The GDPR legislation came into force on 25th May 2018 and we wanted to make sure you have all the information you need. The Information Commissioner’s Office (ICO) is responsible for looking after the information rights of the public and therefore oversees GDPR.
What is GDPR?
GDPR is as important today as it was back in 2018. GDPR, the General Data Protection Regulation, is the European privacy law which ensures the protection of all EU citizens’ personal data. Whether your organisation is based in Europe or elsewhere in the world, if you are using, processing or storing any personal data which can identify an EU citizen then you are legally required to comply.
GDPR specifies a set of guidelines which give individuals more control over their data.
What is personal data?
The definition of personal data covered by the regulation is broad and includes both personal data and sensitive personal data which may be held about an individual.
Personal data
Any information relating to a person, such as their name, location, ID number or IP address.
Sensitive personal data
Data which is about an individual’s race, ethnicity, sexuality, physical or mental health, religion, political opinions or any criminal offences.
Consent is key
Consent, in this case, refers to the request for permission to store an individual’s data. It is crucial and ensures that you are putting your users’ privacy first. Asking users for consent will increase their trust in you, which is extremely important when their personal data is involved.
If you hold data about anyone under 16 then you need to request consent from their parents or guardians. The ICO states that if there is a chance that data about an individual under the age of 16 has been obtained via online services then consent will be needed. This is particularly important in terms of online profiles and where marketing material is being sent.
The rights for individuals
All of your users should have the following rights when it comes to their personal data:
- Right to be informed – This right is particularly focused around being transparent about the data of the individual and how it is being used.
- Right of access – If an individual is wanting to access the data that you hold about them then they have the right to do so.
- Right to rectification – If an individual believes that their data needs changing in any way then they can request that it be corrected. You have one month to complete this.
- Right to be forgotten – Deletion or removal of any personal data can be requested by the individual.
- Right to restrict processing – An individual has the right to block the processing of their data if they wish to.
- Right to data portability – Individuals can request to obtain and use their data across other services.
- Right to object – Individuals have the right to object to any processing of their data, including direct marketing.
- Rights related to automated decision-making including profiling – The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means.
What happens if I don’t comply?
The ICO has outlined some serious consequences for organisations which don’t follow the GDPR rules. An organisation could have to pay 4% of its annual income or 20 million euros (whichever is greater). These penalties highlight the importance of ensuring your organisation is ready for GDPR by 25th May 2018.
What do I need to do?
If you are part of the public sector then you are likely to have an internal information governance team who will deal with this in the appropriate manner.
If not, we would strongly recommend researching the specifics of the new GDPR regulation. The ICO website outlines all the major points in detail, and it’s important to be aware of which new rules could affect you.
For organisations which deal with a large amount of data storage and processing, it may be necessary to appoint a Data Protection Officer to oversee the changes required for GDPR compliance.
How to handle breaches of data
If your organisation suffers a data breach and an individual’s data is compromised, the GDPR guidelines stipulate certain actions which must be taken. A data breach occurs through unauthorised access to data (which includes data being passed into the wrong hands):
- If there are any breaches you must notify the supervisory authority (ICO) within 72 hours
- All affected individuals must be notified
- Everything must be documented even if it’s not going to be reported
- It is important to ensure that your organisation has robust breach detection, investigation and internal reporting procedures in place
Mixd’s approach to GDPR
We have been following the progress of GDPR for a while and have been investing time in developing compliant solutions for our clients. This means allowing our clients to capture users’ data following best practices for security and privacy. We’ll be reaching out to our existing clients and recommending individual website reviews, where we’ll be able to give you our feedback and suggestions for GDPR compliance.
If you’ve got any questions about GDPR compliance for your website, contact us.