General Data Protection Regulation
What is it?
How will it affect everybody
What’s GDPR and how does it affect me?
The term GDPR stands for General Data Protection Regulation. It is a new, EU-wide regulation that comes into force on the 25th of May 2018. By this date every single website needs to be GDPR compliant. The new law is aimed at strengthening the protection of the personal data of all people inside the EU area.
Anyone collecting and/or processing such data will be required to comply with the new regulations. This means everyone who owns a website (or an app), uses any kind of database (in-house or online) or email list, or keeps “old-school” paper records.
The big focus of the new regulation is transparency about what data is being collected and how it’s being used. It is important to inform and get consent from anybody giving you any information about themselves (name, phone, email, private details). A good example is a standard contact form – without an explicit “I agree to…” box being checked – we don’t have the right to collect people’s details and later use them in our marketing campaigns.
It’s not your data!
Under the new legislation, each person has the right to request (see the link for full details) all the data a company or an organisation holds on them. This data needs to be presented within 30 days. Each individual also has the right to correct the data we have on record, such as a new phone number, address, marital status, new name etc. But the most important of all the rights is the right to be forgotten. This means that when requested, we – as “Data Collectors” – are obligated to remove all data we hold on the subject. This includes both electronic and physical items (paper records, questionnaires, forms).
The new regulation also means it will be illegal to obtain and use a list of emails purchased from untrusted sources, such as a list of all the sports club marketing managers, all doctors in Ireland etc. The only people you can send marketing emails (or any other emails in general) to are those who specifically agreed to receive your materials. Under the new law, if someone receives an unsolicited marketing email from you, they have the right to sue you or report you to the Data Protection Office.
Hefty fines are coming!
Fines for non-compliance with the GDPR may rise to €20 million if a company fails to address all the steps required by the authorities’ investigation. The investigators can also stop a company/organisation from collecting data at all, which in most cases would force the subject out of business.
The biggest fines will be imposed by the authorities in the event of a data breach. Under the new legislation, each organisation collecting users’ data has 72 hours to notify the authorities that such an incident took place. A “data breach” does not only cover the hacking of the website, but also any unauthorised access to data and any accidental damage or deletion, whether electronic (a stolen laptop/smartphone with sensitive data) or physical records.
Before the new regulation, there was no obligation to report any incidents of data breach to any authorities. GDPR changes the situation dramatically, that’s why we put great effort into making all of our websites super secure and GDPR compliant.
How can we help you become GDPR compliant
For the last couple of weeks we’ve been studying all the available resources and have attended a seminar organised by Local Enterprise Office because we feel the responsibility to get all of the websites we’ve created GDPR compliant on time.
What does it mean for you?
Well, for starters, we need to make sure your website is very secure. When we launched your website we made sure it’s protected from malicious attacks. The new GDPR regulations impose much stricter security measures. Our recommendation is to move all our websites to encrypted traffic. This means obtaining an SSL certificate so the site is served over HTTPS (the little green padlock icon next to the address).
The next step is to review or establish your data protection/privacy policy. This document needs to clearly state what data is being collected, how it’s being processed, and by whom.
Each website needs to include granular consent requests for all types of communication you’d like to have with your users, members or clients. If the website is using a third-party service (online or physical) to reach them, like an advertising company, your sponsor etc. – this needs to be opt-in as well. None of the requests can be “on” by default.
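As an added illustration (not Collage Creative’s code) of the granular, opt-in-only consent described above together with the access and “right to be forgotten” requests from the earlier section, here is a small hypothetical consent register for a contact form with three assumed purposes; any purpose the user did not actively tick is treated as not consented:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical purposes a form may ask about; each needs its own unticked box.
PURPOSES = {"newsletter", "sponsor_offers", "ad_partner"}


@dataclass
class Subject:
    email: str
    details: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)  # purpose -> ISO timestamp


class ConsentRegister:
    """In-memory stand-in for the site's database (constructed example)."""

    def __init__(self):
        self._subjects = {}

    def record_submission(self, email, details, consents_ticked):
        """Store a form submission. `consents_ticked` holds only purposes the
        user actively ticked; absence means no consent. Pre-checked boxes
        must never be sent by the form, so nothing is defaulted to on here."""
        unknown = set(consents_ticked) - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        subject = self._subjects.setdefault(email, Subject(email))
        subject.details.update(details)
        now = datetime.now(timezone.utc).isoformat()
        for purpose in consents_ticked:
            subject.consents[purpose] = now  # keep when consent was given
        return subject

    def may_contact(self, email, purpose):
        """Only people who explicitly opted in to this purpose may be emailed."""
        subject = self._subjects.get(email)
        return bool(subject and purpose in subject.consents)

    def export(self, email):
        """Subject access request: everything held on the person, or None."""
        subject = self._subjects.get(email)
        if subject is None:
            return None
        return {"email": subject.email, "details": dict(subject.details),
                "consents": dict(subject.consents)}

    def erase(self, email):
        """Right to be forgotten: remove the whole record; True if one existed."""
        return self._subjects.pop(email, None) is not None
```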
It’s not only about the website
Collage Creative, as your web developer, can only support your GDPR compliance in the online environment. What does that mean?
It means that each company also needs to assess how it deals with data in the office environment: who has access to the data, and whether the data is secure (computers with passwords, encrypted backups, file cabinets locked with a key etc.). This is especially important for companies/organisations collecting and processing sensitive data (health records, children’s data, ethnic origins, financial information).
Please follow the links in the last section for more information about this matter.