If you are a business owner or even just a regular employee, then you will likely have already heard quite a bit about GDPR. These new regulations are all over the media right now, as companies of all sizes rush to ensure that they are fully compliant before the 25th of May. With such a large piece of legislation coming into force, though, it can be tricky to get your head around just what GDPR will mean for your business. Fortunately, that is where we come in. As a web design studio, we have been working hard to bring all of our clients’ sites up to speed, and therefore know more than most about what GDPR means in practice. To help you understand the matter a bit better, we have put the following article together, which explains the main elements of GDPR. Read on, and you will discover how these regulations will directly affect your organisation, and the steps you need to take to remain within the law.
Ensure That Everyone is Fully Aware Of the Necessary Changes
The first thing to do with GDPR is to make sure that all of the core members of your team are fully up to speed with the changes in the law. After all, if a key decision maker is not aware of how these new regulations will directly affect your business, then they could well end up making mistakes which prove extremely costly in the long run. You should begin by taking a long, in-depth look at your current policies on customer data and consider precisely where you need to focus your compliance efforts. It may be that you only have some small changes to make; alternatively, it could be a time-consuming process to bring your company into line with GDPR, which is all the more reason not to leave things until the last minute.
Keep Your Data Records Accurate and Easy to Access
One of the key aims of GDPR is to make things more transparent about what data companies hold on individuals, and who they share that data with. For that reason, you will need to start keeping detailed, easily accessible records about the personal data you process. These records should cover not only the data itself but also where you obtained it from, why you hold it, and where it might end up. Businesses are also required to take reasonable steps to ensure that all the information they hold on individuals is accurate and up to date. If you find that some information is incorrect and you have already passed it on to another organisation, you will now need to get in touch with them so that they can update their records accordingly, unless doing so proves impossible or involves disproportionate effort.
Review Your Privacy Policies
There is a lot of overlap between GDPR and the existing Data Protection Act, but one crucial area where they differ is privacy notices. Whenever you collect personal data about an individual, you already need to tell them who you are and how you might use the information that they are giving you. Under GDPR you will also have to state the lawful basis you are relying on to process that data, tell people how long you will keep it on record (whether a fixed period or indefinitely), and point them towards the Information Commissioner’s Office (ICO) if they want to complain about how their information is being used. You cannot hide this information in complicated language, either: it all needs to be as clear and concise as possible.
Know Your Rights, and Your Users’
Individuals already have the right to access the data that you hold about them, to be informed about how it is used, and to ask for it to be erased; GDPR keeps and strengthens these rights. One right that is new under GDPR is so-called “data portability”. This means that users can ask for the data they have provided to you in a structured, commonly used, machine-readable format (CSV or JSON, for example) so that they can pass it on to another company in full. They are also entitled to ask you to send it to the other company directly, where that is technically feasible. The right covers data they supplied to you that you process by automated means on the basis of their consent or a contract. You will need to be careful when preparing such an export, as it may contain information about other people, and passing that on to another organisation could infringe upon their rights.
Be Clear on Consent
Possibly the biggest change that you will have to make under GDPR is the way in which your users consent to having their data used. From the 25th of May onwards, you will no longer be able to rely on pre-ticked boxes, where consent is assumed unless the user unticks it. Instead, individuals have to give their consent through a clear, affirmative action. Tick boxes can still be used, but they must be unticked by default, each distinct purpose needs its own box, and consent to data use must be separate from agreeing to your terms and conditions. Withdrawing consent must be as easy as giving it. You will also have to be able to demonstrate that an individual consented: record who consented, when, what they were told, and how they indicated their agreement. Since this is a particularly crucial part of GDPR, it is probably best for you to let the professionals take care of updating your consent methods on your behalf.
Make Subject Access Requests a Priority
Right now, organisations have up to 40 days to comply with a subject access request, and may charge a £10 fee for doing so. With GDPR, that timeframe is cut to one month, and in virtually all cases you will have to provide the information free of charge. Where a request is manifestly unfounded or excessive, you may charge a reasonable fee or refuse it, but you will need to be able to justify that decision if challenged. If you refuse, you still need to tell the individual within the month, explain why, and inform them that they can complain to the ICO. For complex or numerous requests the deadline can be extended by up to two further months, provided you tell the individual within the first month that you are doing so.
Should your organisation receive many legitimate access requests at once, then it might prove difficult for your staff to keep on top of them all. Regardless of how many requests need to be processed, you still have only a month to respond to each one in full. You might therefore want to consider setting up an online system that lets users see the personal data you hold on them without any input from your end. Such a system must verify that the person using it is the data subject (or someone authorised to act for them) before it shows anything, since handing one person’s data to another would itself be a breach.
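The last three points (a portable, machine-readable export that leaves out other people’s data; consent that is unticked by default, separate from the terms and provable afterwards; and a self-service view of what you hold) can be illustrated together in one small piece of code. The following is an added example written for this article, not code from our studio’s client sites or from any product. The in-memory store, the field names, and the THIRD_PARTY_FIELDS tag that marks profile fields describing someone other than the user are all assumptions made for the illustration; a real site would apply the same checks against its own database schema.

```python
"""Consent ledger and per-individual data export (added example, not the
studio's own code). The store, field names and the THIRD_PARTY_FIELDS schema
tag are assumptions made for this illustration."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, kept as evidence of who agreed to what, when and how."""
    user_id: str
    purpose: str          # one purpose per event, so consent stays granular
    granted: bool         # False records a withdrawal
    policy_version: str   # which privacy notice wording the user saw
    form_text: str        # the exact statement shown next to the tick box
    source: str           # where it was captured, e.g. "signup-form"
    recorded_at: str      # ISO-8601 UTC timestamp


class ConsentLedger:
    """Append-only log of consent events; the latest event per purpose wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool, policy_version: str,
               form_text: str, source: str, *, default_checked: bool = False,
               bundled_with_terms: bool = False) -> ConsentEvent:
        # Reject capture methods that do not count as consent under GDPR:
        # a pre-ticked box, or a box that also accepts the terms and conditions.
        if default_checked:
            raise ValueError("consent box must be unticked by default")
        if bundled_with_terms:
            raise ValueError("consent must be a separate choice from accepting the terms")
        event = ConsentEvent(user_id, purpose, granted, policy_version, form_text,
                             source, datetime.now(timezone.utc).isoformat())
        self._events.append(event)  # never edited or deleted: the history is the proof
        return event

    def withdraw(self, user_id: str, purpose: str, source: str) -> ConsentEvent:
        # Withdrawing must be as easy as consenting; it is simply another event.
        return self.record(user_id, purpose, False, "n/a", "consent withdrawn", source)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        latest = None
        for event in self._events:
            if event.user_id == user_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.granted

    def events_for(self, user_id: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.user_id == user_id]


# Assumed schema tag: profile fields that describe someone other than the user.
THIRD_PARTY_FIELDS = {"emergency_contact", "referred_by"}


def build_export(profile: dict, ledger: ConsentLedger, recipients: List[str]) -> str:
    """Machine-readable export for one individual: the data they provided, who it
    was shared with, and their consent history. Fields about other people are
    withheld (and listed as withheld) rather than handed on to a third party."""
    user_id = profile["user_id"]
    personal = {k: v for k, v in profile.items() if k not in THIRD_PARTY_FIELDS}
    withheld = sorted(k for k in profile if k in THIRD_PARTY_FIELDS)
    document = {
        "subject": user_id,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "personal_data": personal,
        "withheld_fields": withheld,
        "shared_with": recipients,
        "consent_history": [asdict(e) for e in ledger.events_for(user_id)],
    }
    return json.dumps(document, indent=2, sort_keys=True)


def demo() -> dict:
    """Constructed sample run; returns the parsed export so it can be inspected."""
    ledger = ConsentLedger()
    ledger.record("u42", "newsletter", True, "privacy-v3",
                  "Yes, send me the monthly newsletter by email.", "signup-form")
    ledger.record("u42", "analytics", True, "privacy-v3",
                  "Allow usage analytics.", "signup-form")
    ledger.withdraw("u42", "analytics", "account-settings")
    profile = {  # constructed sample data, not a real person
        "user_id": "u42",
        "name": "Alice Example",
        "email": "alice@example.invalid",
        "emergency_contact": {"name": "Bob Example", "phone": "0141 000 0000"},
    }
    recipients = ["MailProvider Ltd (newsletter delivery)"]
    return json.loads(build_export(profile, ledger, recipients))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The export lists the withheld fields by name so the individual can see that something was left out and why, and the consent history travels with the data so both the user and any recipient can see what was agreed to and under which wording.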
Know Where You Stand When Processing Data
Take Steps if You Process Children’s Data
Currently, children are covered by the same data protection laws as adults. Under GDPR they gain specific protections in how their data is collected and used. If your site offers “information society services” (online services) directly to children and relies on consent as the lawful basis, then for children under 16 you need consent from the holder of parental responsibility, and you must make reasonable efforts to verify it. That being said, the UK government is currently proposing to lower this age to 13. Regardless, if your company collects any data about children, you will need to be able to show that parental consent has been given where required, and your privacy information must be written in language that a child can understand.
Be Prepared to Tackle Data Breaches
For any company that collects data about individuals, data breaches are a serious threat and should not be treated lightly. Instead of simply hoping that this will not happen to you, every organisation needs to think hard about how it will detect and deal with any breach that does occur. From now on you will need to report a breach to the ICO, within 72 hours of becoming aware of it, if it is likely to result in a risk to individuals’ rights or freedoms: for example, where confidential information has been exposed or the people affected could suffer financial loss. If that risk is high, you will also have to inform the affected individuals directly, without undue delay.
Of course, when you are rushing to handle a data breach, you may find it difficult to decide whether you need to inform the ICO or the users themselves. Rather than waiting until things go wrong, set out the criteria in your data breach policy beforehand, and keep an internal record of every breach, including those you decide not to report and why. Make sure that you can detect a breach quickly, too: the 72-hour clock starts when you become aware of it, and failing to take the right action can result in a fine.
Prioritise Data Protection in Every Project
Whenever you are going to handle individuals’ personal data, make your data protection policies a key part of the project right from the start. GDPR turns this “privacy by design” approach into a requirement: rather than leaving such measures until the final stages of a project, you have to be able to demonstrate that you considered data protection and built it in from an early stage. Where the processing is likely to result in a high risk to individuals, such as where new technology is used or where people are systematically monitored or profiled, you will also have to carry out a Data Protection Impact Assessment (DPIA). If the DPIA shows a high risk that you cannot reduce, you must consult the ICO before the processing begins.
Consider Registering a Data Protection Officer
Now that data protection is such a crucial concern, you will want to make sure that there is someone within your organisation who is responsible for it. It will be their task to check that your policies are GDPR-compliant and to work with key decision-makers wherever personal data is involved. In most cases this can be an informal role, but in some instances you must formally appoint a Data Protection Officer, publish their contact details, and notify them to the ICO. Public authorities must do so, as must any company whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health information) or data about criminal convictions. You do not necessarily have to appoint someone inside your company: an external advisor can fill the role, and whoever does it must be able to report independently to your senior management.
Multinational Companies Take Note
Finally, GDPR is not limited to the UK; it applies across the EU, and so demands special attention if your organisation operates in more than one member state. In that case you need to identify and document your “lead supervisory authority”: the data protection authority of the member state where your main establishment is located, meaning your central administration or the place where decisions about processing are made. If that is the UK, the ICO is your lead authority and you can simply follow the steps above. If it is elsewhere in the EU, that country’s authority takes the lead on cross-border matters, and you will have to follow its guidance as well as any national variations in the member states where you operate, such as the age at which a child can consent.
GDPR is Complicated, but Soapbox Will Guide You Through
On the more technical side of things, our team can also set up an SSL/TLS certificate for your site. This encrypts data in transit between your visitors’ browsers and your server, so that it cannot be read or tampered with on the way; it does not protect data already stored on the server, so it reduces the risk of a breach rather than removing it. Finally, to allow individuals to access their data easily, we will structure your site’s database so that a single person’s records can be exported as one file in a machine-readable format. All you have to do is send that export along, and they will have everything that they need.
So, don’t get caught out with the new GDPR laws. Instead, let us take care of all the hard work for you, and keep your website fully up to date. Call us today on 0141 429 1356, or pop in for a cup of coffee and a chat to discuss your options.