GDPR Explained and Steps You Can Take Today
16th May 2018
You may be aware that the rules on data protection are changing. From 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. This article is intended to give a general overview of what GDPR is and some basic steps you might like to take to move closer to meeting your new legal obligations. As a small disclaimer, we are not able or qualified to provide legal advice and this article should be read with that in mind.
When Is GDPR Coming Into Force?
From 25th May 2018 new rules come into force regarding the storage of an individual's personal information. The new rules fall under what is called GDPR, which stands for the General Data Protection Regulation.
What Is Personal Data?
The first thing to be clear on is what exactly personal data is. Personal data is defined as anything which can be used to uniquely identify a person. This could be a name, telephone number or email address, or something more technical like an IP address (your internet connection's unique address). If you store this information, digitally or otherwise, you fall under the remit of the GDPR rules. So even if you only keep a paper list of customers' contact details, GDPR applies to you too.
Does Brexit Mean I Don't Have to Comply?
There is no clarity at present on this point. What is clear, however, is that the rules become law in the UK on 25th May, and even if they were to be abandoned in due course you must comply until that happens. From the information we have, it seems highly likely that these regulations will stay in place in the UK as they represent the highest standard of data protection. Even companies like Facebook intend to apply the GDPR rules to their users across the globe, even where those users are outside the jurisdiction of the EU. Another important point is that these rules must be followed by any company dealing with EU citizens. This means that even if you are based outside the EU, for example in the US, you must comply with these rules.
What are the New Rules on Data Protection?
The new rules are, as you would expect, fairly complex, but in overview the ones we're talking about are as follows:
If you hold any personal information, the new rules say you should only do so for one of the allowed reasons. If the data is kept for any reason other than one of the allowed reasons, you should not be storing it. We won't go into full detail of the different reasons, but the most common are 'Consent' and 'Contract'.
Consent
Consent essentially means you asked the person, told them what you wanted the information for, and they positively gave you the OK. For example, registering for a newsletter where you have provided a clear opt-in checkbox.
Contract
Contract applies where the personal information is collected as part of a contract you have with the individual, e.g. collecting the addresses of people who buy from your store.
How Do I Become Compliant?
The question everyone is asking us is how they become compliant with the new rules. The problem is that every business will have its own specific set of things it needs to do, depending on the different ways it collects and stores data and on its justification for doing so.
While we can't provide an exhaustive list of things to do to guarantee that you will meet all your legal requirements, here are some things you can do to at least show you have made efforts.
Add a Privacy Policy to Your Website
Your Privacy Policy should outline what information you collect and why you are collecting it. For example, if you save your customers' names and addresses, tell them this and say why. If you are unsure what to say about why, ask yourself the question 'why don't I delete this right now?'. If there is no reason not to, then you really should delete it there and then! If you find you have a reason not to delete it, that is the reason to put in your policy.
You should also mention who, if anyone, you share their data with. For example, if you use an external email marketing service like Mailchimp, you are effectively sharing your clients' information with them. You might, for example, say 'We share your email address and name with Mailchimp so we can send you emails relating to our services, such as current promotions'.
Ideally this document should be drafted by a legal expert. However, it is better to have something rather than nothing should a complaint ever be made against you.
Add Confirmation Tick Boxes to Forms
There are certain rules within GDPR about providing the individual with a formal 'opt-in' method, such as a tick box, when submitting a form. Depending on the reason you are collecting the information, the requirements will differ. However, an explicit tick box will demonstrate a clear 'opt in' to the data collection. This could, for example, be a message which says 'by ticking this box you accept our privacy policy'. Some argue this is not sufficient, so it may be wiser to go further and, next to the tick box, explain why you are collecting the information. For example, 'I consent for you to use the information I provide in this form to send me marketing messages such as your latest promotions'.
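As an added example (not code from the original article), here is how a newsletter sign-up form can carry the kind of purpose-specific tick box described above, together with the server-side check that only treats the submission as consent when the box was actually ticked and records exactly which wording the person agreed to. It runs under Node.js with no dependencies; the field names, the statement version and the sample submissions are assumptions made for this illustration.

```javascript
// Added example, not code from the original article.
// One consent statement per purpose; the version changes whenever the wording does,
// so a stored consent record can always be tied back to the exact text shown.
const CONSENT_STATEMENT = {
  purpose: "marketing",
  version: "2018-05-16", // assumed version label for this wording
  text:
    "I consent for you to use the information I provide in this form to " +
    "send me marketing messages such as your latest promotions",
};

// Escape text before placing it inside HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render the tick box unticked (no `checked` attribute), marked `required`,
// with the purpose stated beside it rather than a bare "accept our policy".
function renderConsentCheckbox(statement = CONSENT_STATEMENT) {
  return (
    `<label><input type="checkbox" name="consent_${statement.purpose}" ` +
    `value="${statement.version}" required> ` +
    `${escapeHtml(statement.text)}</label>`
  );
}

// `fields` is the parsed form body of the POST. Browsers omit an unticked
// checkbox from the submission entirely, so absence means "no consent".
function validateSubmission(fields, statement = CONSENT_STATEMENT, now = new Date()) {
  const email = typeof fields.email === "string" ? fields.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "invalid email" };
  }
  const ticked = fields[`consent_${statement.purpose}`];
  if (ticked === undefined) {
    return { ok: false, error: "consent not given" };
  }
  if (ticked !== statement.version) {
    // The box carried a different version than the wording currently shown
    // (stale page or tampered value); do not record it as consent to this text.
    return { ok: false, error: "consent given to outdated statement" };
  }
  return {
    ok: true,
    contact: { email },
    // The record keeps the purpose, the wording version and the full text,
    // which is what you need to show later what the person agreed to.
    consent: {
      purpose: statement.purpose,
      statementVersion: statement.version,
      statementText: statement.text,
      givenAt: now.toISOString(),
    },
  };
}

// Constructed sample submissions: one with the box ticked, one without.
console.log(renderConsentCheckbox());
console.log(validateSubmission(
  { email: "reader@example.com", consent_marketing: "2018-05-16" },
  CONSENT_STATEMENT, new Date("2018-05-25T09:00:00Z")));
console.log(validateSubmission({ email: "reader@example.com" }));
```

The value of the checkbox is the statement version rather than a plain "on", so a consent record stored from this form can be matched to the wording that was on screen at the time, and a submission that arrives with an older version is refused instead of being silently accepted.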
Secure Your Website
You can make the communication between your website's users and your website more secure using SSL security. This means that any personal information sent between the website and the user will be encrypted. Users will see a green or yellow padlock symbol next to your website's address in their browser. This not only helps you demonstrate that you are securing the data you collect, but can also reassure customers and act as a differentiating point when compared with your competitors. You can read more about this in our SSL Security blog article.
Inform Users About Cookies
Websites use cookies to enable the site to run smoothly. These cookies can count as 'personal information' depending on their use. You should ideally conduct a cookie audit and include information on the cookies used on your website in your privacy policy. All the websites we produce use some basic cookies, and if you use third-party add-ons such as booking systems and Google Analytics, many additional cookies will be set. We recommend at the very least mentioning the services you use and ideally itemising the cookies.
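As an added example (not code from the original article or from any add-on vendor), the following Node.js script shows the mechanics of the cookie audit suggested above: it takes Set-Cookie headers you have captured from your own site's responses, parses each one, classifies it as first- or third-party for your domain, works out whether it is a session or persistent cookie, and prints the lines you can itemise in a privacy policy. The captured headers, the host names and the booking add-on are constructed for this illustration.

```javascript
// Added example, not code from the original article.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    domain: null, path: "/", expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    switch (key) {
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "path": cookie.path = val; break;
      case "expires": cookie.expires = val; break;
      case "max-age": cookie.maxAge = Number(val); break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val; break;
    }
  }
  return cookie;
}

// A cookie is first-party when its domain is your site, a parent of it,
// or a subdomain of it; anything else was set by an embedded service.
function isFirstParty(cookie, siteHost, responseHost) {
  const d = cookie.domain || responseHost;
  return d === siteHost || siteHost.endsWith("." + d) || d.endsWith("." + siteHost);
}

// `captured` is a list of { responseHost, header } pairs collected by loading
// your own pages and noting the Set-Cookie headers returned by each host.
function auditCookies(captured, siteHost) {
  return captured.map(({ responseHost, header }) => {
    const c = parseSetCookie(header);
    const persistent = c.maxAge !== null || c.expires !== null;
    return {
      name: c.name,
      setBy: c.domain || responseHost,
      party: isFirstParty(c, siteHost, responseHost) ? "first-party" : "third-party",
      lifetime: !persistent ? "session"
        : c.maxAge !== null ? `${Math.round(c.maxAge / 86400)} days`
        : `until ${c.expires}`,
      secure: c.secure,
      httpOnly: c.httpOnly,
      sameSite: c.sameSite || "not set",
    };
  });
}

// Render the inventory as lines for a privacy policy draft.
function formatInventory(rows) {
  return rows.map((r) =>
    `${r.name}: set by ${r.setBy} (${r.party}), lifetime ${r.lifetime}, ` +
    `secure=${r.secure}, httpOnly=${r.httpOnly}, sameSite=${r.sameSite}`);
}

// Constructed sample capture for a site at www.example.com: the site's own
// session cookie, an analytics cookie on the parent domain, and a cookie from
// a hypothetical booking add-on hosted elsewhere.
const SAMPLE_CAPTURE = [
  { responseHost: "www.example.com",
    header: "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { responseHost: "www.example.com",
    header: "_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; Max-Age=63072000" },
  { responseHost: "booking.example-addon.net",
    header: "bk_pref=en; Path=/; Expires=Wed, 25 May 2019 00:00:00 GMT" },
];

for (const line of formatInventory(auditCookies(SAMPLE_CAPTURE, "www.example.com"))) {
  console.log(line);
}
```

Running the audit over a real capture also surfaces cookies that lack the Secure or HttpOnly attributes, which is worth fixing at the same time as writing them up, since a cookie that is sent in clear text undermines the point of adding SSL to the site.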
If you are an existing customer, you can visit our information about stored data page to find out what information we store on your behalf, which will help you when producing your privacy policy.
There's no doubt that GDPR adds an additional burden on businesses. However, despite the work it adds for us all, it should generally be welcomed, as these rules help to keep all our data secure. Huge fines can be applied to those who do not comply, although we expect these to be reserved for the largest companies. For smaller companies who don't have access to expensive legal advice, we recommend taking action now to meet your obligations as best you can, and not ignoring the new rules.
If you are an existing customer, please contact us for information about adding SSL to your website, upgrading your cookie declarations and adding a privacy policy page to your website.