With about a week to go till the enforcement of the General Data Protection Regulation (GDPR), business owners and web developers are in a flurry to ensure that they are all compliant with the new laws. Failure to comply may expose your business to fines and lawsuits, and of course no business or website owner wants to be in that position.
In an effort to help clear up the new regulation, we’ve summarized the important points to consider if you are a business or website owner so you can stay ahead of the regulation.
Consider these 5 items to decide if you should be concerned about the new regulations.
1. What is GDPR?
The GDPR was adopted by the European Parliament in April 2016 and imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.
The regulation was adopted with the intent of providing users with transparency into what type of data is collected from them, as well as regulations on how that data can be collected, used, and managed.
2. How does the General Data Protection Regulation affect my website or business?
If your business or website collects any personal information about your visitors, then you will likely need to carry out some information security audits to prepare.
Businesses and website owners are required to comply with the following user’s rights according to the GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling
If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
3. Do I need to be concerned about GDPR?
If you are still scratching your head, trying to decide whether you need to update your website and data policies, ask yourself: “Do I collect any of the following information from my visitors?”
- Visitor’s name
- Email address
- Home address
- Credit card details or other payment information
- Age
- Gender
- Marital status
- Ethnicity
- Mental or physical conditions
- Political affiliations
- etc…
4. I collect identifiable data. What do I need to do to be in compliance?
To comply with the GDPR, you will want to carry out an audit to determine exactly what data you collect. You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
You should document what personal data you hold, where it came from and who you share it with. The GDPR requires you to maintain records of your processing activities. It updates rights for a networked world. For example, if you hold inaccurate personal data and have shared it with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records.
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice.
Individuals have the right to request access to the data you have collected about them, and can request that you destroy any records you hold. You should update your procedures and plan how you will handle requests to take account of the new rules:
- In most cases you will not be able to charge for complying with a request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest within one month.
- If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO (the UK Information Commissioner’s Office) or affected individuals if a breach occurred. Larger organisations will need to develop policies and procedures for managing data breaches. Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
5. What could happen if I am not compliant?
In the case of a data breach, or failure to comply with GDPR, companies can be fined up to 4% of annual global revenue or €20 Million, whichever is higher. This fine is not necessarily levied only after a breach; it could also follow a failed audit. There is a lower tier of penalty for lesser infractions that caps out at 2% or €10 Million, which could result from simply failing to produce appropriate records for the enforcement authority.
Wrapping it up
So, does the GDPR affect you and your business? In short, yes it does. Remember that your website is likely accessible to anyone in the world. That’s where the old ‘WWW’ prefix comes from. It’s the WORLD WIDE WEB. It’s entirely likely that someone from the EU will access your website and potentially store data on your systems. Ignoring this regulation would be a mistake for any business or website owner.
Not sure where to go from here?
Contact us and let us help you audit your website and data collection systems to determine the best course of action for your business.