What is GDPR?
The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. The Regulation tackles the inconsistent data protection laws currently existing throughout the EU’s member states and facilitates the secure, free flow of data. It replaces the outdated Data Protection Act 1998 and all data protection legislation in EU member states.
It comes into effect on 25th May 2018. Although we are in the process of Brexit, working towards GDPR compliance remains crucial.
What are the consequences of non-compliance?
Potentially a fine – and a hefty one – of up to €20,000,000 or 4% of global annual turnover, whichever is higher. That is a scary figure. However, many experts believe that because this is the maximum, it is the figure most often bandied around, and in reality a fine made against an SME would be much smaller. This does not mean it is not something you need to worry about. Whilst the ICO does not plan to hit lots of SMEs with a maximum fine, you are still putting your reputation at risk by not showing a willingness and an honest attempt to adjust to and comply with the new GDPR regulation.
Why GDPR, why now?
There is a need in Europe and beyond to address many outdated data protection laws, bring them up to date with technological advancements and align standards. There is a huge amount of personal data at risk, and GDPR seeks to address that. Some of the current issues include:
- Outdated legislation – In the UK, data protection is enforced under legislation created in 1998.
- Inconsistent landscape – When data is shared between different states, the data is subject to inconsistent laws, rules and regulations.
- Limited control by users – The law does not help individuals ask questions of organisations about how their data is collected, processed and stored.
- Lack of security – The law does not require specific security standards when storing customers’ personal data.
I’m worried, this seems big
Well, it is, but we believe GDPR is a good thing, not just another piece of bureaucracy. It will force all businesses into reviewing how they process and hold data. It’s nothing to worry about as long as you review your processes and act upon them.
Ok, what do I need to do?
If you haven’t started preparing for GDPR, we would suggest you need to now. In a nutshell, once GDPR comes into force, your business must:
- Keep a record of all data gathering you perform and consider whether you have the required agreements in place
- Carry out a privacy impact assessment (PIA). More information can be found here on the ICO website
- If applicable to your organisation, designate a data protection officer (DPO)
- Review your processes for the collection of personal data
- Be aware of your duty to notify the relevant authority of a data breach and have a process in place for carrying this out
- Implement “privacy by design” and “privacy by default” in your systems – this is where we come in; see below.
Specific activities need to include
- Review how you obtain consent. For example, do you ask your customers for permission before you use their data? Do you tell them what it will be used for? Consent must be ‘explicit’, which means they have to actively agree by ticking a box – having the box ticked by default is not an option. If you have previously obtained personal information by a ‘default consent’ method, you must make provision to contact everyone in your database, asking them to ‘opt in’ to specific activities. If they do not reply, they must be removed from the database.
- Implement a process that allows your customers to exercise their right to request the data you hold on them and their right to have that data removed. If you do not have a legal obligation or a valid reason to retain that data, customers have the ‘right to be forgotten’, i.e. all of their data must be deleted.
- Create a policy and process for notifying the ICO of a personal data breach. You must do this within 72 hours of becoming aware of the breach, where feasible. Whilst we understand we may be part of this process, the ICO has a useful resource here. The notification must state: 1. its nature; 2. the approximate number of people affected; 3. the contact information for your organisation’s DPO (if one has been appointed).
What are we doing as part of GDPR?
For clarity, the GDPR often refers to the ‘Data Processor’ and the ‘Data Controller’. You are the ‘Data Controller’, and your organisation’s GDPR responsibility rests with you. However, as your ‘Data Processor’, we can assist you in this process by detailing our actions, as GDPR makes it clear that any business processing EU data must be compliant.
- We use UKFast for your hosting solution. They are an ISO 27018-certified business. The certification provides standards that hold up against audits, customer enquiries and government reviews.
- You are part of a Jellyhaus Dedicated Solution. Only sites designed and built by Jellyhaus rest on this solution.
- The solution has a dedicated Cisco firewall to help detect and prevent malicious attacks on your data.
- We implement ‘Privacy by Design’ when creating websites, following industry guidelines on the coding and creation of software applications.
- We custom code all our websites, so if you need a specific mechanism for customers’ ‘right to be forgotten’ or ‘right of access’, we can implement it for you.
How we will be compliant
- Over the coming weeks, we will be updating our policies and procedures to enable effective implementation of GDPR and to set out how we can assist you in the event of a data breach and/or customers exercising their ‘right to be forgotten’.
I’d like to know more
GDPR will affect everyone in different ways, depending on how much data you collect and how you are already collecting it. The ICO has a comprehensive guide to GDPR, which can be accessed here.