For those of you who weren’t aware, the General Data Protection Regulation (GDPR) will become effective on 25th May 2018.
The aim of the legislation is to strengthen individuals' rights over how their personal data is used and protected within the European Union and European Economic Area, in response to our increasingly data-driven world. This means that businesses need to be aware of the changes and put measures in place before the deadline to prevent any penalties being issued against them.
The aim of these legislation changes is ultimately to give control back to internet users regarding their data. They should be able to choose what data is held by site owners, how this data is utilised, and have the ability to change their mind over who has access to this data. It will also put more responsibility on business owners' shoulders to ensure that any and all data collected is secure and utilised solely for the purpose for which their users believe their data will be used.
Key changes to data:
There are notable changes that need to be met and upheld by business owners regarding data processing and utilisation. Below is an outline of key changes and what this can mean for businesses who collect data through their website.
Breach notification – In the (hopefully) unlikely event that a data breach causes a risk to the rights and freedoms of the people whose data you possess, you must notify said individual within 72 hours of the breach being brought to your attention.
Right to access – Site users (referred to as ‘data subjects’) will have the right to ask site owners (also known as ‘data controllers’) whether their personal data has been processed and the purpose for which it is being utilised. If requested, this individual should be sent an exact copy of any data held by the site owner for free. There can be no charge for providing this information.
Right to be forgotten – Should a site user so wish, they can request that their personal data be completely wiped from the system. This also includes data given to third parties. Every single piece of data needs to be removed, including historical data.
Data portability – This involves any personal data being sent to the site user on request in order for it to be transmitted to another controller.
Privacy by design – This already exists but is not a legal requirement. As of the 25th May, it will be. Any data processed by a site owner must be used solely for the purpose for which it was gathered. For example, digital marketers can only use data supplied by the site owner to advertise the product or service relating to the site owner’s company. In addition to this, the site owner must limit access to personal data to only those individuals who require the data to carry out their work.
What are the ramifications for failing to meet these requirements?
Should a case be brought against you for being in breach of these regulations, the maximum fine that can be issued is €20m or 4% of the organisation’s annual turnover.
How can you ensure you are covered?
There are a few on-site optimisations that can take place to help ensure that you are covered:
Opt in & out button – To begin with, when a site user supplies any information (such as via a contact form or a newsletter sign-up) there should be an opt-in AND an opt-out button. If the user does not tick either box, it must be assumed that consent is not given and the data simply cannot be used.
Legitimate interest – Data can still be collected from site visitors seen as having legitimate interest in your services. Having an in-depth knowledge of this will help you better understand how and when these legislation amendments will impact the data you are collecting.
Whilst these legislation changes don’t take effect for another three months, putting practices in place sooner rather than later is excellent for your image as a company that values its customers. It will reiterate that you care for the people who access your business via your website and will help to maintain positive client relationships.