Over the last 12 months, you have probably heard the phrase “GDPR” being discussed with increasing frequency. However, you may still be left with little idea of what it is and how it affects you. To ensure your website is ready for the GDPR when it comes into force on 25 May this year, here is all you need to know.
What is GDPR?
The General Data Protection Regulation (or “GDPR” for short) is an EU privacy law that takes effect in all EU and EEA member states (including the UK) on 25th May 2018. It is an EU regulation designed to replace the current mismatch of different laws and regulations that individual EU member states have in place.
The importance of GDPR compliance
Though it is coming in via EU law, do not think that GDPR will be gone once Brexit occurs. In fact, it is expected that, if anything, GDPR will get more strict once Britain leaves the EU, and the UK is planning on implementing the GDPR into UK law via a new Data Protection Act. For this reason, it is important that you take it seriously, as it is here to stay. Also, there are strict penalties that apply to any business that fails to comply with these new regulations.
For example, failing to comply with the GDPR could see you receiving a fine of up to 4% of your company’s global turnover or €20 million, whichever is higher. The body responsible for monitoring data compliance, the Information Commissioner's Office (ICO), is also having its powers extended and increased. This includes the ability to investigate any company it thinks may not be complying with the law, and to impose harsh fines and restrictions on how you operate.
What can you, as a website owner, do to prepare?
Here are the key steps you will need to take in order to ensure that your website, one of the most public parts of your business, complies with this new law.
1. Before storing or using any customer data, make sure you have a legal basis to process personal data, such as consent, legitimate interest, necessity to perform a contract or a legal obligation.
2. If there is a data breach which could have a significant effect on individuals, then you only have 72 hours to inform the ICO of this.
3. You must allow all customers to easily access their data upon request and within 30 days of the date of the request.
4. Customers must have the ability to take their data from you whenever they wish and to transfer this to a different company.
5. You may need to hire a Data Protection Officer (DPO) if you monitor a large number of individuals (this can include cookies used by your website and web beacons used in email marketing).
6. All opt-in forms must be updated to ensure that the proper GDPR-compliant consent is obtained from users where appropriate.
7. You should review all current paper and digital files to ensure you are compliant.
8. You will need to review all third-party service providers and data processors you use and ensure they are fully compliant with the GDPR.
9. You should only ever collect data where it is relevant and necessary.
10. You will need to have a plan in place in case a data breach does occur.
With the May 25th deadline fast approaching, it is time to get to work. The government is expecting all business and website owners to be fully compliant by this date, and there is no grace period. No business is too small, and there are no exclusions from compliance. Failure to comply could lead to high and unwanted penalties being imposed.
It is important to note that LS25 Web Design are not legal experts in this field and we are working through the process of how we can be compliant for the GDPR as we speak. This article is for informational purposes only and should not be relied upon for legal advice. We encourage you to work with appropriate legal counsel as you explore your compliance.