General Data Protection Regulation
Wednesday 15th November 2017
The General Data Protection Regulation (GDPR) is a regulation issued by the European Parliament and the Council of the EU to strengthen and unify data protection for all individuals within the European Union (EU). Crucially, unlike a directive, it does not require national governments to pass any enabling legislation: it is directly applicable in every member state and applies from 25th May 2018.
While it's tempting to hide under the duvet and hope it all goes away, it's extremely important that everyone considers how it will affect them and their business - which it almost certainly will. Although it is going to require extra work by many companies this will, in the long run, be A Good Thing (unlike the ineffective cookie law), giving individuals clearer understanding and control over their personal data. If you're reading this blog and you live in the EU, your privacy rights are being protected and enhanced by these laws.
The key facts to remember are:
- It comes into effect on 25th May 2018
- It applies to anyone processing the personal data of people in the EU, even if your company is based outside the EU (for example, if you offer goods or services to, or monitor the behaviour of, people in the EU)
- The UK government has confirmed it will implement GDPR so this will apply to all UK companies even after Brexit
- The maximum penalty for serious non-compliance is an eye-watering 4% of annual worldwide turnover or 20 million euro, whichever is higher
- Almost all websites will need some changes and many websites will require extensive changes.
The key points of the GDPR are as follows:
- Right to access – this is a key change which will impact many websites: visitors have the right to request a free, electronic copy of their personal data, and it must normally be supplied within one month. The format is not specified, but if the request is made electronically the data should be provided in a commonly used electronic form, so something universal like a CSV, JSON or XML file is a sensible choice.
- Right to be forgotten – another key change: visitors have the right to request that their data be erased (or anonymised) if it is no longer relevant or if they want to withdraw consent. There are caveats for data that needs to be retained for legal reasons (accounting records, for example), and practical considerations such as backups and copies held by third-party services.
- Transparent and explicit consent – where you rely on consent as your lawful basis, visitors must take affirmative action, i.e. deliberately ticking a box. Pre-ticked boxes, silence or inactivity cannot be used, and withdrawing consent must be as easy as giving it. Consent is only one of the lawful bases for processing, so you do not need to ask for it where another basis (such as performing a contract the visitor has entered into) applies.
- Data minimisation – companies should only collect the minimum information they need about a visitor, and certain types of information are particularly sensitive (see the special categories of personal data). If you do need to collect this data, make it clear why you need it and how visitors can opt out in future.
- Right to be informed – visitors have the right to know why you are collecting data, how it will be used and what types of tracking you use. It needs to be clear what they're consenting to and why. The page with this information needs to be in easy to understand language, and it needs to be easy to find on your website.
- Rights about automated decision making and profiling - in simple terms, if a website makes a significant decision about a person based solely on an algorithm or calculation using their data, they must have the option to obtain human intervention and to contest the decision. This might include applying for credit or for a job, and any websites that use such third-party services will need to be aware.
- Right to restrict processing - visitors have the right to keep using a service but not have their data processed. It's a useful right to have but in most cases, people will probably just opt for the right to have their account deleted.
- Privacy by design – data protection should be built into websites from the ground up. For us, this includes:
- websites should use HTTPS for every page, not just login and checkout
- websites should be written defensively (validated input, parameterised database queries, up-to-date frameworks and plugins) to minimise the risk of a breach
- no personal data should be transmitted by email; for example, contact-form submissions should be stored within the site rather than forwarded in plain text
- website admins also have a responsibility to manage their CMS: one account per person, never sharing logins, removing old logins straight away and keeping the CMS and its plugins patched
- Data Protection Officer - you may be required to appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of people on a large scale, or if they involve large-scale processing of the special categories of personal data. Companies should check whether this applies to them.
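To make the right to access and the right to be forgotten concrete, here is a small worked example written for this page (it is not code from the original post or from any client site). It assumes a hypothetical in-memory store standing in for a CMS database, with a user profile and two orders, and a six-year retention period for order records; both the data and the retention period are constructed for the example. The export produces the same data as JSON or CSV, and the erasure deletes the profile outright while applying the legal-retention caveat to orders: orders still inside the retention period are kept as financial records but stripped of identifying fields and unlinked from the user, and older ones are deleted.

```python
import csv
import io
import json
from datetime import date, timedelta

# Assumption for this example: order records must be kept for six years
# for tax purposes. The real period depends on your own legal obligations.
ORDER_RETENTION = timedelta(days=6 * 365)

# Fields on an order that identify the customer but are not needed for the
# financial record, so they can be stripped when the customer asks for erasure.
IDENTIFYING_ORDER_FIELDS = ("name", "address")


def sample_store():
    """Constructed in-memory stand-in for a CMS database (not real data)."""
    return {
        "users": {
            42: {
                "name": "Ada Example",
                "email": "ada@example.org",
                "newsletter_consent": True,
                "consent_given_on": "2017-11-01",
            },
        },
        "orders": [
            {"id": 1001, "user_id": 42, "date": "2017-10-03", "total": "49.00",
             "name": "Ada Example", "address": "1 Example Street"},
            {"id": 900, "user_id": 42, "date": "2010-01-15", "total": "12.00",
             "name": "Ada Example", "address": "1 Example Street"},
        ],
    }


def export_personal_data(store, user_id):
    """Right to access: collect every record held about one person."""
    user = store["users"].get(user_id)
    if user is None:
        raise KeyError(f"no such user: {user_id}")
    return {
        "profile": dict(user),
        "orders": [dict(o) for o in store["orders"] if o["user_id"] == user_id],
    }


def export_as_json(store, user_id):
    """Machine-readable copy suitable for sending to the data subject."""
    return json.dumps(export_personal_data(store, user_id), indent=2, sort_keys=True)


def export_as_csv(store, user_id):
    """The same data flattened to one row per (section, record, field, value)."""
    data = export_personal_data(store, user_id)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["section", "record", "field", "value"])
    for key, value in data["profile"].items():
        writer.writerow(["profile", user_id, key, value])
    for order in data["orders"]:
        for key, value in order.items():
            writer.writerow(["order", order["id"], key, value])
    return buf.getvalue()


def erase_personal_data(store, user_id, today):
    """Right to erasure, applying the legal-retention caveat to orders.

    The profile (including marketing consent) is deleted outright. Orders
    still inside the retention period are kept as financial records but
    anonymised: the link to the user and the identifying fields are removed.
    Orders past the retention period are deleted entirely.
    `today` may be a date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if user_id not in store["users"]:
        raise KeyError(f"no such user: {user_id}")
    del store["users"][user_id]

    remaining, anonymised, deleted = [], 0, 0
    for order in store["orders"]:
        if order["user_id"] != user_id:
            remaining.append(order)
            continue
        if date.fromisoformat(order["date"]) + ORDER_RETENTION < today:
            deleted += 1
            continue
        kept = {k: v for k, v in order.items() if k not in IDENTIFYING_ORDER_FIELDS}
        kept["user_id"] = None  # break the link to the person; keep the money trail
        remaining.append(kept)
        anonymised += 1
    store["orders"] = remaining
    return {"profile_deleted": True, "orders_anonymised": anonymised, "orders_deleted": deleted}


if __name__ == "__main__":
    store = sample_store()
    print(export_as_json(store, 42))
    print(erase_personal_data(store, 42, today="2017-11-15"))
```

Two points worth noting. Replacing the user id with a keyed hash instead of removing it would be pseudonymisation rather than anonymisation: while you hold the key, the records remain personal data. And a routine like this only covers your own database; erasure also has to reach backups within a reasonable period and any third-party services (newsletter provider, booking system) that hold copies.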
Our advice to website owners is to make an audit of all the information they currently collect and store via their website and consider:
- What is the minimum information you need – are you collecting anything extra?
- Why do you need it and how long do you need to keep it for - can you justify your data protection decisions and policies?
- What changes do you need to make to the way you collect data?
- What third party systems or plugins do you use - do these comply with GDPR? For example bookings, email newsletters, surveys etc.
- Do you need to appoint a Data Protection Officer?
ICO register of Data Controllers
Under UK law, every Data Controller who is processing personal information must register with the Information Commissioner's Office (ICO), unless they are exempt. The cost is currently £35 per year (a new tiered fee scheme is due to replace this from May 2018), and you can complete the ICO's short self-assessment questionnaire to see if your company or organisation should be registered.
We're working with our clients' websites to ensure that they all comply with GDPR in time for the 25th May 2018 deadline.