GDPR Compliance – are you covered?
Now that the GDPR compliance deadline of May 25th 2018 has passed, what does this mean for you?
What is GDPR?
The General Data Protection Regulation, or GDPR, is a significant and wide-ranging piece of legislation relating to technology and the internet.
Although it was decided by the European Parliament and the UK has chosen to leave the EU, it still very much applies to all businesses here.
The main points of GDPR concern the privacy rights of everyday users and the data they create online, and will affect businesses of all sizes because of its effect on how companies gather, store and look after their data. Under GDPR, companies will also need to give explicit notice when collecting the personal data of their customers. This means that consent will need to be explicitly given, and that companies will have to detail the exact purpose for which customers’ data will be used. This personal data will also need to be encrypted by default as part of a process known as pseudonymisation, meaning that it can’t be linked to a specific person without being accompanied by extra information.
Personal data covers a wide range of information – effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer’s IP address. Users will also have the right to know exactly what details a company or organisation holds about them, and to request that any of this information be deleted if they feel their right to privacy is being infringed, as part of the new ‘right to erasure’.
Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant authorities within 72 hours of it happening, although there’s no requirement to notify users unless instructed.
Who does GDPR apply to?
Put simply, if your business offers goods or services to anyone living within the European Union, GDPR will apply to you. This means that companies outside Europe will also need to ensure they’re compliant with the rules, as they could also be subject to fines if found not to be up to speed. If you have mailing lists for newsletters or promotions, and some of your prospects or customers are EU citizens, GDPR applies to you.
How do I become compliant?
If you deal with customers within the EU, you’ll need to ensure that the way you gather, store and use their data is GDPR-compliant.
For starters, you’ll need to identify exactly what data you currently hold, and the means by which you acquired it. Many organisations may be unaware of the sheer mountain of information they hold on their customers – just as their customers might be unaware of how much information they have shared. All of this data will need to be properly secured to ensure it remains protected, so it’s definitely worth introducing new policies that limit access to the most sensitive data to a few key team members.
You should also be frequently backing up your data, as under GDPR customers are able to request to view exactly what information you have on them at any time.
If your business carries out large-scale data practices, you will also need to appoint a Data Protection Officer (DPO). A DPO will be able to take responsibility for much of the heavy lifting when it comes to GDPR, including overseeing compliance and data protection.
Lastly, you’ll need to ensure that all your employees are clued up about what exactly GDPR means. The rules aren’t just the preserve of the IT department; they could affect everyone in your organisation.
So what happens if you are not GDPR compliant?
If you did not comply with GDPR from the set deadline date (25th May 2018), you are putting yourself at risk of damaging fines ranging from €20 million to 4% of global turnover. Even though your site may be maintained or hosted by a different company, the responsibility falls on your business – not on those who supplied the site. Therefore you are held responsible for any breaches; it’s not worth taking the risk.
How can WTBI help?
If you still need to make your website compliant we can help with your online compliance and put you on the right track.