Disclaimer: This post is intended to provide helpful guidance to customers about GDPR, not as a comprehensive solution or legal advice. Each organisation should undertake their own steps to ensure compliance.
Here at EngineRoom towers we don’t seem to be able to open our inboxes without reading one email or another about the new GDPR law coming into effect on the 25th May 2018. Whilst we brought ourselves into line with the regulations, we thought it might be a good idea to lay it all out in a blog post.
So first off, what is GDPR? Well, it stands for General Data Protection Regulation and, simply put, is a new EU directive to ensure consistent data protection laws across the EU. The scary bit is the financial penalty for non-conformity, which is either 4% of annual global turnover or €20 million (whichever is greater). This is very unlikely to be enforced against smaller businesses, and more likely a period of education will follow the deadline. Regardless of this, I suspect you’d rather not take the chance, so let’s continue.
Although it might be a pain now, GDPR is a good thing and could lead to some benefits for you and your business:
We have broken down the action points for GDPR compliance (as we understand it) below:
Consent for the storage of personal data is one of the cornerstones of the legislation. Essentially, you need to ensure that whenever you are storing personally identifiable data, consent is sought, obtained and recorded. Another important point to make is that consent should never be implied and should always be opt-in rather than opt-out. Any opt-in messages should be in clear and plain language.
On a basic level we would suggest taking the following steps:
Do a full review of current privacy notices and ensure that they align with requirements under GDPR before it takes effect. The notices must:
There have been several large-scale data breaches in the news over the past few years, and unsurprisingly one of the main goals of GDPR is to try to reduce these, or at least ensure the parties involved are accountable. To prepare yourself for any possible data breaches you should be:
To ensure you are comfortable with the data you hold, we would suggest you perform a simple audit.
This should contain the following information on each of your data stores and processors:
Elizabeth Denham of the ICO (Information Commissioner’s Office) has said her office will be more lenient on businesses that have been caught out by GDPR if they have shown “awareness” of it. This essentially means that if you make an effort and show willing to be compliant, then if you do get investigated and are found to be breaching part of the legislation, the ICO is less likely to go down the route of monetary penalties, therefore saving you that €20 million.
The UK is leaving the EU, does this GDPR still apply?
Yep, afraid so – the UK government has made it clear that regardless of Brexit, GDPR will be implemented in full to ensure the UK aligns with data protection laws across the EU. Regardless of this, if you want to do business with anyone in the EU then this will be a requirement anyway.
When do I need to be compliant by?
The deadline for compliance is the 25th May 2018.
Do I need to be GDPR compliant?
Almost certainly yes. The GDPR applies to personal data collected, held or processed. The following excerpt is from the ICO’s definition of personal data:
“The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. … The GDPR applies to both automated personal data and to manual filing systems”
Can you help me with my GDPR compliance?
We will of course help where we can and give advice where possible. However, you will ultimately be responsible for ensuring that you are compliant. Obviously, if you need us to do any work on your website to ensure your GDPR compliance, then please just get in touch and we can discuss the steps to be taken.
I am PCI compliant, will this do?
No, afraid not. GDPR is very different to PCI. PCI lays out the technical measures required for processing payments. GDPR is not based on the technology used but instead focuses far more broadly on the protection of personal data collected, held and processed.
Where can I find out more?
It’s a bit of a dry read but a good place to look for all of the relevant information is the ICO’s website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
More information can also be found on the EU GDPR website: https://www.eugdpr.org/.