GDPR - What You Need to Know

by Laura MacDonald

As we get our affairs in order for 2018, there’s one question on the lips of every website owner in the UK: “what is GDPR and what do I need to do?” Many businesses are finding the details murky, but we’ve prepared the basic breakdown on what you need to do before May 2018.

GDPR or the General Data Protection Regulation is a new set of EU regulations. The regulation was adopted by the European Parliament and the European Council on the 24th of May, 2016. Following the publication of the regulation in the EU Official Journal (May 2016) businesses throughout the EU were given the deadline of 25th of May, 2018 to comply. Once the deadline passes, GDPR will replace the UK 1998 Data Protection Act.

GDPR is undoubtedly the biggest update to data protection laws within the last twenty years. The regulation will come into effect to essentially modernise the current data privacy protection laws and grant greater protection to individuals on how their digital data is handled. Given the rapid way that technology and the online world has expanded over a relatively small period of time, GDPR is widely considered a welcome and timely update, with the original Data Protection Act no longer fit for purpose.


Despite the general consensus among IT professionals that GDPR is an imperative change and that companies must prepare accordingly, there is an unsettling lack of clear and concise information regarding the practical actions that businesses must undertake by May next year to be compliant.

With the approach of Brexit, many are wondering if preparing for GDPR is even necessary.

However, even sticking to the currently predicted timeframes, GDPR will still come into effect before the UK fully exits the European Union. Additionally, the UK government have expressed the intention of bringing GDPR into UK law, in order to ensure data protection laws are sufficient to provide users with adequate protection.

How does GDPR affect my business?

Any company that “controls” or “processes” data will be held accountable under GDPR, including those who do not have a presence in the EU, but process personal data of European residents.

Logistically, this means that every employee in your organisation who controls or handles the affected digital data in any respect must be given time to undertake due diligence and prepare accordingly, so that your business isn’t caught out when the regulation comes into effect.

Businesses have had, and still have, time to prepare, so it’s unlikely that the UK enforcer, the Information Commissioner’s Office, is going to look forgivingly on businesses that plead ignorance in the event of a data breach once GDPR is in effect.

The fines for not complying are substantial, so it’s not a risk that any company should be taking. Depending on the infraction, businesses could be looking at severe monetary penalties of 10 million euros or two percent of a company’s global turnover (whichever is greater). In serious cases where there are measurable consequences, this could be doubled.


What action does my company need to take right now?

The Information Commissioner’s Office Guide to GDPR isn’t a light read, and there’s no easy or succinct way to summarise everything that you need to do without familiarising yourself with the entire legal framework.

Throughout the guide there are a number of “grey areas”, which means it is going to be essential to instruct a legal professional or team to review the documentation and then carry out a full audit of the data “controlled” or “processed” by your business. As part of this audit, companies should assess their website to document where user data is captured.

The finer points of GDPR mean that, moving forward, there will also likely be a need to create new roles within your company, such as a Data Protection Officer, who will become the main point of contact for users and the person responsible for delegating incident response plans.

There are eight individual rights highlighted within the General Data Protection Regulation that your business will need to pay special attention to:

  • Right to be informed,
  • Right of access,
  • Right to rectification,
  • Right to erasure,
  • Right to restrict processing,
  • Right to data portability,
  • Right to object,
  • Rights related to automated decision making including profiling.

These rights are likely to affect every organisation in some way and to require immediate changes to your business, some more obvious than others, such as updating your privacy policy to fully cover any changes to your online processes as a result of GDPR. However, only a full audit and risk assessment will uncover necessary changes and considerations like:

  • Updating online forms to allow users to give explicit consent to store data (for instance, by requiring the user to check an "I accept the terms and conditions" checkbox and not pre-checking it)
  • Prompting existing users, who historically gave only implied consent, to agree to the new terms and conditions.
  • Planning for a contingency with online basket checkouts - will users be able to proceed if they do not give consent to store data?
  • Having a set action plan in place if a user requests to have all data pertaining to them deleted. How will your company respond? Does your current website CMS offer the ability to do this?

Action is required now so that you have ample time to make the necessary preparations. It’s important to bear in mind that as the GDPR deadline draws closer, there is likely to be a scramble between companies, developers and agencies to ensure the appropriate updates are made before time is up.

Need to make necessary website updates as a result of GDPR? Let us know as soon as you can.