The new General Data Protection Regulation, known as GDPR will become enforceable from 25th May 2018. This regulation dictates the procedures for the control of personal data and the consequences and notifications required for data breaches. So of course applies to websites as well as all other areas of an organisation.
Consequences of non-compliance include fines of up to 20M euros or 4% of global turnover, the risk of legal action and of damage to brand and customer trust.
“Consumers and citizens have stronger rights to be informed about how organisations use their personal data.”
Elizabeth Denham, Information Commissioner, January 2017
Key points about GDPR
Personal data – This applies to ‘personal data’ – any information relating to an identifiable person who can be directly or indirectly identified.
Consent – All individuals must be provided with accurate information such as the data you are collecting and processing and why. Individuals must give consent to have their data stored and this must be freely given, informed and unambiguous.
Right to be forgotten – Individuals have the right to request that their personal data is deleted or removed, where there is no compelling reason for you to continue to process it.
Notifications of breaches – All organisations must report data breaches to the ICO within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Special categories of data – There are new provisions for certain data such as for children and genetic, medical and biometric data which are more stringent.
GDPR Audit
Check what you do now with personal information
- Are you are registered with the ICO?
- What personal data do you store at the moment? For example…
- Leads
- Customers
- Networking
- Suppliers
- Staff
- How did you obtain this personal information?
- How long have you held this information?
- Who do you share it with, for example suppliers?
- How is it stored (paper or electronic)?
- If electronic, where do you store this information?
- What software or system?
- What security do you have?
- Do you use passwords?
- If online in the ‘cloud’ where is it stored, in the EU or outside the EU?
Check your processes
- Do you have a lawful reason to hold the personal data? Article 6(1) of the GDPR sets out the six possible reasons for the processing of personal data to be lawful. They are:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Do you need all this personal data?
- What are your processes for recording and managing consent? Do you need to make any changes?
- Refresh existing consents if they do not meet the standard
- Do you have a process in place to detect, report and investigate a data breach?
Review your policies
- Privacy by design – if necessary do a privacy impact assessment.
- How are you keeping the personal data secure?
- Review your website privacy & cookie policies.
- Review your consent wording.
- Review your wording on communication with contacts.
- Review contracts and terms with customers and suppliers.
Summary of GDPR Actions
You should now know and have written down…
- What data you have?
- Where it is?
- Who has access?
- How it is processed?
- What are your data protection responsibilities?
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”
Elizabeth Denham, Information Commissioner, January 2017
GDPR Website Audits
If you are using open-source software such as WordPress for your website then it is particularly important that you are aware of any security vulnerabilities and patch them straight away. Proactive website maintenance will be vital. Already the ICO has fined a couple of organisations where data breaches were caused by open-source software not being kept up to date.
If you would like help with a GDPR Website Audit then please get in touch on 01442 877483.
Useful Links
There is lots of information about GDPR online, start with the ICO…
ICO FAQs for GDPR
https://ico.org.uk/for-organisations/sme-web-hub/frequently-asked-questions/
Government guide to GDPR
https://www.gov.uk/data-protection-your-business
EU Guide to key changes
https://www.eugdpr.org/key-changes.html
Disclaimer: I am not a lawyer and none of the information I provide, write, or consult on should be taken as legal advice. We provide this resource for your information only. Every business is different, and it is important for you to carefully consider your compliance obligations to these laws, which may include consulting a solicitor.