Have you heard about GDPR? It’s been in the news recently and you might have some questions! Here’s a quick “all you need to know about GDPR” – though please note that the following is general information provided for discussion. I’m not a lawyer, so if you are concerned you should seek legal advice.
What is GDPR?
GDPR stands for General Data Protection Regulation and it’s a new regulation that’s been enacted by the European Union which comes into force on 25th May 2018. GDPR is an attempt by the EU to empower individuals concerned about the privacy and the use of their data. Detailed information is available on the EU’s website.
What’s The Point of GDPR?
The GDPR provides much stronger rules than existing laws and hopes to change the attitude of organisations across the world towards data privacy and data security. GDPR mandates that businesses and organisations who engage with EU citizens should – amongst other requirements – be transparent about (1) what data they collect and how they collect it; (2) what data they store; (3) why they collect that data and how they use it; (4) how individuals can request a copy of it – or request that it be deleted.
How Will GDPR Affect My Business?
The GDPR applies to data collected about EU citizens from anywhere in the world. If you do not engage with any EU citizens during the course of your business activities, then GDPR may not be an urgent matter for you. However, if an EU citizen visits your website, buys something from your business or receives an email newsletter from you – you are obliged to follow the regulations.
There is a lot of interest from other countries in this new legislation too, so don’t be surprised to see a similar regulation passing through parliament in your region of the world soon!
Will there be some disruption to your business? Probably not – but you should pay attention to what is needed. However, it’s up to you to decide what level your response should be – whether full compliance now, or working towards it. In the end – the responsibility sits with you as the business owner. In reality, how often GDPR will become an issue for you, or how many “events” will occur in relation to an EU citizen engaging with you, is impossible to say!
Should I Care About GDPR?
At the very least, think about it from a financial point of view. No business likes unhappy customers – and if a customer does complain about your disregard of GDPR – you could face a hefty fine! The penalty for non-compliance can be up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It is not clear who the EU will target or exactly how the EU proposes to “track down and pursue” individual companies, though they intend to have “regional auditors” roaming the internet, looking for non-compliance! It’s also not clear how the EU could “fine” a business not in their legal jurisdiction – but no doubt you don’t really want to find out!
So, in the interest of being a good global digital citizen, it’s recommended that you implement the necessary changes. The good news is, some of the compliance requirements are fairly straightforward (e.g. a Privacy Policy) and you’re probably already fulfilling that requirement (especially if Purple Dog built your website).
How To Become GDPR Compliant
There are many aspects of the GDPR – perhaps too numerous to mention in detail here. However, here are some of the key aspects of GDPR that should be taken into consideration:
1) Right to access – provide users with transparency in data processing and storage – in other words: what data is collected, where data is being processed and stored, and the reason behind the collection, processing and storage of the data. Users have the right to request a copy of their data.
2) Right to be forgotten – gives users the option to have their personal data erased, and to stop further collection and processing of such data. This involves the user withdrawing consent for their personal data to be used.
3) Data portability – this clause of the GDPR gives users the right to download the personal data for which they have previously given consent, and to transfer that data elsewhere.
To be compliant:
- You should publish a clear Privacy Policy page (like ours) and a declaration of what data is collected, how you use it and for what purpose.
- In the case of an eCommerce site, or a newsletter sign-up, there should be an “I agree…” button on the checkout that seeks users’ permission for the collection, use and storage of their data.
- You must also provide information on how users can get a copy of the data held or, if preferred, how to request that any such data is deleted or destroyed. This is more difficult and unfortunately, there are no easy “automated” solutions, because data is typically spread across multiple systems and multiple databases. Therefore, it will likely take time, and therefore cost, to process these kinds of requests. It is unclear how often such requests are likely to arise, but you could simply ask the user to contact you for further information. At that stage, you could consider how best to proceed, though the cost of such an exercise will be on the website owner’s shoulders. If you do receive a request, please get in touch with us to find out how we can best assist you.
There are other considerations in addition to the above, but as a website owner, if you focus on these aspects first, you will probably be ahead of the game. You might think it’s another set of bureaucratic rules – and you’d be right! Nevertheless, it’s also considered to be the first set of legislation in a new “battle” on privacy, thanks to a lot of “rather shady” business practices by the larger companies out there (who I am not going to name here as I will probably get sued but we all know who you are Facebook!) – now we are all getting the heat as a result of data breaches and immoral business practices.
As a small business, I understand the value of being responsive and available to customer requirements and requests, and thankfully, most of the above concerns are already addressed whenever we build a website. As a service provider, we also do our utmost to deliver a safe and secure service to our clients and, in turn, to their customers. This includes providing a range of security-related products and services: secure websites with SSL certificates, secured web hosting and, wherever possible, encrypted communications.
However, as a small business, you can only do your best! Most of the time, that is perfectly fine, but on the odd occasion that someone decides to pick fault with that – it’s good to know you’ve done your homework and implemented what you needed to try to ensure maximum compliance.
In this respect, if you would like to further discuss any of the above, please get in touch with us so that we may assist you with a website and data security audit, and create a compliance plan with you.