First, I’d like to apologise for taking so long to get this blog out to you all, as this is a really important subject. Luckily, for a small business, getting ready for the new law won’t take too much work. I would like to make it clear that this blog contains guidelines only; we cannot be completely sure of some details, as the regulation has not yet come into force.
So, what is GDPR?
The General Data Protection Regulation (GDPR) brings the EU’s outdated personal data laws up to speed with an increasingly digital era. More information about online privacy can be found at https://www.tokenex.com/solutions/privacy-compliance. The previous data protection laws were put in place in the 1990s (the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998) and have not kept pace with the rate of technological change. GDPR is a new regulation that comes into force on 25th May 2018 and it has two key principles:
- Giving EU citizens and residents more control over their personal data
- A single, unifying regulation for businesses operating across the EU
It applies to any business, inside or outside the EU, that holds personal data about individuals in the EU (not only EU citizens). You should also be aware that Brexit and the UK leaving the EU do not affect the GDPR start date, and the UK’s own law will directly mirror GDPR. So, in short, everyone must adhere to it.
There is a lot of media attention surrounding GDPR and it can all feel quite overwhelming. Don’t let this scare you! Elizabeth Denham, the UK’s Information Commissioner, who is in charge of data protection enforcement, says she is frustrated by the amount of “scaremongering” around the potential impact on businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution.” She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.
GDPR Checklist for UK Small Companies
We have put together a checklist for small UK companies, but please remember that it applies to all personal data you hold. That includes data about past and present employees, customers and suppliers, etc.
- Document what personal data you hold
This includes how you acquired it and who you share it with. For example, if you hold inaccurate personal data and have shared it with another organisation, you will have to tell that organisation about the inaccuracy so it can correct its own records. You can’t do this unless you know what personal data you hold, where it came from and who you share it with.
It is essential that you clearly state what information is held, how you collect it and what happens to that data, both offline and online.
- Users need to be able to request their data
GDPR gives individuals the right to know what data is held about them, and also the right to say what can be done with it. You need to be able to provide a copy of the data and to deal with requests to delete it, and how you handle this needs to be made clear in your privacy policy.
- Prepare to meet access requests
Requests must be dealt with within one month (this can be extended by a further two months for complex or numerous requests, provided you tell the individual within the first month). Your users have the right to access their data, to have it corrected or deleted, to object to processing, and not to be subject to decisions based solely on automated processing, including profiling.
- Review how you get consent from users to use their data, whether for marketing or for contacting them.
- Appoint a Data Protection Officer (DPO) if you need one. The trigger is not a headcount of 250: a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (health, biometrics and so on). The 250-employee figure is the threshold below which some of the record-of-processing duties are relaxed. Either way, someone in the business should be responsible for checking that data is always used and stored correctly.
- Report personal data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also tell the affected people without undue delay.
- Failure to comply can mean serious fines. Today the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000; under GDPR the maximum rises to €20 million or 4 per cent of annual worldwide turnover, whichever is higher.
Are you still holding on to old data?
GDPR requires companies not to hold on to data for longer than necessary, and not to process it without a lawful basis such as the user’s consent. You need to know what data you have, why you have it and whether it is still needed; if it isn’t, delete it.
What defines consent?
Consent has got a lot tighter. It must be a clear, affirmative action: you can no longer use pre-ticked checkboxes on contact forms and newsletter sign-ups, and no more burying it in the “small print” under the submit button. An unticked box that the user has to tick is the minimum; a pair of unticked options clearly stating “I DO give permission” and “I do NOT give permission” makes the choice explicit and leaves no room for ambiguity. It must also be as easy to withdraw consent as it was to give it.
Consent also needs to be refreshed for any data you currently hold if it was collected via pre-ticked checkboxes or in any other way that would not meet the new standard.
So how can you get your site ready?
- Audit your site
Go through your site. Make sure that any software, platforms, frameworks and plugins you use are also GDPR compliant, and reference their compliance (for example in your privacy policy). For a contact form or newsletter sign-up, the opt-in would offer two unticked options such as:
– I do not want to receive promotional material.
– I do want to receive promotional material.
- If you store customer details in an online database, make sure they are encrypted (at rest and in transit), that access is restricted to the people who need it, and that records are deleted after a defined retention period.
- Make sure your hosting and site are secure and that all plugins, frameworks and systems are kept up to date.
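As an added, worked example (not code from the original post), here is a minimal personal-data register in Python backed by an in-memory SQLite database. It shows three of the checklist items above in code: recording marketing consent only when the user actively ticked the box (an unticked HTML checkbox is absent from the submitted form, so a missing field means no consent), answering an access or erasure request with everything held about a person, and purging records that are past their retention period. The table layout, field names, the `marketing_opt_in` form field and the 365-day retention period are assumptions for the illustration.

```python
"""Added example: a tiny personal-data register with consent log, access/erasure
requests and retention purge. Table names, fields and RETENTION_DAYS are assumed."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # assumed retention policy, not a figure from the post


def _iso(dt):
    """Store timestamps as ISO-8601 UTC strings so they compare correctly as text."""
    return dt.astimezone(timezone.utc).isoformat()


def open_db():
    """Two tables: the personal data itself, and a consent log recording which
    wording the person agreed to and when (the evidence you need to show)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE below
    db.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, name TEXT,
        created_at TEXT NOT NULL, last_active TEXT NOT NULL)""")
    db.execute("""CREATE TABLE consents (
        customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE CASCADE,
        purpose TEXT NOT NULL, wording TEXT NOT NULL,
        given_at TEXT NOT NULL, withdrawn_at TEXT)""")
    return db


def add_customer(db, email, name, when):
    cur = db.execute(
        "INSERT INTO customers (email, name, created_at, last_active) VALUES (?, ?, ?, ?)",
        (email, name, _iso(when), _iso(when)))
    return cur.lastrowid


def record_consent(db, customer_id, purpose, form, wording, when):
    """Consent only counts as an affirmative act. An unticked checkbox is simply
    missing from the submitted form, so a missing field means no consent;
    defaulting it to 'on' server-side would recreate the pre-ticked-box problem."""
    if form.get(f"{purpose}_opt_in") != "on":
        return False
    db.execute(
        "INSERT INTO consents (customer_id, purpose, wording, given_at) VALUES (?, ?, ?, ?)",
        (customer_id, purpose, wording, _iso(when)))
    return True


def has_consent(db, customer_id, purpose):
    row = db.execute(
        "SELECT 1 FROM consents WHERE customer_id = ? AND purpose = ? AND withdrawn_at IS NULL",
        (customer_id, purpose)).fetchone()
    return row is not None


def withdraw_consent(db, customer_id, purpose, when):
    """Keep the row (it proves consent once existed) but mark it withdrawn."""
    db.execute(
        "UPDATE consents SET withdrawn_at = ? WHERE customer_id = ? AND purpose = ? "
        "AND withdrawn_at IS NULL", (_iso(when), customer_id, purpose))


def access_request(db, email):
    """Subject access request: everything held about this person, or None."""
    cust = db.execute(
        "SELECT id, email, name, created_at, last_active FROM customers WHERE email = ?",
        (email,)).fetchone()
    if cust is None:
        return None
    rows = db.execute(
        "SELECT purpose, wording, given_at, withdrawn_at FROM consents WHERE customer_id = ?",
        (cust[0],)).fetchall()
    keys = ("purpose", "wording", "given_at", "withdrawn_at")
    return {"email": cust[1], "name": cust[2], "created_at": cust[3],
            "last_active": cust[4], "consents": [dict(zip(keys, r)) for r in rows]}


def erasure_request(db, email):
    """Right to erasure: delete the customer; the cascade removes their consents.
    Returns the number of customer rows removed (0 if nothing was held)."""
    cur = db.execute("DELETE FROM customers WHERE email = ?", (email,))
    return cur.rowcount


def purge_expired(db, now):
    """Retention: drop customers inactive for longer than RETENTION_DAYS."""
    cutoff = _iso(now - timedelta(days=RETENTION_DAYS))
    cur = db.execute("DELETE FROM customers WHERE last_active < ?", (cutoff,))
    return cur.rowcount
```

Two design points worth copying: withdrawn consent is marked rather than deleted, so you can still show that consent existed for the period you relied on it; and the consent rows hang off the customer with a cascading delete, so an erasure request or retention purge removes every trace in one statement rather than leaving orphaned records behind.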
Of course, this is just a rough overview; what GDPR requires will vary depending on your company and how you deal with data, so we recommend hiring a GDPR consultant to audit your company or contacting a lawyer. Do not take this as legal advice; we cannot be held responsible for any actions or repercussions.
We have put together a list of useful links so you can get a better understanding of what GDPR is and how to go about dealing with it.
A handy tool
ICO – Data Protection self-assessment
GDPR for WooCommerce
This is our idea of being compliant; we have no legal background and you should contact a lawyer. You also need to be GDPR compliant throughout your whole company, not just online. We take no responsibility regarding GDPR compliance, and an audit of your site should be carried out by yourselves; these are simple steps to prepare you for it.