What is GDPR and Are You Ready?
GDPR, otherwise known as the EU General Data Protection Regulation, will come into force next year on 25 May 2018. It will be the de facto policy for data privacy for all UK and EU businesses, and it will replace the long-standing Data Protection Act.
The remit of GDPR is quite simple: its basis is to broaden the rights individuals have over their data and to give them access to it, while the businesses that handle such data ensure it is kept secure. The idea is for you to be more in control of your own data and for organisations to adhere to the policies. Failure to do so could result in hefty fines for companies.
If all or part of your business operates in the online space, such as eCommerce or collecting individuals’ data in any shape or form, then you will need to demonstrate that you have taken adequate steps to follow the new guidelines.
So, the question remains: what should your business be doing to ensure you’re compliant? Below are a few pointers which should give you some clarity. Remember, these should be in place by 25 May 2018, so it’s wise to start implementing them now so that you don’t fall foul of the new legislation. It also makes good business sense to get the ball rolling so there is minimal interruption to your business.
Look at your existing process
If your organisation collects and uses customer data, then you must ensure that the data is kept securely.
Even where you outsource parts of your client data handling to third parties, such as merchant payments, digital marketing, or collating data from social networks for login-type activities, the responsibility no longer rests solely with the third party’s policy and outsourcing doesn’t absolve you. If that data flows through or touches your supply chain, then you are obligated to follow the legislation and ensure it is secure. The idea behind this is to understand, and close, leakage points throughout the data flow.
As an organisation you will need to share your processes with your supply chain to show you are compliant with the GDPR legislation.
Giving Access to Data
If asked, organisations will need to give data subjects access to their data quickly and, more importantly, with ease. As a company you will need to offer the data via secure download without any delays, and yes, the download process has to be secure too!
Also, if the data has been handled by any other organisations, you will need to explain why this was necessary. The flow of data across your business will also play an integral part in the GDPR legislation.
If your order processing department passes information on to the warehouse, and the warehouse passes details on to a third-party logistics company, then you must ensure the data is passed on securely, and this must be demonstrable. Likewise, if the data is passed internally to the accounts department, that too has to be done according to the new legislation. It means you will need robust internal processes to avoid leakages.
Privacy From the Get-Go
If you’re an online business, eCommerce site or web platform that takes personal details, such as card payments, email addresses or physical addresses, you will need to clearly state how that data is used and stored and who is responsible for it.
GDPR will require you, if asked by a client, to tell them who is responsible for their data and what, why, when and how it is handled. This includes its storage and its processing.
Data Transparency
Companies will need to demonstrate how they protect data from a technological point of view, and the individual who is volunteering their data will have to give explicit consent when handing it over. In terms of eCommerce or online activities, companies will have to show a policy note at the checkout, or at some other point of the data collection process, where individuals have physically checked a box.
Also, at any time individuals can remove their data, which means that when it comes to auto-renewals or subscription-type services, online businesses will have to provide the mechanisms for this to be done easily.
Automatically Checked Opt-Ins
If your website automatically checks a box, or the box is pre-checked, then this will fall foul of the GDPR legislation. As I have mentioned earlier, you have to obtain explicit consent.
Accurate records
The backend of your eCommerce store will need to keep accurate records of all consents, where possible: what was initially consented to, and the method by which consent was given.
Data Breach Policy
If your business has been subjected to a hack or data breach, then you must inform your data subjects within 72 hours. The notice should clearly state the steps you are taking and how long it will take to resolve the issue. If you are delayed in any way, then you must inform the individuals of this.
In addition, it’s vitally important that you have an internal policy which follows the correct procedures should this situation occur. It should also be tested on a regular basis to identify stress points, weaknesses and improvements where necessary. Again, you will need to demonstrate that these tests have taken place.
What are the Implications of Non-Compliance?
Quite simply, you get slapped with a hefty fine, and rightly so in my opinion. The fine could be up to 4% of your turnover or a staggering 20 million Euros.
It’s vitally important that you are prepared for GDPR, and if a breach does occur, you must ensure you follow the set procedure. Your process must be robust and you must be able to demonstrate this.
Individuals will have the right to sue should anything untoward occur.
Lastly, the ‘B’ word: Brexit. It’s happening, whether we like it or not. GDPR is an EU directive, so does this mean UK businesses will fall under the legislation? The UK government has come out and said they will be implementing GDPR. This is a good thing after all. It’s about making sure that every citizen’s identity is protected and that we have the legislation in place to ensure there is accountability.
If you feel your business needs help with GDPR, or you want to understand the implications for your online activities, then please feel free to get in touch with us. We can help you ascertain what you need to do to minimise business interruption.
Connect enthusiastically, give relentlessly, and lead bravely; do that, and the future is yours.
7 years ago: Well written and interesting - certainly food for thought
Business Consultant & Fractional COO | Taking Care of Background Bits – So You Can Step Into The Spotlight | Director-Level Support Without The Hand-holding | Breast Cancer Survivor & Do-Good Advocate
7 years ago: Thank you for such a simple and clear overview. Appreciated
Innovation Manager
7 years ago: Thanks for a clear summary of GDPR Qasim.