What's GDPR ?
On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK.
It is a new set of rules governing the privacy and security of personal data laid down by the European Commission.
The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995.
What's the point of this?
GDPR seeks to give individuals more control over how organisations use their data, and it will introduce hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.
Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete their no longer necessary or inaccurate personal data.
It is not affected by Brexit as it will be adopted into UK Law.
How does it affect my business or organisation?
The GDPR Identifies two key elements 'Data Controllers' and 'Data Processors'
A 'Data Controller' is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be, processed. They analyse the data they collect from individuals and assess whether the information is strictly necessary to carry out their activities. Any information that does not fall into this category must be securely deleted. They respond to requests from individuals for information held and they remove information on request.
In most cases, your business or organisation will be a Data Controller
A 'Data Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In the instance of VTSHosting Ltd hosting your website, this makes us your Data Processor.
What should I do as a Data Controller?
Basic website compliance
We are recommending that all websites that handle personal information have the following as a minimum. ICO have indicated that they are less likely to take punitive action against businesses who have demonstrated a significant effort towards compliance.
- Ensure all forms and ideally the entire site where possible are run over https
- Identify and detail any form of tracking used on your site and how it affects a user's right to privacy.
- Update of Google Analytics code to make it GDPR compliant
- Addition of new page detailing your approach to GDPR which will outline
- What data you collect through the site
- Why you collect it
- What you do with it
- How it is stored in a GDPR Compliant webhost (if using VTSHosting Ltd)
- How you would respond in the event of any data breach.
- How people can request a copy of any data stored and how you will respond
- How people can request for their data to be destroyed and how you will be responding.
- Creation of a form to allow people to either request a copy of their data, request amendments of their data or request all or some of their data to be removed.
- Modification of existing forms to ensure that they are GDPR compliant
Website Compliance Service
Our sister company, VTSDesign Web Services Ltd can carry out all of the compliance work specified above for £99 + VAT. Please click here to learn more or to order this service.
Mailing list compliance
If you keep mailing lists and send out mailshots, then under the new regulations, you need to be able to show actual proof of how a person was added to your mailing list and when it happened.
If you are unable to do this, then you must contact everyone on the list that this applies to and request explicit permission for them to remain on the mailing list. Without permission, then you must not contact them after GDPR comes into effect.
Our Mailing List Compliance Service
VTSDesign Web Services Ltd mailing list cleaning service for you where they will contact people on your list and manage the responses and update the list. Click here to learn more or order this service.
What happens if I do nothing?
The fines for non-compliance can be potentially severe
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:
- The nature, gravity and duration of the infringement (e.g. how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
Regulators have the authority to fine up to 4% of annual turnover for breaches. There is also a reputation issue for having data management issues made public.
- Official government GDPR Resources (ICO - External)
- Official government GDPR FAQ (ICO - External
- Simply Business Guide to the GDPR (External)
- The rights of EU citizens under the GDPR (External)
- VTSDesign Web Services Ltd as a Data Controller
- VTSHosting Ltd as a Data Processor (External)
- Our Site Compliance Package
- Mailing List Compliance Package