Later this month, new European GDPR regulations come into force, which will affect the way that you store and process the personal data of EU citizens. To be compliant, there are some important changes that you’ll need to make to your website.
Let’s start by reminding ourselves what GDPR is all about…
The EU’s General Data Protection Regulation (GDPR) is designed to give people more control over how organisations use their data. The regulations overlap with The Privacy and Electronic Communications Regulations (PECR), which cover the use of cookies and electronic marketing communications, e.g. email. The legislation affects any company that stores and processes the data of EU citizens. Each EU country has a different body overseeing compliance. In the UK, GDPR will replace the Data Protection Act 1998 and will be enforced by the Information Commissioner’s Office (ICO), which has the power to impose hefty penalties of up to €20 million or 4% of annual turnover (whichever is higher) on organisations that fail to comply with the rules. The fines also extend to organisations that suffer serious data breaches.
GDPR doesn’t just affect large companies. If you have a website or hold any personally identifiable information (including names, email addresses, phone numbers, etc.) for your clients, suppliers, partners and/or employees located within the EU, you have to be compliant. GDPR does not apply to non-personal or commercial data, e.g. sales@ email addresses.
In a nutshell, it means you have an obligation to:
- Be clear about the lawful basis upon which you are storing or processing the personal data of EU citizens and only use it for the purpose for which consent was given. There are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest).
- If you don’t have a lawful basis upon which to store and process personal data, you will no longer have the right to use it after May 25, 2018, and the data should be erased.
- Ensure you get (or, in the case of older data, have) agreement, in a GDPR-compliant format, from the EU individual for you to store the data and communicate (via privacy notices and help text) how you will process the data collected, including the rights of the individual to access, remediate or erase the data.
- If you are collecting personal data for more than one purpose, gain separate consent (unbundled and freely given) for each purpose and have a clear, audit-able process for recording (and storing) the date and method of consent.
- Only hold the data you actually need and only store it for as long as you need it.
- Keep the information secure and, in the event of a serious data breach, notify the ICO (or the applicable body in other EU countries) within 72 hours.
- If you process the data of under-18s, have systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity involving individuals under the digital age of consent (in the UK, the digital age of consent is 13; in other EU countries, it is 16).
For the purpose of this article, we have focused on the implications of GDPR for your website. Please be aware that you probably also store and process personal data in places other than your website, such as your email marketing software, CRM software, accounting software, payroll software, in offline printed formats and more. We strongly recommend that you familiarise yourself with your obligations under GDPR for data held elsewhere.
Let’s get started!