Is your business GDPR compliant?
On 25 May 2018 processing of personal data by organisations will have to comply with the General Data Protection Regulation (GDPR). This new EU regulation’s focus is the protection of personal data, i.e. data about individuals, and builds on existing data protection laws, setting out the responsibilities of businesses in relation to the personal data they collect, hold, transmit and otherwise use. Essentially it says, “If you want to offer your services or products to customers who are EU citizens, you better make sure you look after their personal data or else!”
NOT IN THE EU? BUT IT MAY STILL APPLY TO YOU!
The GDPR applies not just to organisations within the EU who process the data of individuals but also organisations outside the EU who offer goods or services to individuals in the EU, or who monitor the behaviour of individuals in the EU. Because the EU is a trading partner of most countries, the GDPR’s wider scope means it has implications for many businesses worldwide, and will effectively require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others. For example, if a company based in the United States, or another non-EU country, collects or processes personal data of any employee, prospect, customer, partner, or supplier that is based in the EU, that company will need to be compliant with the GDPR.
KEY FEATURES OF GDPR:
- Individual Rights Significantly expands the rights of individuals and what information they must be provided with regarding processing activities.
- Consent Must be confirmed by a statement or other clear affirmative action. You cannot assume consent or even use pre-checked website boxes.
- Data Protection Officer Might be obligatory. Requires expert knowledge of data protection law. Could be an employee or via a service contact.
- Privacy Privacy considerations must be built-in everywhere and only data strictly required for stipulated purpose can be used.
- Wider Scope Covers your business, plus those who process data for you – even outside the EU.
- Mandatory Breach Reporting Data controllers must tell local supervisory authorities, such as the ICO in the UK, within 72 hours of becoming aware. In serious breaches individuals must be informed.
- Data Portability Individuals now have the right to move, copy or transfer personal data – even to a competitor.
- Penalties Could be up to 4% of annual global turnover, or €20m, whichever is greater. You might be fined even if there is no actual loss of data.
TIPS TO MAKE YOUR WEBSITE GDPR COMPLIANT
- Take a personal data audit to help you to identify all of your data processors. List them all with either a 1 or a 3 to help you track which are first and which are third party data processors. And for each data processor consider what you are using the data for, where is the data being stored and whether you still need the data. For each of the third party data processors, check their respective privacy policies and make sure that they are GDPR compliant. If the third party is not yet compliant, contact them and find out if and when they plan on becoming compliant. In the unlikely situation where a third party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you should seek to replace them with a similar but compliant provider.
- Detail the personal data audit on your website’s privacy policy page. As we’ve already mentioned, a big part of GDPR is communicating to your users about how and why you’re collecting and using their data. So tell them. Be clear and concise and give them a way to request a copy of it or have it deleted if they wish.
- Strengthen the weakest links. During your personal data audit any weaker parts of your website should come to light. An example could be the non-compliant third party data processor as described above. Other examples could be insecure (unencrypted) email accounts or website traffic. Another example might be contact form submissions that have been saved to your website’s database. These have likely long since been acted on or replied to so they no longer need to be kept. Whatever the weak links are you should aim to strengthen or remove them.
- Employ or designate a Data Protection Officer (DPO). A DPO is an individual designated by the Data Controller to be responsible for monitoring internal compliance of the GDPR within the organisation. This could be a specifically trained employee or a position that is out-sourced.
To ensure your business’ website and emails are compliant, or for help to achieve this, then please feel free to contact i catching design Tanzania today.
(Resources: Sage UK, Fellowship Productions, GDPR Conference:Europe)