A GDPR overview for our clients
This is a guide on GDPR intended to help our customers understand the new regulations, and what they need to do to ensure that their website is compliant. It is not a comprehensive guide to the GDPR, nor is it a substitute for legal advice on the specifics of how the GDPR affects your business.
What is GDPR?
The General Data Protection Regulation is an EU regulation which comes into force on the 25th of May 2018. It aims to improve data protection for everyone within the EU by introducing stronger guidelines on data usage and stiffer penalties for misuse or mishandling of data. It replaces the Data Protection Act, which had been in force since 1998. And yes, the changes will still take effect regardless of Brexit.
With a large-scale data breach happening almost daily, it’s clear that there’s a need for better regulation around the handling of personal data, so we’re pleased to see this change. We’re working with our clients to understand what we all need to do in order to ensure compliance.
Who’s who under GDPR?
The legislation talks about ‘controllers’ and ‘processors’ of data. In the context of our clients, the controller is the owner of the data (you) and the processor is the organisation that manages or stores your data (us). We both have responsibilities under the new regulations.
What are the penalties?
The GDPR is designed to bring more effective penalties to bear – to the tune of up to €20 million or 4% of your global annual turnover, whichever is greater. That’s the headline. However, the ICO (the organisation responsible for policing the GDPR in the UK) has been clear that it would prefer to educate and support organisations with compliance rather than fine for non-compliance – and that therefore fines will be a last resort.
Does it affect me?
Almost certainly. If your business collects, processes or stores data from any individuals within the EU, then the new regulation will affect you. Hopefully you’ll already be aware of the various ways in which the GDPR will affect your business – here we want to look specifically at how it affects your website.
So how does the GDPR affect my website?
If your website processes any personally identifiable information (sometimes referred to as PII) – even if that’s just via enquiry form submissions stored in a database – you’re handling personal information and the GDPR applies. So the chances are that changes will need to be made.
What changes will I need to make?
For the majority of our clients, the personal data being processed is marketing information. While it's not highly sensitive, it categorically falls within the remit of GDPR, so you will need to understand the new regulations and ensure you're compliant.
For example, you will need to audit the data you hold, understand the lawful basis for collecting any data, and ensure that there are methods in place for retrieval and deletion of personal data in line with the GDPR. You may need to reduce the amount of data that you hold, or the length of time you hold it for. You will also need to update your website's privacy policy to reflect the new practices.
All websites will also need to be reviewed in terms of their technical data security measures. In particular, it is likely that older websites will need some technical changes, such as migrating from HTTP to HTTPS. We will be able to advise on these specific elements on a case-by-case basis.
Who do I talk to for help with this?
We can't offer legal advice on GDPR, but per our obligation as a data processor we will be working with our clients to ensure that the websites we build and manage are compliant. We will be contacting our clients in due course with specific recommendations, but if you have any questions, please get in touch: katie@freshleafmedia.co.uk