If you collect and process any form of personal data, you need to know about the new GDPR legislation. We have taken a look at what GDPR will mean for your business and outlined the steps you should take to make sure your business and website are ready.
What is GDPR?
The General Data Protection Regulation (GDPR) is new EU legislation relating to data protection. It has been created to strengthen the rights of individuals when it comes to the collection, use and storage of their personal data. It also places data management obligations on businesses, backed by a new structure of fines for those who do not comply (up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches).
The new law applies to all organisations and companies established in the EU, and to organisations anywhere in the world that offer goods and services to individuals in the EU or monitor their behaviour. It comes into force on 25th May 2018, and will not be affected by the outcome of the Brexit negotiations; the UK Government is implementing a new Data Protection Bill, which carries over the majority of the areas covered by the GDPR.
What does this mean for me & my business?
If you collect and process any form of personal data, you need to make sure your website, internal systems and processes comply with the new legislation.
Ultimately, the new law is designed to offer better protection for everyone. Your company will benefit from being able to reassure your customers and clients that you can be completely trusted with their personal data, by adhering to the new legislation. There are also new powers to fine organisations who do not follow the GDPR, so it is important you know what actions you need to take to make sure you’re compliant by the roll out date.
What is Personal Data?
The data referred to in the GDPR falls into two main categories, and both types are subject to the legislation.
Personal Data is any information relating to a living person who can be identified from it, directly or indirectly. This includes obvious details such as name, address and email address, but also location data, IP addresses and other online identifiers such as cookie IDs.
Special Category Data (called Sensitive Personal Data under the old Data Protection Act) has to be handled even more carefully. It covers details of an individual's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, and sex life or sexual orientation. Processing it needs both a lawful basis and one of the additional conditions set out in Article 9 of the GDPR.
What action do I need to take?
The new legislation gives individuals clear rights over the personal data a company holds on them: the right to access it, to have it corrected or erased, to restrict or object to its use, and to receive a copy in a portable format. These requests are normally free of charge (a fee can only be charged for manifestly unfounded or excessive requests), and some of the rights only apply in particular circumstances. Therefore, you need to make sure your records are clear, secure and easy to access, should a client or customer make a request.
You should take the following steps to get ready for GDPR:
- Carry out an audit to find out what personal data you hold.
- Clearly document your policies and procedures for handling this personal data.
- Identify a legal basis for all your personal data processing.
The Information Commissioner's Office (ICO) is the supervisory authority for the GDPR in the UK. The ICO website contains lots of information for businesses about preparing for the changes, so we recommend you take a look. Their 12 Step Guide ("Preparing for the GDPR: 12 steps to take now") is especially helpful.
How do I do an audit?
To carry out a complete, thorough audit, you will need to take a detailed look at every area of your business that relates to personal data collection and processing.
This should include (but is not limited to)…
- Who do you hold data on and what is collected? Is any of it special category data?
- What file types are used and where is it stored? (locally, on a web server, in the cloud etc…?)
- How long do you store the data for, why, and how is it secured (access controls, encryption, backups)?
Most organisations use a variety of different tools to collect and store data about customers and clients. You should be careful to search every system, including…
- WordPress plugins and ecommerce tools on your website
- Digital files, documents, spreadsheets and databases
- Storage and backups, such as USB sticks and portable drives and devices
- Cloud storage platforms (Google Drive, Dropbox etc…)
- Your emails, messaging apps and social media
You should also consider any third parties who have access to your data. For example, many businesses use Mailchimp to deliver news and updates to their customer base. Under the GDPR a third party that processes personal data on your behalf is a "processor", and you must have a written contract with them that sets out how the data is handled. Check the plans third parties have in place to comply with GDPR, and find an alternative if they don't have one.
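As an added illustration of the "search every system" step (example code written for this article, not an ICO tool and not from the original post): a small Python scanner that walks a directory of exported files and flags ones that appear to contain personal data, counting identifiers per file and marking files that mention special category topics. The regexes, the keyword list and the file extensions it looks at are assumptions for illustration; they are a starting point for a manual review, not a complete data-discovery product. The files it scans are constructed samples, created in a throwaway directory so the script runs offline.

```python
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Regexes for common direct and indirect identifiers. These are hypothetical
# audit heuristics chosen for this example, not anything prescribed by the GDPR
# or the ICO; tune them to the data your own business actually holds.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
}

# Crude keyword heuristic for Article 9 special category data (constructed
# list). A hit means "a human must look at this file", nothing more.
SPECIAL_CATEGORY_TERMS = re.compile(
    r"\b(diagnos(?:is|ed)|medical|disability|religion|ethnicity|"
    r"trade union|sexual orientation)\b",
    re.IGNORECASE,
)

# Text formats worth scanning; binaries such as images are skipped.
SCAN_EXTENSIONS = {".csv", ".txt", ".md", ".log", ".json"}


def scan_text(text):
    """Count identifier matches in text and flag special category keywords."""
    hits = Counter()
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return {"hits": hits, "special_category": bool(SPECIAL_CATEGORY_TERMS.search(text))}


def scan_tree(root):
    """Walk root and return {relative path: scan result} for files with findings."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        result = scan_text(text)
        if result["hits"] or result["special_category"]:
            findings[path.relative_to(root).as_posix()] = result
    return findings


def build_sample_tree():
    """Create a temporary directory of constructed sample files (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="gdpr_audit_"))
    (root / "hr").mkdir()
    (root / "logs").mkdir()
    (root / "customers.csv").write_text(
        "name,email,postcode\n"
        "Alice Smith,alice@example.com,SW1A 1AA\n"
        "Bob Jones,bob@example.org,M1 1AE\n"
    )
    (root / "logs" / "access.log").write_text(
        '10.0.0.5 - - [25/May/2018:10:15:02 +0100] "GET /account HTTP/1.1" 200\n'
        '192.168.1.20 - - [25/May/2018:10:16:40 +0100] "POST /login HTTP/1.1" 302\n'
    )
    (root / "hr" / "sick_notes.txt").write_text(
        "Bob Jones was diagnosed with asthma on 03/04/2018. "
        "Emergency contact 07700 900123.\n"
    )
    (root / "README.md").write_text("Internal notes. No customer data here.\n")
    (root / "logo.png").write_bytes(b"\x89PNG not scanned")
    return root


def run_demo():
    """Scan the constructed sample tree, clean it up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, result in run_demo().items():
        flag = " [SPECIAL CATEGORY - review by hand]" if result["special_category"] else ""
        print(f"{path}: {dict(result['hits'])}{flag}")
```

Point scan_tree at an export of each system from your audit list (a mailbox export, a copy of your web server's uploads directory, a dump of a spreadsheet share) and use the per-file counts to decide what needs a retention decision, what needs extra protection, and what you can delete. Note that the access log is flagged purely because it holds IP addresses, which is a reminder that logs and backups are in scope too.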
What should the documentation include?
When you document all your policies and procedures for handling personal data, you should be sure to include your plans for the following situations:
- If an individual requests access to, amendment of, or deletion of their records, how will you verify their identity and carry out the request within the one month time limit specified in the GDPR? (The limit can be extended by up to two further months for complex or numerous requests, but you must tell the individual within the first month.)
- Outline what you are doing to keep personal data safe, from the files stored on your computers to personal data that is submitted on your website.
- How you would handle any security breaches or hacks. The GDPR requires a breach that is likely to result in a risk to individuals to be reported to the ICO within 72 hours of you becoming aware of it, and the affected individuals to be told without undue delay where the risk to them is high, so you should ensure you have a clear procedure in place.
How do I establish a legal basis?
There must be a lawful basis for holding and using personal data. The GDPR sets out six lawful bases (Article 6), and at least one must apply to each processing activity; you should record which one you are relying on and state it in your privacy notice.
Is the data you collect…
- Necessary for a contract?
- Part of a legal obligation eg keeping business expenses?
- Collected with clear consent, that can be withdrawn at any time?
- Necessary for a legitimate interest (balanced against the individual's interests), to protect someone's vital interests, or to perform a public task?
Once I have done these checks, what should I do next?
If you have carried out your audit, outlined your procedures and processes, and identified your legal basis you should:
1) Delete any personal data you no longer need (Wetherspoons deleted their entire list of customer emails as part of their preparation for GDPR).
2) Do a risk assessment on any remaining data, identifying and protecting that which is high risk.
3) Carry out a Data Protection Impact Assessment (the GDPR's name for a Privacy Impact Assessment) on any past or future project that involves processing likely to result in a high risk to individuals, for example large-scale use of special category data.
(Please note that this post is for information only, and should not be considered legal advice.)