The General Data Protection Regulation (GDPR) is on its way. Are you ready? Whatever industry you’re in and no matter how small or large your business, you’ll need to ensure that your company is GDPR compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, after a two-year transition period. The GDPR's primary aims are:
- The legal right of people to access, correct, delete or transfer personal information held about them on any company system
- The requirement for citizens to give explicit consent before their personal data is held, and for companies to keep a record of that consent
- The legal obligation for organisations to inform the relevant data protection authority and the affected consumers within 72 hours of a data security breach
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules and for those that suffer data breaches. It also ensures that data protection law is almost identical across the EU.
What needs to change?
Once the legislation comes into effect, you must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it needs to be deleted.
All websites that contain contact forms now need a policy page that details what you are going to do with the information you acquire, how you are going to store it, the steps you are taking to protect it, and when you are going to delete it. The contact forms need a specific opt-in button, with a link to this policy page, that confirms the user is consenting to your storage of their personal information.
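The following is an added example, not code from the original page or from the agency that wrote it. It shows the server-side half of the opt-in requirement above: a contact-form handler that rejects any submission whose consent box was not explicitly ticked, stores a record of the consent (timestamp and policy version) alongside the data, and a purge routine that deletes enquiries once their purpose has been fulfilled and a retention period has passed. The field names, the policy URL and version, and the 90-day retention period are assumptions chosen for the illustration, as is the sample submission at the bottom.

```javascript
// Added example: GDPR-style contact-form handling (not the page's own code).
const PRIVACY_POLICY_URL = "/privacy-policy"; // assumed location of the policy page
const POLICY_VERSION = "2018-05";             // assumed: policy version the user consented to
const RETENTION_DAYS = 90;                    // assumed: days an enquiry is kept after its purpose is fulfilled

// Validate a parsed form submission. `form` is a plain object of field values
// as a server would receive them after parsing the request body.
// Returns { ok: true, record } or { ok: false, error }.
function processContactForm(form, now = new Date()) {
  const name = typeof form.name === "string" ? form.name.trim() : "";
  const email = typeof form.email === "string" ? form.email.trim() : "";
  const message = typeof form.message === "string" ? form.message.trim() : "";

  if (!name || !email || !message) {
    return { ok: false, error: "name, email and message are required" };
  }
  // Consent must be an explicit action by the user: only the literal checked
  // value of the checkbox counts. A missing field, an empty string or any
  // other value (for example a pre-filled "true") is treated as no consent.
  // This check lives on the server so that a modified or scripted client
  // cannot bypass it.
  if (form.consent !== "on") {
    return {
      ok: false,
      error: `consent to the privacy policy (${PRIVACY_POLICY_URL}) is required`,
    };
  }
  return {
    ok: true,
    record: {
      name,
      email,
      message,
      purpose: "respond to enquiry",   // the specific purpose the data is held for
      consent: {
        given: true,
        at: now.toISOString(),         // when consent was given
        policyVersion: POLICY_VERSION, // which wording the user agreed to
        policyUrl: PRIVACY_POLICY_URL,
      },
      fulfilledAt: null,               // set once the enquiry has been dealt with
    },
  };
}

// Mark that the purpose the data was collected for has been fulfilled.
function markFulfilled(record, when = new Date()) {
  return { ...record, fulfilledAt: when.toISOString() };
}

// Return only the records that may still be kept. Records whose purpose was
// fulfilled more than RETENTION_DAYS ago are dropped; open enquiries are kept.
function purgeExpired(records, now = new Date()) {
  const cutoff = now.getTime() - RETENTION_DAYS * 24 * 60 * 60 * 1000;
  return records.filter(
    (r) => r.fulfilledAt === null || new Date(r.fulfilledAt).getTime() > cutoff,
  );
}

// Constructed sample submissions to show the behaviour.
const withConsent = processContactForm(
  { name: "Ada", email: "ada@example.com", message: "Hello", consent: "on" },
  new Date("2018-06-01T09:00:00Z"),
);
const withoutConsent = processContactForm(
  { name: "Ada", email: "ada@example.com", message: "Hello" },
);
console.log(withConsent.ok, withoutConsent.error);
const closed = markFulfilled(withConsent.record, new Date("2018-06-02T09:00:00Z"));
console.log(purgeExpired([withConsent.record, closed], new Date("2018-12-01T00:00:00Z")).length);
```

Keeping the policy version in the consent record matters when the policy page changes: a consent given under an earlier wording can then be identified and, if the new wording needs it, re-requested rather than silently assumed.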
While we can help to ensure that your website conforms to GDPR best practices, the legislation relates to much more than just your online presence. The new laws apply to every part of your business that records personal information about people.
You can read more about the GDPR rules at https://www.eugdpr.org/ and at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
What do I need to do?
The GDPR guidelines require you to know what data you hold, where it is, and how your company processes and uses it. Your first step should therefore be a data audit of the personal data you manage and process. This will help you identify all of your data processing points. We suggest that you list them and consider the following for each:
- Why do you have the data?
- What are you using it for?
- How is it being stored?
- Do you still need the data?