As you may have already heard, the General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It is likely you have also received emails encouraging you to re-consent to subscriptions or had many sales calls offering services you didn’t even know you needed… but how prepared are you for it yourself?
Why is the legislation changing?
The new law will replace the Data Protection Act 1998 (DPA) and is designed to address the DPA’s failings. It is being introduced to provide better protection for ‘data subjects’ (ie. real people) and their personal or sensitive information. In the last 12 months alone, there have been far too many cases of companies who have had a data breach, such as the report on the NHS Cyber Attack I wrote about a short time ago. Many in the information industry also believe there are those who exploit loopholes to sell on, or use inappropriately, information they were given in good faith. With GDPR, this will not be acceptable.
Whilst it is still unclear how well regulated the new system will be, it has been stated in the Information Commissioner’s Office (ICO) ‘Guide to the General Data Protection Regulation’ that incredibly severe fines can be expected if a company does not handle data properly.
What is a data breach?
GDPR focuses heavily on consent and privacy as it is concerned with how the individual will be affected by information going astray. If the subject has not consented to data being used, or it is used in a way other than what was defined when data was supplied, this would be classed as a breach.
The severity of the breach depends upon what data has been used and what has happened to it, but it is the responsibility of the business to ensure effective processes are in place to minimise the chances of loss, corruption, misuse, or theft.
What do I need to do to get ready?
You essentially need to review your business and practices to ensure that:
- Any data you collect is secure with the assistance of virus protection, password protection on devices, regular software updates, etc
- That you’ve assessed what data you collect and why, and whether what you have is necessary
- That you have a process in place for storing data, logging removal/updates/subject access requests, and handling data breaches
- That your consent and privacy policies have been updated in line with the guidance
- That you have consent from the data subject to share with any other parties you normally do, and that these parties are also compliant.
What can my website developer do for me?
I’d highly recommend getting in touch with them to ensure that your website is up to date. Security is incredibly important, and the most common breaches are typically the result of out of date plugins, security patches not installed, or lack of regular checks for potential threats. Ensure your site’s security is regularly updated via a maintenance plan or something similar. I also have a blog on why website security and maintenance are essential, if you haven’t seen this before.
If you collect data on your website, such as through subscription buttons and quote forms, you can also ask your developer to update them to make sure they’re compliant. You will need to confirm that these forms are fit for purpose by checking that you’re not collecting data you don’t need, you’re using opt ins (not opt outs), include clear links to policies, and that you’re clear on what you’re using and why. Wherever possible, data collected for analytics/research purposes should be anonymised.
You will also need to add your new, jargon-free consent and privacy policies (with clear information on how an individual can opt out, have data removed, or update their information in future), which your developer can do for you.
The first step
Use ICO’s 12 steps for ‘Preparing for the General Data Protection Regulation (GDPR)’ to help plan anything you need to do in the run up to 25 May. They also have lots of detailed information on the website, if you want to do some background reading.
If you require any more information, or would like to enquire about website maintenance packages, feel free to send me an email at firstname.lastname@example.org, call on +44 (0)1782 954282, or follow me on social media for bite-sized updates on Twitter @stevemarkperry.