IMPORTANT NOTE: Unlike some companies who have written about this topic recently, we are not running a GDPR course, and so we will not be exaggerating the issues to scare you into parting with your cash. This is merely an advisory post for Designer Websites clients, many of whom have been asking us about the new law that will soon be in effect.
If you're a business owner, odds are you've already heard about the General Data Protection Regulation (GDPR) that will soon be in effect throughout the European Union. This new regulation is fairly complex, and many different claims are being made about it - not all of them accurate.
With that in mind, we want to do what we can to help you understand the new laws and what they mean for your business, particularly your website. You've probably got a lot of questions about the GDPR, and today we're going to attempt to answer some of them.
Please note that this post is for informational purposes only and should not be mistaken for professional legal advice. Designer Websites Ltd will not be held responsible for any other organisation's failure to comply with the GDPR or any other piece of legislation.
- What is the GDPR?
- When will the new law take effect?
- Where does the GDPR apply?
- Why does my organisation need to be GDPR compliant?
- Who is responsible for ensuring that my organisation is compliant?
- How can I make sure I'm ready for the new law?
- What steps do the ICO recommend?
- Are Designer Websites GDPR compliant?
- Do I need to do anything about my website?
- Can Designer Websites help with GDPR compliance?
- Useful links
1. What is the GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation that aims to improve data protection for individuals within the European Union. The regulation will give individuals more control over their personal information and how it is used.
Under the GDPR, organisations that process people's personal data will be expected to keep that data secure, be transparent about its use, and report data breaches promptly when they occur.
Here in the UK, the new data protection law will be enforced by the ICO (Information Commissioner's Office). An in-depth guide to the GDPR can be found on their website.
2. When will the new law take effect?
The GDPR was adopted in April 2016, but it is not yet in effect. It will be enforced from 25 May 2018 onwards. Your organisation will need to be compliant with the new law by that date.
3. Where does the GDPR apply?
The GDPR is an EU regulation, and thus it will apply to all EU member states. This will include the United Kingdom, even after Brexit.
The GDPR also applies to any organisations who process the personal information of individuals within the EU. For example, Facebook and LinkedIn are both based in the USA, but since they hold personal data on EU citizens and residents, these companies will be expected to comply with the new regulation just as if they were based inside the EU.
4. Why does my organisation need to be GDPR compliant?
Once the new law is in force, your organisation will be required by law to comply with the General Data Protection Regulation. After 25 May, if you are found to be in violation of the GDPR, you will be breaking the law, and may thus be subject to a number of sanctions.
That said, the ICO have made it clear that they view fines as a last resort, and will only use them to punish companies who "systematically fail to comply with the law or completely disregard it". Information Commissioner Elizabeth Denham has stated the following:
"The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR...we intend to use [our increased] powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand...the GDPR gives us a suite of sanctions to help organisations comply - warnings, reprimands, corrective orders." [source]
So don't panic when you see people using scaremongering tactics and telling you that you'll be fined millions of pounds if you aren't GDPR compliant by 25 May - this is simply not true. The important thing is that you're making a reasonable effort to comply by being transparent about your data collection practices and keeping people's personal information secure.
5. Who is responsible for ensuring that my organisation is compliant?
Short answer: you are. If it's discovered that your organisation is not complying with the GDPR, it's your organisation that will be held to account.
The long answer is a little more complicated. The new regulation makes the following distinction between what the EU call 'controllers' and 'processors':
- Controllers determine the 'purposes and means' of processing personal data (e.g. if you collect information about your customers and use that information to either communicate with them or make decisions about them, then you are a controller).
- Processors are the ones who actually handle the data on behalf of a controller (e.g. companies like Sage, Salesforce, Infusionsoft and MailChimp are processors because they provide a service that involves processing data on behalf of controllers).
It is quite possible that you are a controller and a processor of some personal data.
Both controllers and processors have some responsibilities under the GDPR. Processors must keep accurate records of the data itself and of processing activities; they are responsible for keeping people's personal data secure, and will be held legally liable in the event of a breach. However, controllers may also be held liable if they use a processor without ensuring that the processor is GDPR compliant.
Since virtually all organisations process some personal data themselves - even if it's just their own employee records - nobody will be off the hook when the GDPR comes into force on 25 May. So now let's answer the most important question of all...
6. How can I make sure I'm ready for the new law?
The most important thing is to demonstrate that your organisation has made a reasonable effort to comply with the GDPR and protect the rights of the individuals whose personal data you store and/or process. As you've already seen, the Information Commissioner's Office will only be issuing fines to the very worst offenders - they're more interested in helping businesses to understand and comply with the new law so that individuals' rights are protected as well as possible. In fact, if this whole thing has you feeling completely lost, you may want to make use of the ICO helpline (open 0900-1700, Mon-Fri).
So what exactly will you need to do from 25 May onwards? Well, the right approach will differ from one organisation to the next, but here's a good rule of thumb: before you collect or process someone's personal data, make sure you...
- Have a clear reason - and a lawful basis - for doing so. Know why you're collecting other people's information, and know whether that reason is defensible in the eyes of the law. Under the GDPR, there are 6 valid legal reasons for organisations to collect personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Details on all 6 lawful bases can be found here; for the majority of businesses, the most applicable basis will either be consent (the individual consented to you collecting and processing their information) or legitimate interests (you have a valid business reason for collecting the data, and you are not infringing on the personal rights of the individual).
- Are only collecting what's necessary. You should only ever collect/process personal data if it is necessary to your stated goal. For instance, you might reasonably collect a customer's name and contact details so that you're able to reach them, but that's no reason to also collect information on their race, nationality, date of birth, etc.
- Know how long you will be holding on to that data. The GDPR doesn't allow organisations to keep people's personal information indefinitely without a reason. Once you know why you're collecting personal information (see first point), you should also assess how long you'll need to keep the data in order to meet that goal. This doesn't necessarily need to be a specific number of days or months - it could just be 'for as long as that person remains a customer' or 'until that person unsubscribes from our newsletter'.
- Will be able to keep this data secure. This may mean installing security software or making organisational changes to ensure that only authorised personnel are able to access the collected information.
- Will be able to respect the individual's rights to access and erasure. Under the GDPR, individuals have the right to view all personally-identifiable information that an organisation holds on them. In addition, they usually have the right to request that this information be deleted. Ensure that your data subject(s) will be able to make these requests, and that you'll be able to honour them in a timely manner - requested information will need to be supplied within 1 month of receiving the request, and while there are certain circumstances under which you can refuse to delete personal data (see 'When can I refuse to comply with a request for erasure?'), you will generally need to comply with deletion requests as quickly as possible too.
7. What steps do the ICO recommend?
The ICO have put together a helpful list of 12 steps that organisations should take ASAP in order to prepare for the General Data Protection Regulation. By now, you hopefully have a reasonably clear idea of what your responsibilities will be under the new law, but if you're not sure what actions you now need to take, this list is a great place to start.
So let's go through the 12 recommended steps in a little more detail:
1) Make sure everyone's aware of the new law.
Speak to the key decision-makers within your organisation and ensure that they understand the new law and what it requires of them.
2) Document all personal data you currently hold.
You probably already have at least some personal data on record. Now is a good time to review:
- What data you hold
- Where it came from
- Whether you still need it
- How you're using it
- Who has access to it
- Whether you have a lawful basis for keeping it
An information audit may help with this step.
4) Make it easy for individuals to make information requests...
As we've already covered, data subjects have the right to know what information you have on them. Try to make it as easy as possible for data subjects to submit information requests - for instance, you might put a contact form on your website for this purpose, or set up a dedicated email address for right of access requests.
Larger companies may choose to provide an automated, self-service system that allows their customers to view, update and delete their own personal information. However, developing a tool like this would probably be overkill for small/medium-sized businesses who do not expect to receive many requests.
5) ...and ensure that you're able to respond to these requests.
In addition to the above, you need to make sure that your systems allow you to quickly retrieve and, if necessary, delete people's personal information when they request it. Ensuring that this can be done in a timely manner will help you to comply with the GDPR, and it will save you valuable time if and when a request is submitted.
6) Identify a lawful basis for your data collection / processing.
Remember, there are 6 lawful bases for processing data - make sure you understand them, and identify which one applies to your activities. Bear in mind that you can't switch to a different basis later (e.g. if you collected a customer's contact details on a 'consent' basis because they agreed to receive promotional information from your organisation, you cannot use those details for other purposes on the basis of 'legitimate interests').
Your choice of lawful basis should be documented in your privacy notice - see step 3.
7) Check how you establish consent.
If you collect people's personal data on a 'consent' basis (see above), you need to:
- Give individuals a clear way to give - or withhold - consent
- Make it clear what individuals are consenting to
For instance, if there is a form on your website that requires people to enter their contact details, you need to be EXPLICIT about what you plan to do with those contact details. If you're going to send promotional emails, say so. If you plan to share the individual's details with your partner companies, make this clear.
Consent should never be the default option. Here's something you've probably seen quite often on the Internet:
☐ Tick this box if you do not wish to receive promotional emails from us.
In this example, users are automatically consenting to receiving emails until they tick the box. Under the GDPR, this sort of thing will not be allowed - the message above would need to be changed to 'Tick this box if you wish to receive promotional emails from us' or something similar. Make sure you're ASKING for consent instead of giving the option to withdraw it.
8) Think of the children!
Children under the age of 13 cannot legally consent to the collection and processing of their own personal data. A parent or legal guardian must consent on their child's behalf.
If you think that children may interact with your organisation, it may be necessary to implement some kind of age verification system on your website and/or set up a simple way for parents and guardians to consent to data processing activities.
9) Know how to respond to a data breach.
If a security breach allows unauthorised personnel to access the personal data that you hold, you will be expected to respond to the breach properly. Make sure you have an established procedure in place for detecting, reporting and investigating data breaches. (Remember, if you're based in the UK, breaches must be reported to the ICO within 72 hours.)
10) Familiarise yourself with the guidelines.
You're already reading up on the General Data Protection Regulation, but now is also a good time to familiarise yourself with other relevant guidelines, especially the ICO's code of practice for conducting privacy impact assessments.
11) Designate a data protection officer.
While everyone in an organisation has a role to play in keeping data secure and complying with the law, you should appoint (formally or informally) a data protection officer to take overall responsibility for compliance and security.
12) Determine your lead data protection supervisory authority.
If you solely operate within the UK, your data protection supervisory authority is the ICO (Information Commissioner's Office). If you hold information on individuals in other EU member states, you should identify the authorities for each of those countries and determine which is the 'lead' authority for your organisation.
8. Are Designer Websites GDPR compliant?
Yes, we are. In fact, we have always been compliant; from the very beginning, we were always extremely careful to store / process customer and staff details securely.
When an enquiry is submitted via our website, we do not store the submitted information in a database - we simply receive an email containing the content of the submitted form. These emails are deleted after 12 months.
9. Do I need to do anything about my website?
As stated earlier, all businesses - and all business websites - are different. We can offer some general guidance to help you ensure that your website is GDPR compliant, but please remember that it is your responsibility to familiarise yourself with the new law and ensure that every part of your organisation is following it.
With that said, we recommend the following:
- Stop making consent the default option. If you use pre-ticked checkboxes on your web forms (or require the user to tick a box to opt OUT of something), you will need to stop doing this before the GDPR comes into force. Ensure that users cannot consent to anything through a lack of action - for instance, users should have to tick a box when they DO wish to be added to your mailing list, not when they want to be kept off it.
- Make sure you have consent for any data you already hold. If you have collected people's personal details in the past, you should make sure they are still happy for you to keep hold of them. For example, you may need to make it easier for people to unsubscribe from your mailing list if they no longer wish to be on it.
- Ensure that people are able to view and delete their personal information. As we mentioned earlier, you may wish to set up an automated system that allows your customers to manage their own personal data, but a contact email address is sufficient if you're not expecting a lot of requests. Just make sure that anyone looking to access their personal data has a clear way to do it.
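To show what the three recommendations above look like on the server side of a website enquiry form, together with the data-minimisation and retention points from section 6 and the opt-in checkbox from step 7, here is an added example. It is not code from the original post or from Designer Websites. It is written in JavaScript for Node; the function names (createEnquiryStore, submit, withdrawMarketing, subjectAccess, erase, purgeExpired), the field names and the 365-day retention period are all assumptions, and it assumes the form is submitted as JSON (for instance via fetch()) so that the checkbox state arrives as a boolean.

```javascript
// Added example (not from the original post): an in-memory store for a website
// enquiry form that never treats silence as consent, records exactly what was
// consented to and when, answers access and erasure requests, and applies a
// retention period. All names and the retention period are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const ENQUIRY_RETENTION_DAYS = 365; // assumed: enquiry content is dropped after 12 months

// The wording shown next to the checkbox is stored with each consent so that you
// can later demonstrate what the person actually agreed to.
const MARKETING_CONSENT_TEXT =
  'Tick this box if you wish to receive promotional emails from us.';

function createEnquiryStore(now = () => Date.now()) {
  const records = new Map(); // keyed by lower-cased email address

  return {
    // Accept a submitted form. Only the fields needed to answer the enquiry are
    // kept (data minimisation); any other field in the submission is ignored.
    // Only an explicit `true` counts as consent. An unticked checkbox is absent
    // from a browser POST, so the absence of the field must map to `false`,
    // never to consent.
    submit(form) {
      const email = String(form.email || '').trim().toLowerCase();
      if (!email) throw new Error('an email address is required to reply to an enquiry');
      const consented = form.marketingOptIn === true;
      const record = {
        name: String(form.name || '').trim(),
        email,
        message: String(form.message || ''),
        receivedAt: now(),
        marketing: consented
          ? { consented: true, text: MARKETING_CONSENT_TEXT, givenAt: now(), withdrawnAt: null }
          : { consented: false, text: null, givenAt: null, withdrawnAt: null },
      };
      records.set(email, record);
      return record;
    },

    // Withdrawing consent should be as easy as giving it; the timestamp is kept
    // so that the withdrawal can be evidenced later. Returns false if there was
    // no live consent to withdraw.
    withdrawMarketing(email) {
      const record = records.get(String(email).toLowerCase());
      if (!record || !record.marketing.consented) return false;
      record.marketing.consented = false;
      record.marketing.withdrawnAt = now();
      return true;
    },

    // Right of access: return a copy of everything held about this person, or
    // null if nothing is held.
    subjectAccess(email) {
      const record = records.get(String(email).toLowerCase());
      return record ? JSON.parse(JSON.stringify(record)) : null;
    },

    // Right to erasure: remove the record outright. Returns whether anything was held.
    erase(email) {
      return records.delete(String(email).toLowerCase());
    },

    // Retention: enquiries older than the retention period are deleted unless the
    // person still has a live marketing consent, in which case only the enquiry
    // text is dropped and the contact details stay on the mailing list.
    purgeExpired() {
      const cutoff = now() - ENQUIRY_RETENTION_DAYS * DAY_MS;
      let removed = 0;
      for (const [key, record] of records) {
        if (record.receivedAt > cutoff) continue;
        if (record.marketing.consented) {
          record.message = '';
        } else {
          records.delete(key); // deleting during Map iteration is safe in JavaScript
          removed += 1;
        }
      }
      return removed;
    },

    size() {
      return records.size;
    },
  };
}
```

If the form is posted as a classic HTML form rather than JSON, the server must map the checkbox's presence in the body to `true` and its absence to `false` before calling `submit`; the checkbox itself must carry no `checked` attribute, otherwise the browser sends it as ticked by default and the store would faithfully record a consent the person never gave. Storing the consent wording alongside the timestamp is what lets you answer "what did this person agree to, and when?" if a subject or the ICO asks.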
10. Can Designer Websites help with GDPR compliance?
It is ultimately your responsibility to comply with the GDPR law, but if you need any help from the Designer Websites team then we will of course assist you wherever possible.
11. Useful links