What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for EU citizens and residents, both within the EU and in the wider world. Essentially, it protects individuals’ personal data from misuse by commercial enterprises or by individuals involved in data corruption.
Hang on, what about Brexit?
First of all, when the GDPR comes into effect the UK will still be a part of the EU. Secondly, the UK will adopt all EU legislation immediately after Brexit. During this period, under what is currently being called The Great Repeal Bill, the EU laws will be rewritten in line with Britain’s new position outside of the EU. Thirdly, unless you are planning on denying access to your services, products etc. to all EU citizens and residents, you will need to comply with the GDPR or face the consequences.
When does the GDPR come into force?
The GDPR replaces the Data Protection Directive of 1995. It was adopted on 27th April 2016 and comes into force on 25th May 2018.
So, what are the consequences of not complying with GDPR?
The maximum sanction for non-compliance with the GDPR is €20,000,000 or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater.
I don’t process any personal data, but my Google, MailChimp, SendGrid, SalesForce etc. systems do
The GDPR would call these systems third party data processors. They are processing the data controller’s data on their behalf. Most (but certainly not all) of these systems are run by US-based companies who should be going through the process of becoming GDPR-compliant at this very moment if they have not already done so. US companies should also be Privacy Shield compliant. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US.
So, how can you make your website GDPR compliant?
Take a personal data audit
A personal data audit will help you to identify all of your data processors. List them all, marking each with either a 1 or a 3, to help you track which are first-party and which are third-party data processors.
For each data processor consider the following:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
Remember, data is a liability to you, so unless you need to keep the data we recommend deleting it.
As we’ve already mentioned, a big part of GDPR is communicating to your users about how and why you’re collecting and using their data. So tell them. Be clear and concise and give them a way to request a copy of it or have it deleted if they wish. Take a look at our own data policy to see how this looks in action.
Designate a Data Protection Officer (DPO)
A DPO is an individual or individuals designated by the Data Controller to be responsible for monitoring internal compliance with the GDPR within the organisation. This could be a specifically trained employee within the data controller’s organisation or a position that is outsourced. Unless you are carrying out large-scale processing of personal data, a suitably informed in-house member of staff should be perfectly sufficient for this role.