In May 2018 a new European regulation comes into force called the ‘General Data Protection Regulation’, or GDPR for short.
The GDPR is a new data privacy law which will affect how companies collect and handle personal data about their customers.
What is the GDPR?
Simply, the GDPR is designed to give people greater rights over their personal data. These rights include:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The GDPR puts the responsibility for protecting that data on you, the business owner, as the data controller, and makes you responsible for ensuring that your customers and website visitors can exercise their rights. In simple terms, and as I understand it, business owners are required to:
- tell users who you are, what data is collected, why it is collected and how long it is kept for;
- get consent before collecting any data;
- give users and customers the opportunity to access, download and delete their data;
- inform users and customers if any of their data is shared with third parties;
- let users know if there has been a data breach.
What is personal data?
Any information that can be linked to a particular individual, for example:
- Email Address
What is sensitive personal data?
Personal data that reveals more intimate details about a person, for example:
- Race or ethnic origin
- Political views
- Religious beliefs
- Health status
- Sexual orientation
For more information on the definitions of personal data visit the key definitions page on the ICO website.
Who does GDPR apply to?
The GDPR applies to any business or organisation, however large or small, which processes and stores personal data of anyone residing in the EU. The business or organisation does not have to be in the EU itself.
There are two main roles defined by the new regulation.
The controller: the business or organisation offering goods or services that determines the purpose and means of processing personal data.
The processor: a third party that processes the personal data on behalf of the controller. Examples could include email marketing platforms and website hosts.
The UK is leaving the EU, will the GDPR still apply?
Yes. The GDPR comes into force before the UK leaves the EU.
What should my business do?
Check that any third party applications, themes or plugins you use comply with GDPR, e.g. MailChimp, Google Analytics etc.
Check if you need customer consent to process data, and if you need to change how you obtain that consent to comply with GDPR requirements. For example, any pre-ticked opt-in boxes on your site need to be removed, as consent must be an active choice: customers have to tick the box themselves.
Ensure you are able to comply with the rights GDPR provides to your customers.
Complete a data audit to understand exactly what customer data you have, how it is used and how it is stored.
Put together a data policy outlining your policies and procedures for handling personal data.
How to do a data audit?
Here are some simple questions to ask to complete a data audit:
- What data does your business keep?
- What personal data is collected? Is any of it sensitive?
- Why is it collected?
- How is it collected?
- Is consent provided?
- How will it be used?
- Will the persons concerned object to their data being stored or used?
- Where is the data stored?
- How long is data stored for?
- Is the data stored securely?
- Do any third parties handle the data and where are they based?
- Is any EU resident data transferred outside the EU? If so, are adequate safeguards in place, such as the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?
Which areas of my website will GDPR affect?
If you have a business website GDPR will have an impact on the following:
- User comments on blog pages
- Terms and Conditions page
- Opt-in forms such as Newsletter signups and lead magnets
- Contact forms
- Website analytics such as Google Analytics
- User Registration
- Product Reviews
- Cart Abandonment
- Any plugins and APIs you are using that can view or access user data.
Further reading and resources: