You may have heard about “GDPR” – the General Data Protection Regulation that will become enforced from 25th May 2018. How organisations and websites collect and store data is a huge part of GDPR, so here’s our no-nonsense explanation of what GDPR is, how it applies to your organisation, what the effects of it will be, and what you must do to ensure your website is GDPR compliant.
GDPR will have a direct impact on all businesses that operate within the EU – but what is it, and how does it affect your business?
- The GDPR (General Data Protection Regulation) is a piece of EU legislation that unifies the various member states' data protection legislation - in the UK’s case, the Data Protection Act (DPA)
When is it happening?
- GDPR takes effect on 25th May 2018.
- It’s unaffected by Brexit. Once Britain leaves the EU this may change, but GDPR will be in place for the foreseeable future.
Will it apply to your organisation?
- It directly affects organisations with an EU presence
- Organisations without an EU presence but who have EU residents as clients should still understand the specific details of GDPR in order to ensure compliance. As per the GDPR, “Where no EU presence exists, the GDPR will still apply whenever: 1. An EU resident’s personal data is processed in connection with goods/services offered to him/her; or 2. The behaviour of individuals within the EU is monitored.”
What are the main points of GDPR?
The focus of GDPR is data – and this takes two forms, Personal Data and Sensitive Personal Data.
Personal Data is any information relating to an identified person, or that can be used to identify a person. This includes:
- Home/Work Address
- Home/Work Phone Number
- Home/Work Email Address
- IP Address
Sensitive Personal Data is any information that can be used to profile a person. This includes:
- Political opinions
- Sexual Orientation
- Union Membership
- Mental & Physical Health
- Criminal Record, whether as a perpetrator or a victim
- Filed Work Grievances, whether as a perpetrator or a victim
In short, the GDPR applies to all data from which a living individual could be identified, whether directly or indirectly. Businesses must be far more transparent about what data they’ll be using, how they’ll be using it, and where it’ll be stored. They must also be sure that every act of data processing has a lawful basis.
Lawful Basis – The possible bases identified in the GDPR are:
- Consent – reserved for data processing that is not “necessary”
- Contractual Interest – data processing necessary for carrying out a contract the user entered, e.g. processing client data to ensure payment is received for a service
- Compliance with legal obligations – e.g. submitting employee data to HMRC to prove tax compliance
- Vital Interests – data processing to protect the interests of the user. This only applies to life or death situations, e.g. sharing fatal employee allergy information with paramedics
- Public Interest – data processing to protect a public interest set out in law, e.g. reporting a crime recorded on company CCTV
- Legitimate Interest – data processing that is in the interests of the data controller, so long as it does not conflict with the interests of the user. You will need to inform the user of this process and they may object at any time. Expectation forms a key part of this – with the aim that a user would not be surprised to find out a controller was taking the action.
For Sensitive Personal Data, the lawful bases become a lot more stringent:
- Consent – with the same restrictions on regular personal data applying
- Employment law – the data is necessary to comply with employment, discrimination and equality laws
- Vital Interests - where the user is physically incapable of giving consent, with the same restrictions on regular data applying
- Not-for-profit – the data processing is in relation to a body that is associated with the company and that the user is a member of, e.g. trade union, charitable foundation
- Public Info – the data in question has already been made public by the user
- Legal defence – the data processing is in relation to legal proceedings, whether obtaining legal advice or preparing a case for court
- Public interest – data processing to protect a “substantial” public interest set out in law, with the user’s rights safeguarded as much as possible
- Medicine – data for the purposes of diagnosis, preventative or occupational health care
The most immediate point to concentrate on is Consent – as this will directly impact how data can be obtained, how it can be stored and whether you’ll be allowed to keep it. It’s particularly relevant as it’ll change how you gain permission to store the data of visitors to your website.
Consent – gaining consent on an “opt-out” basis is no longer possible when it comes to personal information. Under GDPR, individuals will need to give their consent to each different way their data is processed by a business. Consent must be:
- Opted-in to by the individual – pre-ticked opt-in boxes are no longer acceptable
- Granular & Specific – individual consent options must be available for every different way a piece of data will be used. For example, if you intend to email and phone clients, the user will need to be able to opt-in to both methods of communication, either, or none.
- Clear – burying the terms of consent in legalese is no longer acceptable. The uses of data must be clearly stated from the start of your relationship with a customer.
- Fair – consent can only be given by people over 16 years of age, or by the guardian of someone under 16.
- Stored – a full record of all consents given must be maintained.
- Removable – there is no set time limit in which consent can expire, but individuals can withdraw their consent at any point.
It’s a lot to take in, but you should ensure that your requests for consent are prominent, clear, and easy to understand. They should include:
- Your organisation's name
- The name of any third parties who may be accessing the information
- Why the information is being requested
- What the information will be used for
- An understanding that consent can be withdrawn at any point, and how this can be done.
How will GDPR affect your business?
There’s no doubt that GDPR is going to have an impact on how your business is run, as it is an all-encompassing set of regulations that covers anyone who’ll be visiting your website, as well as anyone you may have under your employ. It’ll affect all of them in slightly different ways, as follows:
- Customers:
  - In short, customers will have more rights
  - They’ll know from the off what you intend to use their data for
  - They’ll be able to withdraw their consent for you storing that data at any point
  - It’ll be far easier for customers to request access to all the data an organisation holds about them
  - They’ll also be able to instruct an organisation to delete all records relating to that customer, as per their “Right to be Forgotten”
- Employees:
  - Will need to be informed exactly what you’ll be using their data for
  - Will have a right of access to that data at any point
  - Can request that any data they feel is inaccurate or incomplete be rectified
  - Have a right to be forgotten (under very certain circumstances)
  - Will have the right to “block” or suppress processing of personal data – essentially meaning that they are allowing you to store data but not to process it
  - Will have a right to “data portability”, meaning that they’ll be allowed to move, copy or transfer their personal data easily from one IT environment to another.
- Anonymous Website Users:
  - If a user is browsing your site anonymously, you should still give them the option to opt in or out of cookies, but it’s unlikely that any information is going to be stored that contains Personal or Sensitive data.
  - Third-party analytics systems such as Google Analytics and Hotjar are very clear that their software will be fully GDPR compliant by May 2018, so will not require stating on a site if used.
Data Governance Obligations
Having to document your processing activities is a new requirement under the GDPR. What exactly needs to be documented depends on the size of your company:
- If you have 250 or more employees, all your processing activities must be documented
- If you have fewer than 250 employees, you need to document any processing activities that:
  - Are taking place on a regular basis
  - Could result in a risk to the rights and freedoms of individuals
  - Involve the processing of special categories of data, such as criminal conviction and offence data
A major part of the new GDPR regulation is the increased transparency surrounding personal data breaches. Failure to report a data breach correctly could result in a fine of up to 10 million euros, or 2 percent of your global turnover – so a potentially costly price to pay for something that can be avoided with prior planning.
- What is a Data Breach?
A data breach is a security incident that affects the availability, confidentiality or integrity of personal data that you have stored. This includes the accidental or unlawful destruction, loss, alteration, disclosure of or access to personal data, and includes breaches that are accidental and breaches that are done maliciously. In the event of a security breach, businesses then need to establish whether a personal data breach has occurred as part of this and whether the breach is one that needs reporting.
- When does a breach need reporting?
If a breach has involved personal data, you need to look at the information and see if the breach could impact on the rights and freedoms of those whose data was affected. If you think it could, you must notify the relevant authority. If you think it’s unlikely, then there’s no need to report it – but you must document your reasoning clearly for posterity.
- Who do we report the breach to, and when do we need to report it?
If you feel that the breach could impact on the rights and freedoms of those whose data was involved in the breach, you’ll need to inform the Information Commissioner’s Office (ICO) within 72 hours. If not reported within the 72-hour timeframe, you’ll have to provide your reasoning as to why, which could leave you open to fines. Do bear in mind that the ICO are aware that investigations into data breaches could well be ongoing – so they allow you to provide the information in phases, provided it is done as swiftly as possible and given a high priority within your organisation. If you believe that the data involved in the breach is likely to result in a high risk to the rights of those whose data was involved, those whose data has been breached must be informed as soon as possible to allow them the opportunity to mitigate any potential effects that the data breach may have on their lives.
- What information do we need to provide when reporting a data breach?
You’ll need to provide:
- A description of the breach, including:
  - Categories of data concerned
  - Approximate number of individuals concerned
  - Approximate number of data records concerned
- Name of data protection officer or relevant contact
- Your thoughts on the possible consequences of the data breach
- Detailed descriptions of the measures proposed and taken to deal with the breach, including mitigation of adverse effects
Further Points to Consider
If your organisation is based in the UK you'll need to report to the ICO, but organisations from outside of the UK may have to report to other bodies, depending on their location. In addition, existing notification obligations relating to data breaches still apply, so may also affect your business if it is subject to the Privacy and Electronic Communications Regulations, the Electronic Identification and Trust Services Regulation, or has incident-reporting obligations under the NIS Directive.
How do you ensure that your website is GDPR compliant?
May is fast approaching, and to comply with GDPR, you’re going to need to ensure that both your website and business are collecting and storing data in an appropriate manner. There are various points you’ll need to consider, and actions you’ll need to take, which we’ve listed below:
Data audit and inventory
In order to ensure your compliance, you’ll need to complete a Data Audit. The data audit should cover all the information you collect and store as an organisation, and for each category of data, should answer the following questions:
- What is the data?
- Why is the data held?
- What is the data used for?
- Basis for processing data (e.g., where was consent gained for this)
- Who holds the data and who can access it?
- What security controls are in place?
- How long is data kept for?
- Is this covered by our privacy notice?
- Are any actions required?
Transfer of Data – Territory Restrictions
If you outsource any of your work to areas outside of the EU, you need to be aware that GDPR will prohibit businesses from transferring personal data to countries that don’t have adequate data protection. The list of countries outside of the EU which it considers to have adequate protection is relatively small, so it’s worth checking to ensure that your business will remain compliant.
Cookie Consent
- Implied consent is no longer enough – visiting a site doesn’t count as consent, and nor does the “By using this site, you accept cookies” message that many sites use. Consent must be given through a clear action by the user.
- Sites must provide an opt-out option – and it must be as easy and as straightforward for users to withdraw consent as it was to give it.
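As an added illustration (not code from the original article or from Zodiac Media), the snippet below shows how the consent rules described above – opt-in only, one decision per purpose, a stored record of every decision, and withdrawal as easy as granting – translate into a small consent store for a website, with third-party scripts loaded only for purposes the visitor has actually agreed to. The purpose names, the `NOTICE_VERSION` identifier, the storage interface (anything with `getItem`/`setItem`, so `window.localStorage` in a browser; an in-memory stand-in is used here so it runs in Node) and the script URLs are all assumptions constructed for the example.

```javascript
// Added example: granular, opt-in cookie/consent store (assumptions noted inline).
const PURPOSES = ["analytics", "marketing"];   // assumed purpose names
const NOTICE_VERSION = "2018-05";              // assumed id of the consent text the user saw

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

function createConsentStore(storage = memoryStorage(), now = () => new Date()) {
  const KEY = "consent-record";
  // No saved record means "no consent yet": absence is never treated as agreement.
  const load = () => JSON.parse(storage.getItem(KEY) || '{"decisions":{},"log":[]}');
  const save = (rec) => storage.setItem(KEY, JSON.stringify(rec));

  return {
    // A decision only counts when it came from an explicit action by the user;
    // "page-visit" style implied consent is rejected outright.
    record(purpose, granted, source) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      if (source !== "user-action") {
        throw new Error("consent must come from a clear user action, not be implied");
      }
      const rec = load();
      const entry = { purpose, granted, noticeVersion: NOTICE_VERSION, at: now().toISOString() };
      rec.decisions[purpose] = entry;   // current state, per purpose
      rec.log.push(entry);              // full history: the record of all consents given/withdrawn
      save(rec);
      return entry;
    },
    // Withdrawing is the same single step as granting.
    withdraw(purpose) {
      return this.record(purpose, false, "user-action");
    },
    // Granular check: consent for one purpose says nothing about another.
    hasConsent(purpose) {
      const d = load().decisions[purpose];
      return Boolean(d && d.granted);
    },
    auditLog() { return load().log; },
  };
}

// Gate for third-party tags: returns only the script URLs that may be loaded.
function scriptsToLoad(store, scripts) {
  return scripts.filter((s) => store.hasConsent(s.purpose)).map((s) => s.src);
}

// Constructed sample inputs (not real services).
const THIRD_PARTY_SCRIPTS = [
  { purpose: "analytics", src: "https://analytics.example/tag.js" },
  { purpose: "marketing", src: "https://ads.example/pixel.js" },
];
```

In a real page the banner's buttons would call `record(purpose, true, "user-action")` with every box unticked by default, the same settings panel would call `withdraw(purpose)`, and the page would only inject the tags returned by `scriptsToLoad` instead of loading them unconditionally.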
Privacy Notices
Under GDPR, the privacy information companies need to provide has become a lot more detailed, and it must always be concise, easy to understand, and free of charge.
The list of information you’ll need to provide is lengthy and it’s worth reading the documentation from the Information Commissioner’s Office in order to ensure exactly what you’ll need to provide. However, key points you’ll always have to cover are:
- Identity and contact details of the person controlling the data
- Why the data is being processed and what the legal basis for doing so is
- The interests of the data controller, and/or the third party the data will be sent to
- Any recipients of the personal data
- Details of any data transfer to other countries and the safeguards put in place
- How long data will be stored
- How a user can request data be removed
- How a complaint can be made regarding the data
Data Protection Officer
For the clear majority of organisations, ensuring that you have a Data Protection Officer will be extremely important for GDPR compliance. The Data Protection Officer can either be someone engaged from outside of your company, someone shared with other companies or a current employee, but they should have a good understanding of GDPR, knowledge of your organisation’s business sector, and be able to oversee the culture of data protection within your business. In addition, they should be a good communicator, as in the event of a breach they’ll be the one dealing with both the ICO and the public.
Data Breach Protocol
To ensure that any potential data breaches are dealt with as efficiently as possible, you’ll need to get strict data breach protocols in place. Points for this protocol should include:
- Knowing how to recognise a data breach
- Allocating responsibility for breaches to a dedicated person or team
- Ensuring staff know when to escalate a security incident to the appropriate person to determine whether a breach has taken place.
Remember that all data breaches involving personal data should be reported to the ICO within 72 hours, so time is of the essence. A good Data Breach Protocol can help you act swiftly and surely in the event of a data breach, halting the spread of the data and lowering the risk of any potential repercussions.
How Zodiac Media can help you
With a huge amount of experience in the IT industry, Zodiac Media are up to date on GDPR legislation and will be keeping a close eye on changes and clarifications to GDPR as it rolls out in May. We’re here to help you understand GDPR, and to ensure that your business complies with GDPR requirements, which we can do in some of the following ways:
Customer Data Audit
We can assist you in carrying out an audit of your customer data. Not only will it enable you to be GDPR compliant, but it will also help you to streamline your data processes, increase your security and future-proof your business.
Onshoring of Development to Approved Territory
With the territory restrictions that GDPR brings into place, businesses are going to have to be incredibly careful about where they outsource work to. As a London based development agency we’re ideally placed to take on any development, support or hosting work, with our small size and tight focus meaning we can deliver “big agency” work at a fraction of the cost.
Simple Updates to Cookie and Privacy Policies
The vast majority of organisations are going to have to change their Cookie and Privacy policies in order to be in line with GDPR. We’re able to assist with the wording and fine detail of these notices, as well as building them into your website in order to offer your customers the clear and straightforward information they’re required to have before they access the site.