The GDPR (General Data Protection Regulation) is the EU's reform of privacy and data protection rules and takes effect on 25 May 2018. The penalties for breaching it are severe: fines can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher. We can look at this either as a pain in the backside or as an opportunity.
Why is GDPR regulation necessary?
GDPR defines personal data as anything that can be used to identify a person directly or indirectly: names, photos, email addresses, bank details, posts on social networking websites, medical information and even IP addresses.
Since the previous data protection rules were written in the 1990s, Internet usage has become a great deal more widespread, and technological advances such as cloud storage and social media have changed the way data is processed and transferred. The rules needed updating, they needed to be uniform across the EU, and they needed to be applied more rigorously.
- Appoint one of your directors to be accountable. This person should be suitably competent to handle the technicalities involved, and it’s worth considering where you want the accountability to fall – with IT, legal, marketing or elsewhere.
- Ensure you have safeguards in place: procedures to ensure data is confidential, accurate, available when necessary, backed up and encrypted.
- Ensure your suppliers are GDPR-compliant. Any service provider you use to process data has to comply with GDPR standards – and ensuring they do is on you.
- Ensure your customers, clients or website users have explicitly consented to their data being stored, where consent is the lawful basis you rely on. This is a significant change, and most current measures are not sufficient. Your records need to prove that users have actively agreed to you storing their data – silence, pre-ticked boxes or failing to disagree is not enough. Crucially, users will also have a statutory right to have their data erased permanently from your records – so you’ll need the capacity to do that too, and to know every system and supplier the data has been copied to.
- Ensure you’re explaining to users, in plain language, what data you’re holding, how long you’re holding it for, and how users can withdraw their consent. Your policy has to be simple and appropriate, as well as containing all the required information.
- Report breaches. Under GDPR, a personal data breach must be reported to the supervisory authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. You’ll need a robust process for detecting, reporting and responding to data breaches, and you’ll need to document every breach even when it falls below the reporting threshold.
- Be prepared for more access requests. As people become more aware of their data privacy rights, they are likely to query the data you’re holding, and you’ll need to turn those requests around in good time (within one month under GDPR).
- Ensure that any IT or marketing project has a process in place to screen it against the GDPR, e.g. user stories in Agile projects, or risks highlighted and mitigated in IT project plans.
Key steps for preparation
- Awareness: create the necessary user stories for Agile projects and make GDPR part of the requirements for all new projects. Log it as a risk in existing projects and make sure it is mitigated.
- Keep track of all personal data you hold and where it came from. From a website perspective this could be:
  - Contact Us forms
  - Event signups
  - User registration
  - Orders / donations if ecommerce is enabled
  - Sharing / comments on blogs
- Update your privacy statement and incorporate how individuals’ rights will be adhered to.
- Check that the following rights of individuals are addressed:
  - the right to be informed;
  - the right of access;
  - the right to rectification;
  - the right to erasure;
  - the right to restrict processing;
  - the right to data portability; (NEW)
  - the right to object;
  - the right not to be subject to automated decision-making, including profiling.
- If storing data, particularly in the cloud or with external suppliers, make sure data is:
  - Encrypted at rest and in transit: use HTTPS whenever details are submitted.
  - Protected with encryption keys managed by the organisation rather than solely by the SaaS vendor, so the vendor cannot read the data on its own.
- Evaluate each SaaS offering to make sure it complies with GDPR.