On 25 May 2018, the General Data Protection Regulation (GDPR) becomes enforceable for all countries within the European Union. This means that all organisations will have to comply with these new regulations, or risk hefty fines.
This is the biggest change for 20 years in data protection laws. It affects users living within the EU, and the companies that deal with them (even businesses outside of the EU).
If your company offers products / services to users in the EU, then you need to be aware of what the GDPR is.
What is the GDPR?
GDPR is new legislation that gives people more control over their personal data, and also ensures that this data is kept protected.
Essentially you will have the right to access, change and delete your personal data – and have more control over how that data is processed.
Companies will have to adhere to stricter guidelines concerning getting consent from users to use their personal data. So if you want to use that data for any advertising or marketing purposes, your users need to give their consent.
You will also have the added responsibility of ensuring that all the personal data is kept secure, or face heavy fines.
If one of your users requests that you delete their personal data from your records, you need to be able to action that immediately – your users have the “right to be forgotten”.
Why the change?
The UK’s current data protection act was set up way back in 1998. How the world uses and accesses data is very different today, and these new regulations promise to make Europe fit for the digital age.
Huge companies like Google and Facebook have gained access to the personal data of all their users. What the GDPR is set to do, is give us a say in what these companies (and others) can do with that data – and fine those who misuse it.
This can hopefully build trust in the emerging digital economy, and also give businesses simpler guidelines in which to work.
What this also does is bring the UK’s data protection regulations more in line with the rest of Europe, almost creating a standardised set of rules across the continent. With this single law (as opposed to 28), costly administrative burdens will be removed – potentially saving over €2.3 billion a year.
What is deemed “personal data” by the GDPR?
Basically, personal data is any information that can be linked to a specific individual.
For eCommerce stores, this covers customer details such as their names, their telephone numbers and their personal email addresses (a general email address like email@example.com is not seen as personal data, but an address that identifies an individual at their business, like firstname.lastname@example.org, is).
If for some reason your company stores the IP addresses of your users, those also count as personal data because they can be linked back to the individual.
What counts as personal data, taken from https://gdpr-info.eu/art-4-gdpr/:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Does this affect your organisation?
There are two parties that need to work within the new regulations – the data controllers and the data processors.
- Controller – This is the party that is in charge of the data. They decide why and how your personal data is used – this is the actual business or organisation.
- Processor – A processor is a person or company that has access to the data and is involved in how it is processed. This includes marketing companies using that user data as part of any advertising campaigns.
Companies that don’t provide proper data protection for personal data can be fined heavily under the GDPR regulations – by up to 4% of their global turnover, or €20 million (whichever is the greater amount).
And even if the processors and controllers are located outside of the European Union, they still have to adhere to the guidelines if they are working with data that belongs to residents of the EU.
What do you need to do?
You’ll need to assess your current setup, and see if you need to take action.
- Your website is most likely using third-party applications to perform specific functions (payment gateways, plugins, or maybe the site theme). Find out whether these parties comply with the GDPR regulations.
- Can your users access, edit, export or delete their data? This is a core part of the new GDPR regulations.
- Make sure that you have the necessary consent needed to process your users’ data.
If you’re not sure about any of these points, or need further information on how to comply with GDPR, talk to a lawyer. Because each business is unique, there might be other aspects to consider.
Your company might need a dedicated data protection officer to ensure that all aspects of GDPR are being adhered to.
After Brexit, does the UK have to comply with GDPR?
GDPR is mandatory for all EU countries from 25 May 2018, and the UK only officially leaves the European Union on 29 March 2019.
The UK government only triggered Article 50 in March 2017, which means that leaving the EU should take place within 2 years.
If you’re still unsure of what is needed, please contact us for an assessment of your web operations, and we can make recommendations.