You’re probably hearing more and more about the GDPR and the compliance that’s necessary from 25th May 2018 onwards. There are a few things you’ll need to know before then; if your organisation is not complying after the deadline, you could be served with a fine.
The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
Disclaimer: The information in this article is for general guidance only and does not constitute legal advice. We will work with you to meet the deadline for compliance but it is your responsibility to make sure you understand the changes and what your responsibilities are.
So what’s changing?
There are a number of new rules being brought in with the GDPR. The key ones are:
- If you store personal data, an individual has the right to access that data and to information on how it’s being used. There are a few exceptions, but essentially you will need to provide this data free of charge, within 30 days of a request being made.
- Individuals have the right to change their personal data if it’s incomplete or inaccurate.
- Individuals can request that you remove their personal data if they withdraw consent, if it was used unlawfully, or if there is no continued reason for it to be used.
- Individuals can request that you do not use or process their personal data; this still enables you to store it.
- The GDPR will be tougher on data breaches, and you will need to have a procedure in place to detect and deal with any breach. Every data breach needs to be documented, even if the ICO, the relevant supervisory authority or the individual has not been notified.
The GDPR affects anyone who stores or processes data about EU citizens. The Information Commissioner’s Office (ICO) breaks this down into two categories: Data Controllers and Data Processors.
What is a data controller?
A data controller is the party that collects the data and is responsible for how it is processed.
What is a data processor?
A data processor stores the data on behalf of the data controller. With a website or application, this will typically be your hosting company.
If your website or application is hosted with adigi and you’re collecting and storing data via that website, our hosting supplier (UK Fast) will ensure that data protection compliance is fully integrated into any data processing activities that they are responsible for.
If you have access to any data processed through your website (e.g. contact form submission emails, Content Management System access or integration with third-party systems), you are also responsible for that data and for how it is used, processed and stored by any other systems you use in your business.
It will be your responsibility to audit your internal processes for handling data and who has access to that data.
What you need to do by 25th May 2018
- Make sure your Privacy Policies are up to date and presented in a clear and concise manner. You should include the following information:
  - Details on how long you retain data for (if applicable)
  - Clear information on an individual’s rights, e.g. an individual has the right to complain to the ICO if they have any concerns regarding how you’re handling or collecting data
  - Information explaining your lawful basis for processing personal information
  You can find out more information about this on the ICO’s website.
- Make sure your privacy policies are easily accessible, e.g. via a link in the footer.
- If you are capturing data on behalf of, or sharing data with, third parties, you must make this clear and name which third parties you’re passing data to.
- Review any data protection compliance you need to undertake to cover the processing and use of data away from your website. If necessary, appoint or assign a Data Protection Officer (DPO), who is responsible for your business’s data protection compliance.
- Depending on what data you’re capturing, how much data you’re storing and what it’s being used for, you may wish to include a popup or notification bar on your website that tells your visitors that your policies have been updated, asking them to review this information as necessary.
- Make sure you are using opt-in, rather than opt-out, wherever you are capturing email addresses for marketing purposes.
If you do any form of email marketing, you will need to make sure that the subscribers on your mailing list still wish to receive emails from you, unless they have already given consent and you hold a record that proves the consent they provided.
The easiest way to do this is to send an email out to all your customers asking them to confirm their subscription.
If you have enough evidence to prove GDPR compliant consent, you don’t need to do this.
If you use our email marketing systems, any subscriber data imported into your lists is logged with the date, time and method of consent, but for any data you’ve imported yourself, you still need to be able to provide evidence of consent should an individual request it.
If in doubt, our advice is to re-validate your subscriber data as described above.
What should I do next?
Once you’ve reviewed this information and have decided what changes you need to make, please get in touch to discuss any amends to your website or email marketing strategy as necessary.
The ICO has provided a checklist so you can make sure you are ready for GDPR. We recommend that you refer to this, in addition to the information we have provided here.