Preparing for the General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at helping to strengthen data protection for EU citizens and residents both within the EU and the wider world.
Anyone who collects and processes personal data (defined by the GDPR as a Data Controller) will be required to comply with the new regulations.
The GDPR comes into effect on 25th May 2018.
Provable consent must be explicitly given to the data processor by the data subject before their data can be processed. Additionally, the data must only be used for the purposes for which consent has been given. For example, if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list.
Verifiable consent must be given by a minor’s parent or guardian before their data can be used.
Consent must be able to be withdrawn by the data subject at any time.
Under the GDPR a data subject has the right to erasure of their data. This means that if an individual asks you to remove their data from your systems, you have to comply.
The maximum sanction for non-compliance with the GDPR is £17 million or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater.
Does your website contain / offer any of the following?
• Customer contact forms to enquire about products or services
• Customers can buy products or services on your website
• Users can comment on blog posts or post to forums
• Your website monitors website visitors/traffic
• Users can sign up to a newsletter or subscription
• Customers can register and create a user profile of any kind
• You have any logging tools/applications running
If so, your website is processing personal data and you must comply with the GDPR, irrespective of your size or business sector.
The GDPR provides the following rights for individuals:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
Obtaining valid consent
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and granular. Vague or blanket consent is not enough.
• Be clear and concise.
• Name any third party controllers who will rely on the consent.
• Make it easy for people to withdraw consent and tell them how.
• Keep evidence of consent – who, when, how, and what you told people.
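The consent checklist above, together with the earlier points on purpose limitation (an enquiry is not a marketing opt-in), withdrawal and erasure, maps onto a small piece of record-keeping logic. The following is an added illustration written for this page, not code from the original text or from any particular product; the `ConsentLedger` class, the subject id `alice`, the purpose names and the notice version are all constructed for the example.

```python
"""Consent ledger (added illustration; hypothetical design, not the page's own).

Records who gave consent, when, how, for which specific purpose and which
privacy-notice wording they were shown, and refuses anything that is not a
positive, purpose-specific opt-in.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Wordings that signal blanket rather than granular consent (constructed list).
BLANKET_PURPOSES = {"", "all", "any", "everything", "all purposes"}


@dataclass
class ConsentRecord:
    subject_id: str            # who
    purpose: str               # what the consent covers (one specific purpose)
    given_at: datetime         # when
    method: str                # how it was obtained, e.g. "website_form_checkbox"
    notice_version: str        # what the subject was told (version of the wording)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record(self, subject_id: str, purpose: str, method: str, notice_version: str,
               opted_in: bool, pre_ticked: bool = False,
               when: Optional[datetime] = None) -> ConsentRecord:
        """Store evidence of consent; reject anything that is not a real opt-in."""
        if pre_ticked:
            raise ValueError("pre-ticked boxes are not valid consent")
        if not opted_in:
            raise ValueError("no positive opt-in was given")
        if purpose.strip().lower() in BLANKET_PURPOSES:
            raise ValueError("blanket consent is not enough; name a specific purpose")
        rec = ConsentRecord(subject_id, purpose, when or datetime.now(timezone.utc),
                            method, notice_version)
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only for an unwithdrawn consent covering exactly this purpose."""
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(subject_id, []))

    def withdraw(self, subject_id: str, purpose: str,
                 when: Optional[datetime] = None) -> int:
        """Mark consent withdrawn; the record is kept as evidence. Returns count."""
        stamp = when or datetime.now(timezone.utc)
        n = 0
        for r in self._records.get(subject_id, []):
            if r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = stamp
                n += 1
        return n

    def erase(self, subject_id: str) -> int:
        """Right to erasure: drop every record for the subject. Returns count removed."""
        return len(self._records.pop(subject_id, []))

    def evidence(self, subject_id: str) -> List[dict]:
        """The who/when/how/what trail for a subject, as plain dicts."""
        return [vars(r).copy() for r in self._records.get(subject_id, [])]


def contact_form_demo() -> dict:
    """Walk through the enquiry-form scenario from the text (constructed data)."""
    ledger = ConsentLedger()
    # Visitor "alice" (constructed id) sends an enquiry; the form's only ticked box
    # covers replying to that enquiry, nothing else.
    ledger.record("alice", "respond_to_enquiry", "website_form_checkbox", "notice-v3",
                  opted_in=True)
    out = {"can_reply": ledger.has_consent("alice", "respond_to_enquiry"),
           "can_market": ledger.has_consent("alice", "email_marketing")}
    # A pre-ticked newsletter box must be refused rather than recorded.
    try:
        ledger.record("alice", "email_marketing", "website_form_checkbox", "notice-v3",
                      opted_in=True, pre_ticked=True)
        out["pre_ticked_rejected"] = False
    except ValueError:
        out["pre_ticked_rejected"] = True
    # A separate, unticked-by-default box the visitor actively ticks is valid...
    ledger.record("alice", "email_marketing", "website_form_checkbox", "notice-v3",
                  opted_in=True)
    out["can_market_after_optin"] = ledger.has_consent("alice", "email_marketing")
    # ...and can be withdrawn at any time, leaving the audit trail intact.
    out["withdrawn"] = ledger.withdraw("alice", "email_marketing")
    out["can_market_after_withdrawal"] = ledger.has_consent("alice", "email_marketing")
    out["evidence_count"] = len(ledger.evidence("alice"))
    # An erasure request removes everything held about the subject.
    out["erased"] = ledger.erase("alice")
    out["evidence_after_erasure"] = len(ledger.evidence("alice"))
    return out


if __name__ == "__main__":
    for key, value in contact_form_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `withdraw` keeps the record and stamps it, so you can still show that consent existed and when it ended, while `erase` removes the subject entirely; which of the two applies depends on the request the individual actually makes.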
How can you make your website GDPR compliant?
Take a personal data audit
A personal data audit will help you to identify all of your data processors. List them as first party and third party data processors.
For each data processor consider the following:
• What is the reason you have the data?
• What is the data being used for?
• How are you storing the data?
• Is there a need to retain the data?
For each of the third party data processors, check their respective privacy policies and make sure that they are GDPR compliant.
12 steps to take now
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
4. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
5. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
6. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
9. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.