GDPR

02/02/2018 by Fran Davison

The GDPR legislation comes into force on 25th May 2018 and we want to make sure you have all the information you need. The Information Commissioner’s Office (ICO) is responsible for looking after the information rights of the public and will therefore oversee GDPR.

What is GDPR?

GDPR is as important today as it will be on May 25th. GDPR is the General Data Protection Regulation, the European privacy law; it is an important piece of legislation which ensures the protection of all EU citizens’ personal data. Whether you are an organisation in Europe or in the rest of the world, as long as you are using, processing or storing any personal data which can identify an EU citizen, you are legally required to comply.

GDPR specifies a set of guidelines which give individuals more control over their data.

What is personal data?

The personal data covered by the regulation is broad and includes both personal data and sensitive personal data which may be held about an individual.

Personal data

Any information relating to a person, such as a name, location, ID number or IP address.

Sensitive personal data

Data about an individual’s race, ethnicity, sexuality, physical or mental health, religion, political opinions or any criminal offences.

Consent is key

Consent, in this case, refers to asking the individual for permission to store their data. It is crucial and ensures that you are putting your users’ privacy first. Asking users for consent will increase their trust in you, and this is extremely important when their personal data is involved.

If you hold data on anyone under 16 then you need to request consent from their parents or guardians. The Information Commissioner’s Office (ICO) states that if there is a chance that an individual under the age of 16 has had data obtained via online services then consent will be needed. This is particularly important in terms of online profiles and if marketing material is being sent.

The rights for individuals

All of your users should have the following rights when it comes to their personal data:

  • Right to be informed – This right is focused on being transparent with the individual about what data is held and how it is being used.
  • Right of access – If an individual wants to access the data that you hold about them then they have the right to do so.
  • Right to rectification – If an individual believes that their data needs changing in any way then they are entitled to request that it be corrected. You have one month to complete this.
  • Right to be forgotten – Deletion or removal of any personal data can be requested by the individual.
  • Right to restrict processing – An individual has the right to block the processing of their data if they wish to.
  • Right to data portability – Individuals can request to obtain their data and use it across other services.
  • Right to object – Individuals have the right to object to any processing, including direct marketing.
  • Rights related to automated decision-making, including profiling – The right of subject access allows an individual to obtain information about the reasoning behind any decisions taken by automated means.

What happens if I don’t comply?

The ICO has outlined serious consequences for organisations that don’t follow the GDPR rules. An organisation could have to pay 4% of their annual income or 20 million euros (whichever is greater). These penalties highlight the importance of ensuring your organisation is ready for GDPR by 25th May 2018.

What do I need to do?

If you are part of the public sector then you are likely to have an internal information governance team who will deal with this in the appropriate manner.

If not, we would strongly recommend researching the specifics of the new GDPR requirements. The ICO website outlines all the major points in detail, and it’s important to be aware of which new rules could affect you.

For organisations that deal with a large amount of data storage and processing, it may be necessary to appoint a Data Protection Officer to oversee the changes required for GDPR compliance.

Most importantly, all changes to your current data storage and processing methods must be GDPR compliant by 25th May 2018. This includes all digital/online data processing such as your website.

How to handle breaches of data

If your organisation suffers a data breach and an individual’s data is compromised, the GDPR guidelines stipulate certain actions which must be taken. A data breach occurs when data is accessed without authorisation (which includes data being passed into the wrong hands):

  • If there is a breach you must notify the supervisory authority (the ICO) within 72 hours.
  • All affected individuals must be notified.
  • Everything must be documented, even if it is not going to be reported.
  • It is important to ensure that your organisation has robust breach detection, investigation and internal reporting procedures in place.

Mixd’s approach to GDPR

We have been following the progress of GDPR for a while and have been investing time in developing compliant solutions for our clients. This means allowing our clients to capture users’ data following best practices for security and privacy. We’ll be reaching out to our existing clients and recommending individual website reviews, where we’ll be able to give you our feedback and suggestions for GDPR compliance.

If you’ve got any questions about GDPR compliance for your website, contact us.

ICO (2018) Guide to the General Data Protection Regulation (GDPR). Available at <https://ico.org.uk/> [Accessed 11th January 2018].