On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK.
It is a new set of rules governing the privacy and security of personal data laid down by the European Commission.
The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995.
What's the point of this?
GDPR seeks to give individuals more control over how organisations use their data, and it will introduce hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.
Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses, organisations or charities delete their no longer necessary or inaccurate personal data.
It is not affected by Brexit as it will be adopted into UK Law.
How does it affect my business or organisation?
The GDPR Identifies two key elements 'Data Controllers' and 'Data Processors'.
A 'Data Controller' is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be, processed. They analyse the data they collect from individuals and assess whether the information is strictly necessary to carry out their activities. Any information that does not fall into this category must be securely deleted. They respond to requests from individuals for information held and they remove information on request.
In most cases, your business or organisation will be a Data Controller.
A 'Data Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
VTSDesign Web Services Ltd acts as a Data Controller. Read about our approach to this responsibility.
We also act as a Data Processor as we process personal data that you have collected whilst creating or updating your sites. Find out more about our role as a Data Processor.
In the instance of VTSHosting Ltd hosting your website, this also makes them your Data Processor.
What should I do as a Data Controller?
Basic website compliance
We are recommending that all websites have the following as a minimum. ICO has indicated that they are less likely to take punitive action against businesses who have demonstrated a significant effort towards compliance.
- Identify and detail any form of tracking used on your site and how it affects a user's right to privacy
- Ensure all forms and ideally the entire site where possible is run over https
- Update of Google Analytics code to make it GDPR compliant
- Addition of new page detailing your approach to GDPR which will outline
- What data you collect through the site
- Why you collect it
- What you do with it
- How it is stored in a GDPR Compliant webhost (if using VTSHosting Ltd)
- How you would respond in the event of any data breach
- How people can request a copy of any data stored and how you will respond
- How people can request for their data to be destroyed and how you will be responding
- Creation of a form to allow people to either request a copy of their data, request amendments of their data or request all or some of their data to be removed
- Modification of existing forms to ensure that they are GDPR compliant
Our Site Compliance Service
We can carry out all of the compliance work specified above for £99 + VAT. Please click here to learn more or to order this service.
Mailing list compliance
If you keep mailing lists and send out mailshots, then under the new regulations, you need to be able to show actual proof of how a person was added to your mailing list and when it happened.
If you are unable to do this, then you have to contact everyone on the list that this applies to and request explicit permission for them to remain on the mailing list. Without permission, then you must not contact them after GDPR comes into effect.
Our Mailing List Compliance Service
We can offer a mailing list cleaning service for you where we will contact people on your list and manage the responses and update the list. Click here to learn more or order this service.
What happens if I do nothing?
The fines for non-compliance can be potentially severe.
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:
- The nature, gravity and duration of the infringement (e.g. how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
Regulators have the authority to fine up to 4% of annual turnover for breaches. There is also a reputation issue for having data management issues made public.
- Official government GDPR Resources (ICO - External)
- Official government GDPR FAQ (ICO - External
- Simply Business Guide to the GDPR (External)
- The rights of EU citizens under the GDPR (External)
- VTSDesign Web Services Ltd as a Data Controller
- VTSHosting Ltd as a Data Processor (External)
- Our Site Compliance Package
- Mailing List Compliance Package