Does GDPR apply to me?
If you operate within the EU, and you handle and store personal data (this includes names, email addresses, telephone numbers, payment details and IP addresses), then you have to comply. The regulation applies across the board, irrespective of company size or sector.
The changes you need to make depend on what information you collect, how you collect it, who has access to the data, and how you intend to use it and handle its long-term storage.
No exit despite Brexit
GDPR came into effect while the UK was still a member of the European Union, and the UK adopted all EU legislation in force at that time. During the transition period, EU laws will be rewritten in line with Britain’s new position, meaning that all UK organisations that collect personal data will still have to comply with GDPR.
Does my website have to be compliant?
GDPR states that if a website collects, stores or uses personal or special category data, site owners must tell users who they are, why they are collecting data, for how long and who receives it; get clear consent, let users access and export their data, inform users within 72 hours of a breach and let users erase their data.
Whilst not an exhaustive list, this will impact website plugins, privacy policies, cookie policies, forms, comments, Google Analytics tracking, e-commerce, user databases and mailing lists.
What about Salesforce, MailChimp, etc.?
These systems are classed as third-party data processors because they process data on your behalf. Most, but not all, of them are run by US companies, which should be going through the process of becoming GDPR compliant if they have not already done so.
These companies should also be Privacy Shield compliant. The Privacy Shield framework was jointly developed to provide mechanisms that protect the flow of personal data between the EU and the US.