As a business owner, you may have concerns over GDPR implementation, how to be fully compliant and how to avoid penalties for failing to comply.
This blog post will hopefully answer any questions you may have about the upcoming regulation. We also recommend that you read the ICO’s 12-step guide to preparing for GDPR.
What is GDPR?
On May 25th 2018, GDPR comes into force in the UK, replacing the 1995 Data Protection Directive. The primary objectives of GDPR are to give consumers control of their personal data, to strengthen and unify data protection for individuals within the European Union, and to unify regulations for international businesses and those within the EU.
GDPR will formalise concepts such as the ‘right to be forgotten’ online, data portability, data breach notification, data exportation and accountability. Failure to comply can result in fines of up to €20m, or up to four percent of global revenues.
As a regulation, GDPR does not require any legislation to be passed, and will be unaffected by Brexit.
Any organisation that collects and processes personal data will be required to comply. As well as websites and apps, this also includes internal databases, CRMs and emails.
Currently, personal data acts as a currency; sharing it gives users access to a multitude of services and content. A significant part of GDPR is about transparency: informing individuals about what data is being used, how, by whom and for how long. Organisations must also state whom the subject should contact with regard to the controller’s data processing activities.
Provable consent must be explicitly given to the data processor by the subject before their data can be processed. Additionally, the data must only be used for the purposes for which consent has been given, and the subject must be able to withdraw consent at any time.
Under GDPR, users will have the right to ask for their data to be permanently erased from your systems: logs, backups, signatures, the works.
All public authorities and any organisation that processes personal data on a significant scale must appoint a Data Protection Officer (DPO), who will be responsible for monitoring internal compliance with GDPR. The DPO will ensure data protection is kept high on the organisation’s agenda and that compliance is achieved and maintained.
What data will be affected by GDPR?
As defined by the EU, ‘personal data’ includes any information that can be used to directly or indirectly identify an individual. This covers everything from an email address to a name, an IP address, a photo and more.
By collecting personal data, you will have to respect user rights, which include:
- The possibility for users to view the data collected on them
- The possibility to rectify some data concerning them
- The possibility to delete data if requested
What about systems like Google Analytics, Mailchimp, Salesforce etc.?
GDPR classifies these systems as third-party processors as they process data on your behalf. The majority of these systems should be going through the process of becoming GDPR-compliant, if they have not already done so.
What steps do I need to take to comply?
In order to comply with GDPR, companies that handle personal data must fully understand what kind of information they hold, where they hold it and who has access to that data. To establish this, a company-wide audit is recommended and ideally, this will be carried out as soon as possible.
It is important that all employees who have handled, or will in future handle, personal data are made aware of these new regulations. Employees should fully understand the provisions and what they will mean for the organisation.
Moving forward, companies should update their data protection policies and put in place rigorous schemes to govern them. There should also be a system to quickly notice and respond to any data breaches.
GDPR compliance may seem like an overwhelming task, but the reality is that every business must take action to protect themselves and their users sooner rather than later.
What does GDPR mean for my organisation?
There are a number of ways GDPR legitimises the holding and processing of personal data, but for many, the primary concern is consent.
Consent must be clear, affirmative and verifiable. Assuming implied consent on the basis of a box left unchecked on a form years ago won’t cut it.
Here’s an example: cookie banners use implied consent to set a cookie for the user upon arrival. To date, this has been consistent with compliance rules. However, from May 2018 you will need explicit consent. If you don’t obtain it, and no other basis for the data processing applies, you won’t be able to set that cookie.
GDPR establishes a number of rights for individuals, some of which you may already be compliant with, and some which will be new to you. The key point is that you need to agree how you will comply with those rights in practice.
The same applies to breaches: if data leaks, how will you meet your obligations? Keeping a risk log will help you identify issues early and avoid or minimise any inconveniences.
It is important to understand your data landscape, so you can prepare for GDPR. How you use personal data will impact the tools and processes you use every day.
Many organisations have silos of data: individual, unconnected pots of information held across departments, and these will need to be unearthed and understood under the new regulations. Now is the ideal time to clarify this information, so every part of the organisation can be clear on how, why and where it is being held.
Mapping the flow of data provides better visibility over what data is being collected and processed. Understanding where your data resides will be a key element of your GDPR preparation.
As a digital technology agency that serves clients across a range of sectors and geographical borders, we have had to assess our own processes to find the best way forward for ourselves and for our clients.
We have a big role to play in safeguarding the data of those who use the platforms we build, and GDPR compliance is a part of that.
For us moving forward, the key takeaway from GDPR is the idea that enhanced privacy should feature in design by default. A user’s privacy should be at the core of any digital platform.
It’s also fair to say that as a digital technology agency, we’re interested in exploring what’s possible for our clients and their users. It’s no secret that knowing more about user behaviour can dramatically help organisations to provide the best possible experiences, and the easier it is to access that data, the more opportunities arise.
But as an agency that relies upon data to inform our strategy, we welcome the introduction of GDPR as it will allow organisations like us to demonstrate robust data governance, select appropriate protection and enjoy the benefits that come from secure data practices. Ultimately, GDPR will help to make companies more aware of the data they hold, where it is coming from and how they store it, and that is no bad thing.
Simply put, we view data protection as an act of social responsibility and business best practice.