GDPR explained and steps you can take today
May 16th, 2018
You may be aware that the rules on data protection are changing. From 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. This article is intended to give a general overview of what GDPR is and some basic steps you might like to take to move closer to meeting your new legal obligations. As a small disclaimer, we are not able or qualified to provide legal advice and this article should be understood with that in mind.
When Is GDPR Coming Into Force?
From 25th May 2018 new rules come into force regarding the storage of an individual's personal information. The new rules fall under what is called GDPR, which stands for the General Data Protection Regulation.
What Is Personal Data?
The first thing to be clear on is what exactly personal data is. Personal data is defined as anything which can be used to uniquely identify a person. This could be a name, telephone number, email address or something more technical such as an IP address (your internet connection's unique address). If you store this information, digitally or otherwise, you fall within the remit of the GDPR rules. So even if you only keep a paper list of customers' contact details, GDPR applies to you too.
Does Brexit Mean I Don't Have to Comply?
There is no clarity at present on this point. What is clear, however, is that the rules become law in the UK on 25th May and, even if they were to be abandoned in due course, you must comply until that happens. From the information we have, it seems highly likely that these regulations will stay in place in the UK as they represent the highest standard of data protection. Even companies like Facebook intend to implement the GDPR rules for their users across the globe, even though many of those users are outside the jurisdiction of the EU. Another important point is that these rules must be followed by any company dealing with EU citizens. This means that even if you are based outside the EU, for example in the US, you must comply with these rules.
What are the New Rules on Data Protection?
The new rules are, as you would expect, pretty complex, but in overview the rules we're talking about are as follows:
If you hold any personal information, the new rules say you should only do so for one of the allowed reasons. If the data is kept for any reason other than one of the allowed reasons, you should not be storing it. We won't go into full detail of the different reasons, but the most common are 'Consent' and 'Contract'.
Consent essentially means you asked the person, told them what you wanted the information for and they positively gave you the OK. For example, registering for a newsletter where you have provided a clear opt-in checkbox.
Contract applies where the personal information you collect is collected as part of a contract you have with the individual, e.g. collecting the addresses of people who buy from your store.
How Do I Become Compliant?
The question everyone is asking us is how they become compliant with the new rules. The problem is that every business will have its own specific set of things it needs to do, depending on the different ways it collects and stores data and its justification for doing so.
While we can't provide you with an exhaustive list of things to do to guarantee that you will meet all your legal requirements, here are some things you can do to at least show you have made efforts.
You should also mention who, if anyone, you share their data with. For example, if you use an external email marketing service like Mailchimp you will effectively be sharing your clients' information with them. You might, for example, say 'We share your email address and name with Mailchimp so we can send you emails relating to our services, such as current promotions'.
Ideally this document should be drafted by a legal expert; however, it is better to have something rather than nothing should a complaint ever be made against you.
Add Confirmation Tick Boxes to Forms
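The opt-in checkbox described under 'Consent' above only counts as consent if the box is not pre-ticked, the label says what the data is for and who receives it, and the server records that the box was actually ticked. The following is an added example (not code from the original article) of both halves: the form fragment and the server-side check and consent record. The field names, the purpose text and the notice version are constructed for illustration; the form data is assumed to arrive as a plain object of string fields, as a URL-encoded POST body would be parsed into.

```javascript
// Consent capture helper. Added example, not code from the original article.
// Assumes form data arrives as a plain object of string fields. The names
// MARKETING_PURPOSE and PRIVACY_NOTICE_VERSION are hypothetical.

const MARKETING_PURPOSE = "our services and current promotions";
const PRIVACY_NOTICE_VERSION = "2018-05-25"; // constructed placeholder value

// HTML fragment for the sign-up form. The consent box is deliberately NOT
// pre-ticked, and the label states the purpose and who the data is shared with.
function renderSignupForm() {
  return [
    '<form method="post" action="/signup">',
    '  <label>Name <input name="name" required></label>',
    '  <label>Email <input name="email" type="email" required></label>',
    '  <label>',
    '    <input type="checkbox" name="marketing_consent" value="yes">',
    `    Yes, email me about ${MARKETING_PURPOSE}. Your name and email address`,
    '    will be shared with our email marketing provider for this purpose.',
    '  </label>',
    '  <button type="submit">Sign up</button>',
    '</form>',
  ].join("\n");
}

// Server-side check. A browser omits an unticked checkbox from the submitted
// data entirely, so a missing field means "no consent". Only the exact value
// set in the form counts: "on", "true" or an empty string are treated as not
// ticked, so a mis-wired or tampered form cannot silently grant consent.
function consentGiven(formData) {
  return formData.marketing_consent === "yes";
}

// Build the record to store alongside the contact. It captures what the
// person was told (purpose, notice version) and when, which is what you need
// to show later that consent was actually obtained for that purpose.
function buildConsentRecord(formData, now = new Date()) {
  if (!consentGiven(formData)) {
    return { marketing: false, recordedAt: now.toISOString() };
  }
  return {
    marketing: true,
    purpose: MARKETING_PURPOSE,
    noticeVersion: PRIVACY_NOTICE_VERSION,
    recordedAt: now.toISOString(),
  };
}

// Constructed sample submission, as the server would see it after parsing.
const sampleSubmission = { name: "A. Customer", email: "a.customer@example.com", marketing_consent: "yes" };
console.log(JSON.stringify(buildConsentRecord(sampleSubmission), null, 2));
```

If the notice text or purpose changes later, bump the version so older records show which wording the person agreed to; a record with `marketing: false` is still worth keeping so you can show the person was offered the choice and declined.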
Secure Your Website
You can make the communication between your website's users and your website more secure using SSL security (HTTPS). This means that any personal information sent between the website and the user will be encrypted. Users will see a green or yellow padlock symbol next to the website address in their browser. This not only helps you demonstrate that you are securing the data you collect, but can also reassure customers and act as a differentiating point when compared with your competitors. You can read more about this in our SSL Security blog article.
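Installing a certificate is only half of securing the site: visitors who type the address without `https://` still arrive over plain HTTP unless the site sends them to the encrypted version. Below is an added example (not code from the original article or the author's site) of the two server-side pieces that finish the job: redirecting plain-HTTP requests to HTTPS, and sending the Strict-Transport-Security header so browsers use HTTPS on later visits. It is framework-neutral, working on a plain request object `{ protocol, host, path, headers }` like a small Express-style app would supply; the host name `www.example.com` and the function names are constructed for illustration.

```javascript
// HTTPS enforcement helpers. Added example, not code from the original article.
// Works on a plain request object { protocol, host, path, headers }; the
// function names and the canonical host below are hypothetical.

// Redirect to a configured host rather than echoing the request's Host header,
// so a crafted Host value cannot turn the redirect into a link to another site.
const CANONICAL_HOST = "www.example.com"; // constructed placeholder value

// Decide whether the request arrived over TLS. The X-Forwarded-Proto header
// is only meaningful when a trusted reverse proxy or load balancer terminates
// TLS in front of the app; otherwise anyone can send it, so it is ignored.
function isSecure(req, trustProxy = false) {
  if (req.protocol === "https") return true;
  if (trustProxy) {
    const fwd = (req.headers["x-forwarded-proto"] || "").split(",")[0].trim();
    return fwd.toLowerCase() === "https";
  }
  return false;
}

// Returns a redirect decision for plain-HTTP requests, or null when the
// request is already secure. 301 lets browsers cache the redirect.
function httpsRedirect(req, trustProxy = false) {
  if (isSecure(req, trustProxy)) return null;
  return { status: 301, location: `https://${CANONICAL_HOST}${req.path}` };
}

// Headers sent on every HTTPS response. HSTS tells the browser to use HTTPS
// for this host for the next year without first trying HTTP; the referrer
// policy stops full page URLs leaking to third-party sites in the Referer header.
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Minimal handler combining the two: plain HTTP gets the redirect, HTTPS gets
// the page plus the security headers.
function handle(req, trustProxy = false) {
  const redirect = httpsRedirect(req, trustProxy);
  if (redirect) {
    return { status: redirect.status, headers: { Location: redirect.location }, body: "" };
  }
  return { status: 200, headers: securityHeaders(), body: "<h1>Contact us</h1>" };
}

// Constructed sample requests: one over plain HTTP, one over HTTPS.
const plainRequest = { protocol: "http", host: "www.example.com", path: "/contact?ref=1", headers: {} };
const secureRequest = { protocol: "https", host: "www.example.com", path: "/contact?ref=1", headers: {} };
console.log(handle(plainRequest));
console.log(handle(secureRequest));
```

Only set `trustProxy` to true when a proxy you control sits in front of the application and strips any X-Forwarded-Proto value sent by the client; start HSTS with a short `max-age` while testing, because once a browser has stored the header it will refuse plain HTTP for that host until the age expires.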
Inform Users About Cookies
There's no doubt that GDPR adds an additional burden on businesses; however, despite the work it adds for us all, it should generally be welcomed, as these rules help to keep all our data secure. There are huge fines that can be applied to those who do not comply, although we expect these to be reserved for the largest companies. For smaller companies who don't have access to expensive legal advice, we recommend taking action now to meet your obligations as best you can and not ignoring the new rules.
If you have found this article useful and informative, please share it below :-)