What is GDPR?
The GDPR is the most detailed regulation on data privacy since the introduction of the 1995 EU Data Protection directive.
The new, pan-European regulation will replace the 1995 directive and is set to empower individuals and protect their rights in a more comprehensive and consolidated manner. The regulation is not designed to cripple companies or countries, but it has been written so that anyone who fails to comply can be penalised quickly and severely.
The GDPR has already been enacted (April 2016), but it will not be enforced until May 2018. That two-year lead time is the transition period, so we would not expect a further grace period after the deadline; compliance should be a priority before it.
Fines for non-compliance range from €10 million or 2% of turnover for lesser transgressions up to €20 million or 4% of global turnover, depending on the seriousness of the breach.
The basics of the GDPR are not themselves inherently complex, but they do need careful consideration because the data they apply to is complex. The first thing to understand is that the GDPR is an EU Regulation, not a Directive: it applies uniformly across the EU rather than being transposed into each member state's statute law in a way that allows for national variations.
British companies are still expected to be compliant, as the regulation will come into force before Brexit. The regulation protects EU citizens, so if a British company advertises in Euros or does business across the EU, it will need to be GDPR compliant even after Brexit.
GDPR and my Website
GDPR might sound like an insurmountable task, but in reality there are some quick wins that are easy to implement and that make a large dent in achieving GDPR compliance.
When assessing whether your website is subject to the GDPR, consider the following:
- Are EU citizens a target for your product or service e.g. does your website feature Euro pricing details?
- Does your website collate and store identifying information or online identifiers such as IP addresses via analytics?
- Is there a subscribe function on the website?
- Is there a comment section to the website?
- Do you allow users to log in via third-party apps?
Where to Start with GDPR Compliance?
GDPR will come into force on May 25th 2018, and while that may seem like a long time away, you need to take action towards compliance now.
1. Staff Training
We would recommend that you start by educating every member of staff who uses data to fulfil their tasks. If a member of staff uses or has access to data, regardless of their status or department within the company, they are considered to be Data Controllers or Data Processors under the GDPR. With this in mind, training must be provided to help staff understand their roles and responsibilities. Every single member of staff should be educated on the GDPR and how it affects their role. You may want to appoint a Data Protection Officer who will be responsible for understanding and monitoring all data protection activity.
2. Data Audit
Your organisation collects a lot of data, and not all of it is used. You should conduct an audit to map out how the website collects data and what data flows into the company. This will help you understand what data is being collated centrally. For example, if you allow CVs to be submitted via your website, it is vital that the HR department understands what is required of them.
3. Clear Policies
Create and update your Privacy and Cookie policies to state clearly what data is collected and why. A big part of the GDPR is letting people know their rights, so consumers must be able to understand easily how their data is going to be stored and processed.
4. Consent
It should be easy to give or withdraw consent under the GDPR, and silence, pre-ticked boxes or inactivity will not be accepted as a form of consent. Provide an easy opt-out mechanism and ensure that individuals can explicitly agree or disagree to tracking.
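The consent rules above translate directly into application logic. The following JavaScript is an added example, not code from the original article or from any of the services it mentions: an append-only consent ledger in which only an explicit affirmative action counts as a grant, withdrawal always overrides an earlier grant, and tracking scripts are loaded only for purposes with valid consent. The purpose names, the tracker URLs and the rule that a grant given under an older policy version requires fresh consent are all assumptions made for the example.

```javascript
// Added example: purpose-based consent ledger (not from the original article).
// Purpose names, tracker URLs and the policy-version rule are assumptions.

const PURPOSES = ["analytics", "marketing"];
const VALID_ACTIONS = new Set(["grant", "withdraw"]);

// Assumed placeholder script URLs, one per purpose.
const TRACKERS = {
  analytics: "https://analytics.example/tracker.js",
  marketing: "https://ads.example/pixel.js",
};

// The ledger is append-only: it doubles as the audit trail showing when and
// how each consent was given or withdrawn, and under which policy version.
function createLedger(policyVersion) {
  return { policyVersion, events: [] };
}

// The banner's initial state: every box unticked. A pre-ticked default is
// never a source of consent, so nothing is written to the ledger here.
function defaultBannerState() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Record a user action. A grant is accepted only when flagged as an explicit
// gesture (the user ticked an unticked box or pressed "accept"); silence,
// scrolling or closing the banner never reach this function as a grant.
function recordConsent(ledger, { purpose, action, policyVersion, explicit, at }) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (!VALID_ACTIONS.has(action)) throw new Error(`unknown action: ${action}`);
  if (action === "grant" && explicit !== true) {
    throw new Error("consent must be an explicit affirmative action");
  }
  ledger.events.push({ purpose, action, policyVersion, at });
  return ledger;
}

// Derive the current consent per purpose from the event history. The default
// is "no consent"; the most recent event wins, and a grant only counts if it
// was given under the ledger's current policy version (assumed rule).
function resolveConsent(ledger) {
  const state = defaultBannerState();
  const ordered = [...ledger.events].sort((a, b) => a.at - b.at);
  for (const ev of ordered) {
    if (ev.action === "grant" && ev.policyVersion === ledger.policyVersion) {
      state[ev.purpose] = true;
    } else {
      // Withdrawal, or a grant under an older policy: treat as no consent.
      state[ev.purpose] = false;
    }
  }
  return state;
}

// Gate third-party scripts on resolved consent: only URLs whose purpose has a
// valid grant are returned, so nothing tracks the visitor before they opt in.
function trackersToLoad(ledger) {
  const consent = resolveConsent(ledger);
  return Object.entries(TRACKERS)
    .filter(([purpose]) => consent[purpose])
    .map(([, url]) => url);
}

// Walk-through on a constructed sequence of user actions.
function demo() {
  const ledger = createLedger("2018-05");
  recordConsent(ledger, { purpose: "analytics", action: "grant", policyVersion: "2018-05", explicit: true, at: 1 });
  recordConsent(ledger, { purpose: "marketing", action: "grant", policyVersion: "2018-05", explicit: true, at: 2 });
  recordConsent(ledger, { purpose: "analytics", action: "withdraw", policyVersion: "2018-05", at: 3 });
  return { consent: resolveConsent(ledger), load: trackersToLoad(ledger) };
}

module.exports = { createLedger, defaultBannerState, recordConsent, resolveConsent, trackersToLoad, demo };
```

In `demo()` the visitor opts in to both purposes and then withdraws analytics consent, so only the marketing script is eligible to load. Because the ledger keeps every event rather than a single flag, the same history also answers a later question from the data subject or a regulator about when consent was given and when it was withdrawn.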
5. Necessary Data
There is a lot to be said for understanding what data you are collecting, why it is stored and for how long. Marketing teams can fall foul of this through the desire to segment their audience; if a piece of data does not serve a purpose, it should not be requested in the first place.
6. Data Requests
Provide a process that satisfies a data subject's request for their personal data. When such a request arrives, it is vital that the information is delivered in a timely manner and in a commonly used electronic format. Unlike freedom of information requests, companies cannot charge for fulfilling a request.
7. Reporting breaches
If your site is breached and personally identifiable information is compromised, reporting the breach will be compulsory. This report would generally go to the local Data Protection Commissioner's office within 72 hours of discovering the breach.
8. Third-Party Services
It is hard to control what you cannot see, and your digital footprint may contain more third-party code than you realise. It is vital to understand how each third-party application runs, what data it stores and whether it does so securely. Services such as MailChimp, LinkedIn and Campaign Monitor are generally run by US-based companies, which should be going through the process of becoming GDPR compliant at this very moment if they have not already done so. US companies should also be Privacy Shield compliant.
The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US.
We have seen many organisations struggle at the first hurdle, often because of legacy systems and information siloed across teams and departments. If you have a plan and you are on the road to compliance, then you are on the right track. If you have yet to launch your plan, or your organisation is paralysed by the sheer enormity of the task, we have a range of solutions and a team of specialists that can help. Call +353 1 522 7690 or email firstname.lastname@example.org