First, we’d better clear up what GDPR actually is. We’ve all been inundated with emails recently from companies pleading with us to allow them to “keep in contact” – leading to the term trending on Twitter and a plethora of memes poking fun at the widespread panic. We all received the emails, but what does it actually mean for us in the future?
WHAT IS GDPR?
In short, GDPR stands for General Data Protection Regulation: a single EU regulation (Regulation (EU) 2016/679) that took the EU over three years to negotiate.
GDPR replaces the Data Protection Directive (95/46/EC, 1995), which set the minimum requirements for data processing within the EU. It applies from Friday 25th May 2018, gives regulators more power to enforce its rules, and allows fines of up to €20m or 4% of worldwide annual turnover, whichever is higher.
The New York Times explains that “The data regulation law centres on two main principles. The first is that companies need your consent to collect your data. The second is that you should be required to share only data that is necessary to make their services work.”
PURPOSES OF GDPR
The EU Commission describes the goal of GDPR as follows: “The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.”
Ultimately, GDPR is for the consumer – for their data protection. Consumers will find that their communication with businesses and organisations becomes more transparent, and privacy policies and statements about consent less ambiguous. A business can no longer make access to a service conditional on consent to processing that the service does not actually need. Customers can rest assured that if their trust is abused, heavy fines follow.
Does your business use data relating to individuals which allows you to identify them? Most businesses do, and all of them, regardless of size, have to be GDPR compliant. GDPR also applies to businesses outside the EU if they offer goods or services to people in the EU or monitor their behaviour. Even a small craft business selling personalised baby clothes through a Shopify website has to comply: it needs to know what details it holds about each customer. Does it email them offers or newsletters? If so, it will have to follow the GDPR rules carefully to stay compliant and avoid hefty, potentially ruinous fines.
WHAT CONSTITUTES ‘PERSONAL DATA’ IN GDPR?
Any information relating to an identified or identifiable individual. This includes names, home addresses, IP addresses and data collected by mobile apps, such as location data. Some data is regarded as more sensitive (“special category” data under Article 9) and may only be processed under specific conditions: data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, health data, and data about a person’s sex life or sexual orientation.
Organisations whose core activities involve large-scale processing of sensitive data, or large-scale regular and systematic monitoring of individuals (Facebook being an obvious example), must now appoint a data protection officer (Article 37).
Article 25: Data Protection by Design and by Default
‘Privacy by design’ is now known as ‘data protection by design and by default’ and has become a legal obligation. It requires businesses to treat privacy and data protection as a priority in everything they do: data should be intrinsically protected in their systems and designs, with only the data necessary for each purpose collected and processed by default, rather than protected as an afterthought.
CHANGES WEBSITE OWNERS SHOULD KNOW ABOUT
- Despite being European legislation, GDPR will have a major impact throughout the world. Companies in the USA that trade with or provide services to the EU will have to comply in the same manner as EU companies, because the data of the European consumer must be protected. The eyes of the world will be on Facebook, which has been widely criticised in the past for its use of personal data and for the recent Cambridge Analytica scandal. Many American companies have been severely unprepared for the changes; Instapaper, for example, withdrew its service from European readers until it could catch up with the demands of GDPR.
- The financial penalties for non-compliance are severe. A company that breaks the rules can be fined up to 4% of its worldwide annual turnover or €20m, whichever is higher. This could have a potentially disastrous impact on small and medium-sized businesses.
- Policies can no longer be vague or unclear. You cannot bury consent in 200 pages of terms and conditions that nobody reads. Consent must be requested separately from the terms and conditions, in plain language, and separately for each distinct purpose, for example permission to contact a customer by email, by telephone and so on. Pre-ticked checkboxes, silence or inactivity do not count as consent; the user has to actively opt in.
- Systems must be put in place that allow an organisation to quickly find, access, correct or delete the data it holds about an individual. Individuals can request any of these, and each request must be dealt with and responded to within one month of receipt (extendable by two further months for complex or numerous requests, provided the individual is told within the first month).
- The “right to be forgotten” (the right to erasure) is a major element of GDPR. Individuals can withdraw consent they previously gave, and withdrawing consent must be as easy as giving it; they can also ask for their data to be deleted. These rights must be transparent, not buried in the small print. A major part of compliance is going to be the ability to respond to these requests, which for many organisations means changes to their infrastructure.
- Data controllers have a 72-hour window, from becoming aware of it, to report a breach of personal data to the supervisory authority, for example when data is lost or stolen. Compare the Uber breach of 2016, which: “affected some 57 million customers, including both riders and drivers, revealing their names, email address and phone numbers. That affected group included 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg. Uber did not report the incident to regulators or to affected customers, but instead paid $100,000 to “hackers” to get rid of the data in order to keep the breach under wraps.”
WHAT TO DO TO ENSURE YOUR WEBSITE COMPLIES WITH GDPR
- Ensure your data storage is secure and that you know how to erase a client’s data if they ask. You must also be able to provide a free electronic copy of the data you hold about an individual at their request.
- Where you rely on consent, make sure users of your website have actively agreed to your (transparent) plans to use and store their data, and keep a good record of these agreements: who consented, when, to what, and how.
- Check that your cookies, checkout process and any sign-up documents are compliant.
- It is vital that all personnel who handle personal data are trained to understand the changes in the law and how to implement them.
- Be aware of who is responsible for GDPR compliance; if the marketing team think the IT guys are in charge and vice versa – it could turn out that no one is.
- Don’t share clients’ information without just cause and permission.
- If a third party processes personal data on your behalf (a hosting provider, an email marketing service, a payment gateway), satisfy yourself that they are GDPR compliant, put a written contract in place that sets out what they may do with the data, and get their assurance that all measures are being taken to avoid breaking the law.
- Seek professional help if you aren’t confident that you can implement the changes required to ensure compliance.
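The two points above about erasing a client’s data and handing over an electronic copy on request, together with the earlier requirement to find, correct or delete data within one month, are mostly plumbing. The following is an added example (not code from the original article, and not any real product’s code) of what that plumbing looks like in miniature: a tiny in-memory datastore with several tables keyed by user id, an export routine for access requests, consent withdrawal, an erasure routine that deletes what it can and pseudonymises what a retention obligation (such as tax law for invoices) forces you to keep, and a calendar-month deadline calculator. All table names, sample records and the `PEPPER` secret are hypothetical and constructed for the demo.

```python
"""Minimal data-subject request handling: access, consent withdrawal, erasure.

Added example, not from the original article.  Table names, records and the
pepper are constructed for the demo; a real system would back this with a
database and keep the pepper in a secrets manager.
"""
from __future__ import annotations

import calendar
import copy
import hashlib
import json
from datetime import date
from typing import Any

# Constructed sample data (hypothetical): three "tables", each keyed by user id.
SAMPLE_STORE: dict[str, dict[str, Any]] = {
    "customers": {"u42": {"name": "Ada Example", "email": "ada@example.test",
                          "last_ip": "203.0.113.9"}},
    "consents": {"u42": {"newsletter": True, "sms": False,
                         "recorded_on": "2018-05-25", "source": "signup form v3"}},
    "orders": {"u42": [{"order_id": "o1001", "total": 19.99,
                        "invoiced_on": "2018-03-01"}]},
}

# Tables you may be legally obliged to keep (e.g. invoices for tax purposes)
# are pseudonymised rather than deleted when an erasure request arrives.
RETAINED_TABLES = {"orders"}

# Hypothetical secret used to derive pseudonyms; never hard-code this for real.
PEPPER = b"rotate-me-and-keep-me-out-of-git"


def add_months(d: date, months: int) -> date:
    """Move d forward by whole calendar months, clamping to the month's last day."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received: date, extended: bool = False) -> date:
    """Article 12(3): respond within one month of receipt; complex or numerous
    requests may be extended by two further months."""
    return add_months(received, 3 if extended else 1)


def export_subject_data(store: dict, user_id: str) -> dict[str, Any]:
    """Access request: every record held about user_id, copied out as plain data."""
    return {table: copy.deepcopy(rows[user_id])
            for table, rows in store.items() if user_id in rows}


def export_as_json(store: dict, user_id: str) -> str:
    """The free electronic copy the article mentions, in a portable format."""
    return json.dumps(export_subject_data(store, user_id), indent=2, sort_keys=True)


def withdraw_consent(store: dict, user_id: str, purpose: str, on: date) -> bool:
    """Turn one consent flag off and record when; False if there was no such consent."""
    rec = store["consents"].get(user_id)
    if rec is None or purpose not in rec:
        return False
    rec[purpose] = False
    rec[f"{purpose}_withdrawn_on"] = on.isoformat()
    return True


def pseudonym(user_id: str) -> str:
    """Peppered hash so retained records can no longer be tied back to the person."""
    return hashlib.sha256(PEPPER + user_id.encode()).hexdigest()[:16]


def erase_subject(store: dict, user_id: str) -> dict[str, str]:
    """Erasure request: delete what can be deleted; re-key retained tables under
    a pseudonym.  Returns a per-table summary for the audit record."""
    summary: dict[str, str] = {}
    for table, rows in store.items():
        if user_id not in rows:
            continue
        if table in RETAINED_TABLES:
            rows[pseudonym(user_id)] = rows.pop(user_id)
            summary[table] = "pseudonymised"
        else:
            del rows[user_id]
            summary[table] = "deleted"
    return summary


def handle_request(store: dict, kind: str, user_id: str, received: date,
                   audit: list | None = None, **kw: Any) -> dict[str, Any]:
    """Route a request and keep a record of how it was handled (accountability).
    The audit entry stores only the pseudonym and table names, not the data."""
    if kind == "access":
        result: Any = sorted(export_subject_data(store, user_id))
    elif kind == "withdraw_consent":
        result = withdraw_consent(store, user_id, kw["purpose"], received)
    elif kind == "erase":
        result = erase_subject(store, user_id)
    else:
        raise ValueError(f"unknown request kind {kind!r}")
    entry = {"kind": kind, "subject": pseudonym(user_id),
             "received": received.isoformat(),
             "deadline": response_deadline(received).isoformat(), "result": result}
    if audit is not None:
        audit.append(entry)
    return entry


if __name__ == "__main__":
    store = copy.deepcopy(SAMPLE_STORE)
    print(export_as_json(store, "u42"))
    print(handle_request(store, "withdraw_consent", "u42", date(2018, 6, 1), purpose="newsletter"))
    print(handle_request(store, "erase", "u42", date(2018, 6, 2)))
    print(sorted(store["orders"]))  # only the pseudonymised invoice key remains
```

The design point worth noticing is the split between deletion and pseudonymisation: an erasure request does not override a legal duty to keep invoices, so the orders stay but lose their link to the customer record. The deadline uses calendar months rather than “30 days”, which is what the regulation actually says.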
Cider is a software development company based in the heart of Silicon Valley. We combine the business domain knowledge and technology expertise of more than 50 development studios spread around the world. We specialise in custom web development, as well as customisation of CMS-based websites. We have experience in building websites across different verticals, from eCommerce to healthcare.
We will be happy to help you analyse the current state of your web property and move it to the next level together. Reach out to us for a FREE quote!