With the GDPR a lot of folks are focusing on just their website, but GDPR covers more than that. It's a business issue, not an IT one. It affects IT, for sure, but it goes way beyond that. However, for most businesses, it's their website that will be the first port of call for potential customers. So it needs to be right so it sends the right message. More and more customers, as time goes by, will become savvier about what their rights are and what is expected from consumers of their data. Yes, it's can seem quite a painful paradigm shift.
In the end, it simply makes good commercial sense to be seen as a business that can be trusted by being one that cares about their customers and their data.
The truth is there is that, right now, there is so much misunderstanding about the GDPR (General Data Protection Regulation). This is causing confusion and panic. Take a breath and just get started. You may not get it all done by the time it comes enforceable from on 25 May 2018, but that's not the end of the world. Having a clear plan of your intentions (even if after 25 May) will go a long way with the regulators if you're targeted. So get started, and plan what you're going to do.
I'm not a lawyer, but I have had a lot of experience dealing with GDPR for a number of organisations. That said, every organisation is different and I always insist that they each still seek legal advice regarding their GDPR intentions/plans to confirm that they are in fact legally correct in their case. So you need to ultimately do that too!
GDPR is a big subject, but for the most part not nearly as difficult as many people think. I hear all the time, "I just need someone to tell me what to do". Well, a short while ago Mike Killen (of Sell Your Service) asked if he could video an interview with me for his clients to cover just that. That is, just give some straight and practical advice. I was happy to do so, and that video is below.
One point of note: Mike specialises in selling sales funnels to clients, and also training his clients to do the same with their clients. So this video was targeted at funnel builders, however, in reality, everything covered applies pretty much to any website. So, if you're one of those "just tell me what to do" people, then this video is for you. I hope you find it helpful.
If you’re truly serious about getting ready for GDPR, make sure you check out our GDPR checklist (see below). It’s a great infographic that identifies the main areas that you need to focus on (not just the IT stuff). Of course, if you have any questions or comments about this post, please feel free to add them to the comments section at the end of this post.
Disclaimer: This post is not legal advice. So ensure you check your specific GDPR circumstances with a lawyer.
TL;DR: The GDPR is a regulation that activated and became applicable on 25 May 2018. It changes how businesses globally handle the personal data of European individuals (whether online, digitally, or with hard-copy). This affects non EU-based sites and businesses too. You need to make your business and websites GDPR compliant, otherwise, you could be facing some serious fines!
To be honest, small, medium, big or huge businesses – it doesn’t really matter; all sizes of businesses should be scared. The reality is that bigger businesses are more likely to be able to tolerate any fines levied if they fall foul of the GDPR (and they can be huge).
But I’m getting ahead of myself.
Well, to answer that we need to know what the GDPR is. This next bit of background adds a little necessary context, but bear with me.
GDPR stands for General Data Protection Regulation. And the GDPR will replace the Data Protection Directive (DPD) of 1995.
A brief history lesson is this:
The GDPR allowed for a two-year transition to allow businesses to get ready for it. This means it became applicable on 25 May 2018.
For those that care, unlike the DPD, which was a Directive, GDPR is a Regulation. Which means it's already law. It doesn't require national governments to pass any enabling legislation (as was necessary to make the DPD law, by passing the DPA). In other words, and like it or not, it’s live now.
The GDPR is an EU law made up of a bunch of Articles. They cover things like scope, definitions, liabilities, remediation’s, penalties etc. All of the member states of Europe have a Supervising Authority (SA) that will advise and enforce the GDPR in their region. In the UK, the SA is the ICO.
Whilst all member states have agreed to the GDPR, each member state can add to it if they wish for their region. Germany is one such member state. The GDPR is tough as it stands but Germany is adding a bunch of extra rules, making it even tougher. So if you have data stored and / or processed in Germany, you may have even more hoops to jump through.
The full 88-page Regulation can be read by all and sundry by visiting the Europa website.
There’s also lots of other helpful (and easier to read) information surrounding GDPR on the ICO website. Definitely worth checking out.
So why would the ICO come knocking at your door? Well, if you have been wronged (from a data perspective), the ICO are the organisation you complain to. For example, you're still getting emails after unsubscribing from a list. Or you have asked an organisation what data they hold about you - and you get no response. The ICO has stated that they intend to process 100% of all complaints made.
It is worth noting that it matters not whether the UK is in or out of the EU. The GDPR will still apply. That said, post-Brexit there will likely need to be some tweaks to how it is applied.
The GDPR is not too dissimilar to its predecessor, the DPA. The DPA concerned itself with how organisations, businesses or the government use personal information. Under the DPA, those responsible for using data of this type are required to adhere to strict rules (known as data protection principals).
Ok, fair enough.
The GDPR takes those principals further and wider. Meaning the ICO
If businesses ignore this law, they can be fined up to €20m (Euros) or 4% of their global annual turnover (whichever is greater). In some cases, a business can actually be shut down!
Compliance will need a lot of time and effort from businesses. Many, many businesses are only now just beginning to realise what a mammoth exercise this is. And time is running out...
Of course, that all sounds like doom and gloom - and for businesses, it isn't going to be
funor a cheap exercise. Yet, we mustn't overlook the huge positives that the GDPR will bring to us as individuals. For us, the GDPR is actually an immensely good thing indeed. And very long overdue.
The rules are pretty complex, and it is easy to find them overwhelming. It’s mostly common sense really. The rules fall into six main principles.
Personal data must be:
Personal data under the GDPR is defined as data that can be used to identify a European individual. This is regardless of where – globally - that data resides. Personally identifiable data includes obvious things things like:
Perhaps less obvious (but now well and truly in scope) are things like:
The list is pretty extensive should you go look at the regulation. Pretty much anything is fair game as personal data if a European individual can be identified by it.
Three other key definitions that crop up throughout the GDPR that you will need to be familiar with are:
Bear in mind that a person, organisation, or agency can be both a Controller and a Processor.
The scope of the GDPR is defined in two ways - Material and Territorial:
Personal data that is:
Using personal data:
As you can see, the definition of what is personal data is much broader than before. And the GDPR has a much greater territorial reach. A global company that has EU personal data stored in the US, for example, is in scope and is liable!
The GDPR still applies when the source of the data was public domain (and so was freely available). Largely, the rules here are to do with the use of the data, and whether explicit consent becomes necessary. Using such data for profiling is an example where the GDPR has a greater effect than before.
Just a few of the key rules that fall out of the six main principles, described earlier, you'll need to get to grips with are:
If you haven't started to act then you need to start now.
This is an immense undertaking for the majority of businesses. It will require many (if not all) existing business and IT processes to be reviewed and changed. It will affect business websites and how they collect and / or process data. It also affects all agreements / contracts where personal EU data is shared. This is whether it’s just for consumption or for onward processing.
And finally, businesses will need to have agreements drawn up with entities within their own organisation if such data crosses country borders. And those agreements will actually need to be logged with the SA for that country.
Below this post you can download our check list on how to go about getting compliant for the GDPR.
If you need help with GDPR, please contact us through the form on our contact page.