Are you ready for GDPR - it will impact you

By : Administrator
Published 15th December 2017 |
Read latest comment - 29th May 2018

If you are a business owner or marketer, I would be surprised if you haven't heard about the changes to the data protection laws coming on 25 May 2018.

The current rules will be replaced by the General Data Protection Regulation (GDPR), and depending on the type of business you run it could have quite an impact. But if you already have a good data protection policy in place, the transition to GDPR should be fairly painless.

One of the biggest problems I've found is trying to find useful, clear and concise information. There has been lots of publicity about big fines and beating us with a stick, but little on what you actually need to do. So I've pulled this information together and summarised it directly from the official ICO website; it is correct as of December 2017.

At the bottom are links to ICO resources so you can learn more if needed.

Accountability

Document what personal data you hold, where it came from, why you hold it and who you share it with. If you hold inaccurate personal data and have shared it with another organisation, you will need to tell that organisation so it can correct its own records.

Communicating privacy information

The first principle of data protection is that personal data must be processed lawfully, fairly and transparently. You should already have a privacy policy that explains what you do with people's data, but GDPR adds further requirements.

Analyse why you are collecting data and what impact that could have on the people concerned, and explain this in your privacy policy:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Any information you provide to people about how you process their personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child;
  • free of charge.

Privacy information needs to be communicated at the point of collection as well as in a privacy policy. For example:

  • Where you need consent from an individual in order to process their information, you need to explain what you are asking them to agree to and why.
  • Individuals must have a genuine choice not to give their details.
  • Individuals must be able to withdraw consent as easily as they gave it, to have their data removed, and to receive confirmation from you that this has been done.
  • Individuals must be able to see any information you hold about them on request.

Consent

Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity.

In real terms, this means being clear with a customer about which data you must hold to complete their transaction and which is optional. One caveat: data you genuinely need to fulfil an order (name, delivery address, payment reference) is processed because it is necessary for the contract, not on the basis of consent, so don't bundle it into a consent tick box; if consent is made a condition of a service that doesn't actually need the data, it is not "freely given". For the optional data, and for marketing, ensure there is an unsubscribe/remove-me button on communications and on your website that gives a visual confirmation that the information has been removed once selected.

Other things to watch are email newsletter lists and communications. If a communication is essential to the functioning of your product or service, e.g. a password reset, then be transparent and explain this. But consent will be required before any marketing or promotional activity.
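The opt-in, withdrawal and confirmation mechanics described above, as an added example that is not code from the original post. It is a small in-memory consent ledger: a record per person per purpose that captures what wording they saw and when, refuses anything that is not an explicit affirmative action (an unticked box, a missing field, or a box that was pre-ticked by the form), keeps withdrawn records as evidence until erasure is requested, and returns a confirmation the individual can be shown. The purposes, the notice version string and the `cust-1` subject are constructed for the example.

```python
"""Consent ledger: auditable opt-in, withdrawal and erasure (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class ConsentError(ValueError):
    """Raised when a submission does not amount to valid consent."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str              # one record per purpose, never "agree to all"
    notice_version: str       # which privacy wording the person actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    # Purposes that must each be opted into separately (constructed for the example).
    purposes: frozenset = frozenset({"newsletter", "partner_offers"})
    _records: dict = field(default_factory=dict)   # (subject_id, purpose) -> record

    def record_opt_in(self, subject_id: str, purpose: str, notice_version: str,
                      submitted, default_checked: bool) -> ConsentRecord:
        """Store consent only for a positive, unambiguous action.

        `submitted` is the value the form posted; `default_checked` is whether the
        box was already ticked when the page was rendered. A pre-ticked box is
        inactivity, not consent, so it is refused even if the value arrived as True.
        Anything other than the literal True (None for a missing field, False for an
        unticked box, strings such as "on") is refused rather than coerced.
        """
        if purpose not in self.purposes:
            raise ConsentError(f"unknown purpose {purpose!r}")
        if default_checked:
            raise ConsentError("pre-ticked boxes do not count as consent")
        if submitted is not True:
            raise ConsentError("consent must be an explicit affirmative action")
        rec = ConsentRecord(subject_id, purpose, notice_version, datetime.now(timezone.utc))
        self._records[(subject_id, purpose)] = rec
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.active

    def withdraw(self, subject_id: str, purpose: str) -> bool:
        """Mark consent withdrawn; as easy as opting in, no extra hoops."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def subject_access(self, subject_id: str) -> list:
        """Everything held about one person, for a subject access request."""
        return [r for (s, _), r in self._records.items() if s == subject_id]

    def erase(self, subject_id: str) -> dict:
        """Remove every record for a subject and return a confirmation to show them."""
        keys = [k for k in self._records if k[0] == subject_id]
        for k in keys:
            del self._records[k]
        return {"subject_id": subject_id, "records_removed": len(keys),
                "remaining": len(self.subject_access(subject_id)),
                "erased_at": datetime.now(timezone.utc).isoformat()}


def demo() -> dict:
    """Walk one constructed customer through the lifecycle and return the outcomes."""
    ledger = ConsentLedger()
    out = {}
    for label, submitted, default_checked in (("pre_ticked", True, True),
                                              ("unticked", False, False),
                                              ("missing_field", None, False)):
        try:
            ledger.record_opt_in("cust-1", "newsletter", "v1", submitted, default_checked)
            out[label + "_accepted"] = True
        except ConsentError:
            out[label + "_accepted"] = False
    ledger.record_opt_in("cust-1", "newsletter", "v1", submitted=True, default_checked=False)
    out["newsletter_ok"] = ledger.has_consent("cust-1", "newsletter")
    out["partner_ok"] = ledger.has_consent("cust-1", "partner_offers")   # never asked
    out["withdrawn"] = ledger.withdraw("cust-1", "newsletter")
    out["after_withdraw"] = ledger.has_consent("cust-1", "newsletter")
    out["history_kept"] = len(ledger.subject_access("cust-1"))           # evidence retained
    confirmation = ledger.erase("cust-1")
    out["removed"] = confirmation["records_removed"]
    out["remaining"] = confirmation["remaining"]
    return out


if __name__ == "__main__":
    print(demo())
```

Note the two separate ideas the ledger keeps apart: withdrawal flips the record to inactive but keeps it, because you may later need to show when consent was given and withdrawn; erasure is the separate, explicit step that actually removes the records and hands back a confirmation.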

Children

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

Data Breaches

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals, for example where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where notification is required, it must be made within 72 hours of becoming aware of the breach, so your procedure needs to get from detection to an assessment of the risk quickly.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.

Data Protection by Design

GDPR makes privacy by design an express legal requirement, under the term 'data protection by design and by default'. In other words, you need to look at how you collect and store data: for example, an unticked opt-in box and a link to your privacy policy next to the submit button, so the default is that nothing optional is collected. If you are storing personal data, collect only what you need, encrypt it at rest and in transit, restrict who can access it, and don't keep it longer than you need it.

Data Protection Impact Assessments (DPIA)

A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:

  • where a new technology is being deployed
  • where a profiling operation is likely to significantly affect individuals
  • where there is processing on a large scale of the special categories of data.

Personally, I don't think this is a cause for concern for any smaller businesses.

Data Protection Officers

Regardless of the formal requirements, you should designate someone to take responsibility for data protection compliance.

Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity)
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking)
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The GDPR does not specify the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

Reading that, I personally would say most smaller businesses wouldn't need to officially appoint a DPO, but it would certainly pay to be fully aware of data protection compliance, and it makes sense to assign that responsibility to someone, if not yourself.

Summary

GDPR is happening; it comes into force on 25 May 2018. But if you have pretty decent data protection policies in place, it shouldn't be too much of a cause for concern. The impact will be felt most by larger companies and those that deal in large volumes of data.

But there are significant changes and most of us deal with personal data at some level, so pay attention, don't ignore it and see what applies to you.

Unfortunately a lot of the information is confusing, and the ICO themselves still haven't finished writing their documentation. But over the coming months hopefully we will get much clearer step-by-step guides, particularly for smaller businesses.

Let me know what you think, any questions, anything I've misinterpreted? 

Sources:
Guide to the General Data Protection Regulation (GDPR) - ICO
Preparing for GDPR - ICO (PDF)
Privacy notices, transparency and control - ICO


Steve Richardson
Gaffer of My Local Services
My Local Services | Me on LinkedIn
Comments

Yes, I've seen this before. Still not exactly sure of my predicament, as I do online shopping and a name and address are sort of needed, although I do take as little as possible.


Thanks,
Andy-C | Pewter World

This is definitely food for thought; you seem to have given a good overview here. I was trained in data protection years ago but a lot has changed since then. If you're planning on building a database of customers to send a blog to, or doing any email marketing, it does seem you need to be very careful that people definitely sign up to it, not just by default.


Andy-C wrote: “Yes, I've seen this before. Still not exactly sure of my predicament, as I do online shopping and a name and address are sort of needed, although I do take as little as possible.”

If you are capturing their name and address, and maybe an email as well, then this is personal info. Or is it your payment gateway which captures this? In which case it's not technically you, i.e. you don't hold that information on your actual website; the transaction is passed to a third party (SagePay, WorldPay, PayPal etc.).

These are the sort of questions site owners need to be asking themselves, particularly eCommerce stores. Due to the volume of data we hold and collect, we also have a lot of questions to ask ourselves.


Steve Richardson
Gaffer of My Local Services
My Local Services | Me on LinkedIn

Nah, just name, address, tel and email. The credit card details get passed on to them; all I have is their first 4 digits then xxxxx and the transaction ID. It's all stored in a database and, as far as I know, the only way would be to delete their details once completed. I asked the question on the Zencart forum and no one seems to care.


Thanks,
Andy-C | Pewter World

Andy-C wrote: “Nah, just name, address, tel and email. The credit card details get passed on to them; all I have is their first 4 digits then xxxxx and the transaction ID. It's all stored in a database and, as far as I know, the only way would be to delete their details once completed. I asked the question on the Zencart forum and no one seems to care.”

You still need to account for the fact that you store these details, though. You could delete them afterwards, but you may need to contact them again sometimes.

I have names, addresses and phone numbers or emails for invoicing purposes in my cloud accounting system. I guess I need to check their security, but I'm assuming it's pretty good.


That's exactly what worries me: what if I need to contact them? I don't suppose SSL is good enough either; it would need to be encrypted or password protected with another password.


Thanks,
Andy-C | Pewter World

Andy-C wrote: “That's exactly what worries me: what if I need to contact them? I don't suppose SSL is good enough either; it would need to be encrypted or password protected with another password.”

It's more about justification and permission. Do you need to hold that data? If you do, not a problem; does the customer know this, and have they understood and agreed? Can they easily have any of their information removed if requested, and will you store it securely?

Most of this will be covered off in privacy pages and opt-in/opt-out buttons. It's taking a step back and justifying why you capture and hold data. If you don't need my details then don't ask for them. If you do, then reassure me you'll look after them and not flog them on or spam me to death.


Steve Richardson
Gaffer of My Local Services
My Local Services | Me on LinkedIn

Thought I would bring this up again as the date is drawing nearer and I need to start getting this implemented on my website.

From my understanding, I need to redo my terms and conditions to include GDPR, and have a checkbox or something like that to say they would like me to remove their details after completion if they want. My admin side is SSL (is this good enough?). I already only take the basics, and phone number is optional. I don't give away email or address to anyone apart from my suppliers who need them. I'll have to contact them and see if they keep them or remove them, though.

What I can't do yet is have any way for the customer to remove their account, as that is core editing or I'd have to get someone to build it for me. Looking at completely removing the newsletter, or turning it into removing their details if that is at all possible.

Would this be enough, dare I ask? Although I'm sure there is more.


Thanks,
Andy-C | Pewter World

Don't forget: document and media destruction is a key part of being GDPR compliant. When getting rid of old documents and files, make sure you look for an ISO 27001 accredited shredding firm that offers a full audit trail and certificate of destruction. Cross-cut shredding and getting your documents shredded on-site will ensure the most compliance, as this will significantly reduce the risk of a data breach.

For more info on getting ready for GDPR and data destruction, take a look at our blog posts here.


Thanks,
Tom Gilruth
