What is the GDPR?
The GDPR (General Data Protection Regulation) becomes law in May 2018 – it’s the EU replacement for the DPA (Data Protection Act). It’s a law, not just guidance, and it’s going to affect a huge number of businesses, partly due to the fact that it contains a much more precise definition of “personal data” than the DPA – even including IP addresses. Does your website have a contact form? Do you use a CRM system? Do you store contact or customer data in any form? The vast majority of business owners need to be aware of their obligations under the new law. If you haven’t done anything to prepare for it, you need to start now.
Here are 10 things you need to know:
Brexit won’t affect your duties
Although the UK is leaving the EU, the Great Repeal Bill means that it will also be adopted into UK law in 2019, so it’s here to stay. Even if it’s rewritten after Brexit, it’ll still apply to the data of any EU citizens (regardless of where that data is actually processed), so unless you’re planning to somehow hide your website from the EU and refuse to do business with its citizens, you’ll still need to comply.
You need to seek “active consent”
It’s not enough to allow people to opt out of your marketing communications – you need to actively seek their consent, and you need to be able to document how and when they gave consent.
You need to allow consent to be revoked (the “right to be forgotten”)
People need to be able to opt out at any time, and if they do, you need to completely remove their details from your systems, including backups. This could be a major undertaking, and you’ll need to know exactly where data is stored including any backups and copies.
You need to obtain parental consent
…to process personal data belonging to under 16s, and you need to have in place some kind of age verification so that you know when you are dealing with data relating to a minor.
You need to be explicit about what data will be used and how
When you obtain consent, you can’t say that it’s going to be used for one purpose and then use it for another. You must clearly state what data will be used and how you’ll use it at the point of consent.
You need to be careful if you’re purchasing third party data
There’s nothing to prevent you from using data you purchased – as long as it’s compliant. In real terms, this means you shouldn’t use it unless you’ve got proof of consent, and that consent either includes the name of your company or a clear description of what it does and how it uses the data. Generic “this data may be used to notify you of third party offers” disclaimers are unlikely to cover your use of a list, and the onus is on you to check that the data is compliant (so just trusting that the data supplier is compliant is not sufficient). For more information on this, read the ICO guidance: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/using-marketing-lists/
You may need to employ a Data Protection Officer
Larger companies processing large amounts of data will be legally required to appoint a Data Protection Officer (see ICO guidance for specific information: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/). It may also be a good idea for smaller businesses, depending on circumstances.
You need to report breaches
If your data is breached, you must make a report within 72 hours to the Data Protection Authorities, and you may need to notify the individuals whose data has been compromised. A breach is defined as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. You can read more about reporting requirements here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/
You need to comply
If you don’t, the maximum fine is 20 million Euros or 4% of your company’s annual global turnover, whichever is higher. Yes, those numbers are correct.
You may need to switch suppliers
Even if you’re not doing the actual processing – e.g. if you’re using a third party to send newsletters or collect form data – you’re still responsible for making sure you deal with compliant suppliers (known as “processors”). Make sure your suppliers are going to be compliant by the 25th May, and if they’re not, you’ll need to start shopping around for an alternative.
The ICO’s overview of the GDPR is essential reading and will give you a much greater understanding of your obligations. Bookmark it now!