacy of your employees, customers and potential customers. It will inspire trust and build confidence in your brand.
Who does it affect and how?
It affects you if you are involved in processing data on individuals related to selling your goods or services in the EU; so it’s still relevant to UK companies, despite Brexit. It places restrictions on the use of commercial data.
What do you need to know about requirements?
- Consent – you have to get consent to use someone’s data for marketing purposes and other processing, and you can’t use legal gobbledegook that confuses people to gain consent. It’s necessary to have an effective system for storing individual consent records. You’ll also need to make it easy for someone to withdraw consent. There are other valid reasons for processing data beyond marketing – performance of a contract, complying with legal obligations and reasonable processing for a legitimate business interest. Consent applies retrospectively: if you hold old contact data, you’ll have to ask for consent again (or delete your records). This is a good way to get back in touch with your consumers and show you respect their privacy and information.
- Breach notification in 72 hours – you must notify data controllers and customers within 72 hours if there’s a breach and any risk. The best thing is to have procedures in place to detect, report and address a security breach. If it happens while you’re enjoying a Friday evening beer, would you be ready to disclose a breach and potential risks with your Monday morning cuppa?
- Right to access – anyone can ask a data controller for a free electronic copy of their personal data.
- Right to be forgotten – if data is no longer relevant to a company, people can ask for any information to be erased and for dissemination to stop.
- Data portability – individuals can obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
- Privacy by design – inclusion of data protection from the outset when designing systems, implementing appropriate technical and infrastructural measures.
- Data protection officers – if you have more than 250 employees, you’ll need to appoint qualified officers if you monitor or process sensitive personal data.
There’s not a huge amount of time to make sure you’re compliant, so the advice is to make sure you’re ready and can show you’ve taken steps towards compliance before May 2018.
What do you need to do?
- Internal communication – make sure there’s awareness of the implications of GDPR throughout your entire organisation – training is key. If you fit the criteria above, you may also need to appoint a data protection officer.
- Data audit – map and audit data flows: what personal data do you hold, where is it stored, where is it sent, how is it processed and what do you tell people about that processing?
- Risk assessment – are your processes and handling of data secure?
- Identify joint controllers – third parties, such as healthcare providers, payroll, pension partners, marketing companies or consultants, may have access to your data. So you need to make sure you can show subcontractor contracts that ensure data is kept safe and private.
- Inform and enforce – conduct a review based on the new guidelines, and make changes to your privacy policies, Ts & Cs, contracts etc. accordingly.
Is your website GDPR ready?
As part of your data audit, you’ll need to look at your website and the data you collect. The new regulations mean anyone in charge of website planning or data input is responsible too (not just the website owner or hosting company). Make sure that you gain consent at every data collection point and make it clear to people that they’re giving consent. We also recommend notifying people about the information you’re holding in a way they’ll easily understand, and allowing them to be ‘forgotten’. Inaction (such as putting cookies on machines) is not consent. However, website performance tracking isn’t covered by the new regulations, as it’s anonymous. Companies are legally responsible for the collection of data and for storing it securely.
You can find out much more about the General Data Protection Regulation, which specifies how consumer data should be used and protected, here.
The regulations are enforceable in the EU from 25 May 2018.
We are supporting companies in Surrey to help ensure their websites comply, please get in touch if you’d like to know more: firstname.lastname@example.org.