The General Data Protection Regulation, or GDPR, became enforceable on the 25th of May 2018. It exists to protect people’s personal data and to give them control over what other people and companies may do with it.
The General Data Protection Regulation is EU law. It does not only protect personal data handled inside the EU and EEA; it also governs the export of personal data out of those areas, and under Article 3 it applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. It protects people who are in the EU, not just EU citizens, so a company anywhere in the world that deals with customers in the EU has to adhere to GDPR.
You can access the entire General Data Protection Regulation here! http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
So What Is GDPR?
If you own a website or collect customer information by any means, you need to put appropriate technical and organisational measures in place to protect that data (Article 32). Any data collection must be disclosed by your company: you must state why you are collecting the data, how long you will keep it and whether it is shared with any third parties. Data subjects have the right to request a copy of the data your company holds on them, in a portable format, and to have it erased under certain circumstances.
Any business that handles personal data in any form needs safeguards in place to protect it and to stop it being disclosed without a lawful basis. Consent is one such basis, and where you rely on it the person has the right to withdraw it at any time; withdrawing consent must be as easy as giving it (Article 7).
Let’s say a customer signs up to your mailing list. They must be able to unsubscribe from it, and every email you send them should carry a working unsubscribe link, because they have the right to object to direct marketing at any time (Article 21).
If your core activities involve regular and systematic monitoring of people on a large scale, or large-scale processing of special-category data such as health records, you must appoint a data protection officer to oversee your GDPR compliance (Article 37). Smaller businesses that only process customer details incidentally usually do not need one, but somebody still has to own compliance. A personal data breach must be reported to your supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the people affected (Article 33), and those people must be told without undue delay when the risk to them is high (Article 34). Fines for the most serious infringements can reach 20 million euros or 4% of your company’s total worldwide annual turnover for the preceding financial year, whichever is greater (Article 83).
Is There An Easy Way To Be GDPR Compliant?
Becoming GDPR compliant is complicated, and not everyone can specialise in it. Many consultants argue that no organisation can ever be certain it is completely compliant, and even companies large enough to afford tech lawyers and data protection specialists struggle with it. For a smaller business it can seem daunting, even impossible. That doesn’t mean you cannot take steps to protect your customers’ data. Data protection is a priority and you should still do your best to keep any data you store protected.
A Few Basic Steps
Bear in mind that these steps are good practice and will not make you fully GDPR compliant on their own. They do show a conscious effort to abide by the regulation, and when a supervisory authority decides on a penalty it takes into account the technical and organisational measures you had in place and how you responded (Article 83(2)). An organisation that has made this effort is treated more favourably than one that has not if it is found to be non-compliant or suffers a data breach.
GDPR And Your Website
Your website is an important consideration when it comes to GDPR. You should tell visitors what data you are going to collect about them. This includes cookies, Google Analytics, Facebook Pixels and any other tracking that stores personal data. You must tell visitors what types of data you are storing, why you are storing it, how long you intend to keep it and whether it will be accessible to any third party. Collect as little data as possible: data minimisation is one of the regulation’s principles (Article 5(1)(c)), and the less you hold, the less can be exposed if a breach does occur.
You are going to want to look into encryption, as it is an integral part of data protection for your company, but be clear about what each measure does. An SSL/TLS certificate lets your site serve pages over HTTPS, which encrypts data in transit between the visitor’s browser and your server, so form submissions and logins cannot be read or altered on the way. It does nothing for the data once it is stored on your server; protecting that needs separate measures such as access controls, encryption of the database and backups, and keeping the software patched. Configure the server for TLS rather than the old SSL protocol versions, which are deprecated, even though the certificate is still commonly called an SSL certificate. For more information about getting a certificate if you don’t have one already, check out our blog here! (Acquiring An SSL Certificate With Namecheap!)
If you have forms on your website that collect customer data, you might want to adjust them. Any consent checkbox must be unticked by default: the user has to actively opt in, and a pre-ticked box, silence or inactivity does not count as consent (Recital 32). Keep the consent request separate from your other terms and conditions, and record when and to what the person consented, because you have to be able to demonstrate it (Article 7).
If a data breach occurs on your website you need to know how to deal with it and which authority to contact. For UK businesses that is the Information Commissioner’s Office (ICO); other EU countries each have their own supervisory authority. The ICO explains how to report a breach here: https://ico.org.uk/for-organisations/report-a-breach/
So Am I Compliant Yet?
A lot of people think: OK, I’ve secured my website, I’m up and running and GDPR compliant! It’s not just your website; it’s the whole of your company. You’re going to want to create a Data Map of the data flows within your organisation so you can see where personal data goes and find any problems.
Data Maps are incredibly useful. Here are 5 steps for Data Mapping a simple Contact Form.
The Source is where we acquire the data from. Be very careful about acquiring third-party data; personally I would recommend against it, as you have no real way of knowing whether the people concerned consented to it being collected and passed on. For this exercise the Source is the contact form on our website.
Then we look at the Personal Data. What are we collecting? I recommend collecting as little data as possible: only what you need from the customer to provide the service. For something as simple as a contact form we won’t need any special-category data such as ethnic origin, sexual orientation, religion or health (Article 9), and we might not even need a phone number.
Then we look at the Reason: we need to respond to a potentially interested customer. So we have a reason to collect this person’s basic details, but not any special-category data about them.
So how is the data Handled? It’s stored in our website database and responded to by admins using our emailing system. Knowing how it’s handled is key, because if there’s a breach we can work out where it occurred. The information is stored, retrieved by an admin and responded to by email.
Disposal: This is short-term data, needed only until we have responded. Deleting it after 30 days is fine; there’s no reason to keep it, because it isn’t a record we need to retain.
So what does our data map look like?
- Source: Contact Form on Website
- Personal Data: Full Name, Phone Number, Email
- Reason: Required For Customer To Be Contacted Back
- Handling: Website Database, Admins, Emailing System
- Disposal: Removed Within 30 Days
Then we have a few questions: Did the subject consent to their data being stored? Is the subject old enough to consent on their own? (The GDPR default is 16, but member states may lower it to 13, which the UK has done.) Is the data required by your organisation? Is any of it special-category data?
When the subject enters their information on your website, they should be able to tick a box (unticked by default) consenting to your company storing it. If they have given consent, you are allowed to store their data. A second checkbox can ask whether the subject is over the age threshold. We have to accept that a visitor may lie; Article 8 only requires you to make reasonable efforts to verify age in light of the available technology, and for a simple contact form a self-declaration is what most sites rely on. The data on our contact form is required to contact the customer back, so it is acceptable to take the information listed under Personal Data. None of it is special-category data, but we should still do our best to keep it protected.
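The two points that bite on the server side are the consent checkbox and the 30-day disposal in the data map above. The following is an added example, not code from the original post: a small Python store for contact-form submissions that refuses to save anything without an affirmative consent flag (so a missing or pre-ticked box can never be mistaken for consent) and a purge routine that enforces the 30-day retention. The table layout, the SQLite store and the sample submissions are all constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # the disposal period from the contact-form data map

# Hypothetical table for this example; a real site would have its own schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS contact_requests (
    id          INTEGER PRIMARY KEY,
    full_name   TEXT NOT NULL,
    phone       TEXT,
    email       TEXT NOT NULL,
    consent_at  TEXT NOT NULL,   -- when the subject ticked the unticked-by-default box
    received_at TEXT NOT NULL    -- ISO 8601 in UTC, so string comparison orders correctly
);
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_request(conn, full_name, email, consent_given, received_at, phone=None):
    """Store one submission. Anything without an explicit True consent flag is refused:
    the server must never infer consent from an absent, pre-ticked or default value."""
    if consent_given is not True:
        raise ValueError("no affirmative consent; submission not stored")
    ts = received_at.astimezone(timezone.utc).isoformat()
    conn.execute(
        "INSERT INTO contact_requests (full_name, phone, email, consent_at, received_at)"
        " VALUES (?, ?, ?, ?, ?)",
        (full_name, phone, email, ts, ts),
    )
    conn.commit()


def purge_expired(conn, now, retention_days=RETENTION_DAYS) -> int:
    """Delete every submission older than the retention period; returns rows removed."""
    cutoff = (now - timedelta(days=retention_days)).astimezone(timezone.utc).isoformat()
    cur = conn.execute("DELETE FROM contact_requests WHERE received_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def count_requests(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM contact_requests").fetchone()[0]


def demo():
    """Constructed sample submissions (not real people): two past retention, one within it,
    one submitted without consent. Returns (deleted, remaining, rejected)."""
    conn = open_store()
    now = datetime(2018, 7, 1, 12, 0, tzinfo=timezone.utc)
    record_request(conn, "A. Example", "a@example.com", True, now - timedelta(days=45))
    record_request(conn, "B. Example", "b@example.com", True, now - timedelta(days=31), phone="0123")
    record_request(conn, "C. Example", "c@example.com", True, now - timedelta(days=5))
    rejected = 0
    try:
        record_request(conn, "D. Example", "d@example.com", False, now)
    except ValueError:
        rejected += 1
    deleted = purge_expired(conn, now)
    return deleted, count_requests(conn), rejected


if __name__ == "__main__":
    print(demo())
```

Run `purge_expired` from a daily scheduled job; the retention period then lives in one place and the data map, the privacy notice and the code all say the same thing.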
Data Mapping can also apply if you are storing information in an external hard drive for example… Let’s think about medical records. I’ll give a slightly abridged example of storing something more complicated.
- Source: Digital Form Completed Online.
- Personal Data: Full Name, Phone Number, Email, Ethnic Origin, Health data (the subject has had a heart attack).
- Reason: Records required for customer’s medical treatment.
- Handling: Customer Database on Main Computer, Admin, External Hard Drive
- Disposal: Data Kept Indefinitely due to containing medical history. Data will be edited and updated where necessary.
There would realistically be a lot more information, but for the purposes of this example I’m keeping it basic. The subject consented to the data being stored and was over the age threshold. We have written consent: it was signed and scanned, and a copy of the signed documents is saved with the data for easy access. Explicit consent matters here because ethnic origin and health data are special categories (Article 9), which may only be processed on one of the narrow grounds in Article 9(2) and must be protected accordingly. The data is required by our organisation. Storing it on an external hard drive like this is not a good idea and wouldn’t normally be recommended; if removable media is used at all it should be encrypted and locked away. However, I have seen some companies storing customer data in this way.
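Once you have more than a couple of data maps it pays to run the four questions above over all of them mechanically. The following is an added example, not code from the original post: the two data maps from this article encoded as records, plus a review function that applies the article’s questions (consent, age, necessity, special-category data) together with the retention and removable-media points raised above. The keyword lists used to spot special-category data and removable media are simplifications made for this example, not the regulation’s definitions, and an empty result means nothing was flagged, not that the processing is lawful.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified keyword list for Article 9 special categories (example only).
SPECIAL_CATEGORY_KEYWORDS = (
    "ethnic", "racial", "political", "religio", "trade union", "genetic",
    "biometric", "health", "medical", "sex life", "sexual orientation",
)
# Handling steps that put data on media which is easily lost or stolen (example only).
REMOVABLE_MEDIA_KEYWORDS = ("external hard drive", "usb", "memory stick", "laptop")


@dataclass
class DataMap:
    source: str
    personal_data: List[str]
    reason: str
    handling: List[str]
    retention_days: Optional[int]   # None means kept indefinitely
    consent_obtained: bool
    consent_is_explicit: bool       # signed/written, or a dedicated explicit statement
    age_confirmed: bool             # checked against the applicable threshold (13 in the UK)
    third_party_source: bool = False


def special_categories(dm: DataMap) -> List[str]:
    """Fields in the data map that look like Article 9 special-category data."""
    return [f for f in dm.personal_data
            if any(k in f.lower() for k in SPECIAL_CATEGORY_KEYWORDS)]


def review(dm: DataMap, max_retention_days: int = 365) -> List[str]:
    """Apply the article's questions to one data map and return human-readable findings."""
    findings = []
    if not dm.consent_obtained:
        findings.append("no consent recorded for collecting this data")
    if not dm.age_confirmed:
        findings.append("subject's age not confirmed against the applicable threshold")
    if dm.third_party_source:
        findings.append("third-party source: the original consent cannot be verified")
    special = special_categories(dm)
    if special:
        findings.append("special-category data (%s): needs an Article 9(2) ground and stronger protection"
                        % ", ".join(special))
        if not dm.consent_is_explicit:
            findings.append("special-category data held without explicit consent")
    if dm.retention_days is None:
        findings.append("no retention period: indefinite storage must be justified and reviewed")
    elif dm.retention_days > max_retention_days:
        findings.append("retention of %d days exceeds the review threshold" % dm.retention_days)
    for step in dm.handling:
        if any(k in step.lower() for k in REMOVABLE_MEDIA_KEYWORDS):
            findings.append("removable media in the flow (%s): encrypt it and control access" % step)
    return findings


# The two data maps from the article, as recorded above.
CONTACT_FORM = DataMap(
    source="Contact Form on Website",
    personal_data=["Full Name", "Phone Number", "Email"],
    reason="Required For Customer To Be Contacted Back",
    handling=["Website Database", "Admins", "Emailing System"],
    retention_days=30,
    consent_obtained=True, consent_is_explicit=False, age_confirmed=True,
)

MEDICAL_RECORDS = DataMap(
    source="Digital Form Completed Online",
    personal_data=["Full Name", "Phone Number", "Email", "Ethnic Origin",
                   "Health data: subject has had a heart attack"],
    reason="Records required for customer's medical treatment",
    handling=["Customer Database on Main Computer", "Admin", "External Hard Drive"],
    retention_days=None,
    consent_obtained=True, consent_is_explicit=True, age_confirmed=True,
)

if __name__ == "__main__":
    for name, dm in (("contact form", CONTACT_FORM), ("medical records", MEDICAL_RECORDS)):
        print(name, "->", review(dm) or ["nothing flagged"])
```

The contact form comes back clean, while the medical example is flagged three times: special-category data, indefinite retention and the external hard drive. Those are exactly the points a data protection officer would want to see argued in writing before that flow goes live.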
Anyone who handles data at your business should have a good understanding of GDPR and what is required of them in regards to data protection. It’s important for all staff to be aware of the importance of data protection and to receive training in the basic principles of GDPR.
Getting To Grips With GDPR
The General Data Protection Regulation applies to your entire company. Any aspect of your company that processes customer information in any form will need to be looked into. So how do we go about understanding GDPR?
Personal Data: This is any information relating to a Data Subject which can be used to directly or indirectly identify a person.
Data Subject: This is a person, customer or staff member whose personal data is processed in any format by a controller or processor.
Data Controller: This is the entity that determines the conditions, purposes and the means of processing personal data.
Data Processor: This is the entity that processes the data on behalf of the data controller.
You will want to read up on the principles here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf They cover how personal data may be processed, the rights your customers have over their data, including having it deleted, and the measures a company must take to be GDPR compliant. Take special care to familiarise yourselves with Articles 5 (principles), 6 (lawful bases), 12-22 (data subject rights), 25 (data protection by design and by default) and 32 (security of processing), but make sure to read the whole thing. It’s long and dense, but sadly very necessary.
Data Protection isn’t Easy
Following GDPR is complicated even for big businesses. Whilst it isn’t easy to understand, it is always important to put measures in place to protect your business information and the personal information of your customers.
If you have issues with your data protection, the authorities are not immediately going to shut you down; they are more likely to require you to make changes that keep your customers’ and your business’s data secure. By following the steps we recommend you will not be completely GDPR compliant, but you will have made a start on getting your business tuned in to the General Data Protection Regulation.