Yes, we know, we know! We’ve torn our heads out from the sand, and we’re working on it!
On 25th May, the new GDPR enforcement comes into place. The General Data Protection Regulation (GDPR) is all about data protection for EU citizens. It’s to give them more control over their rights on how people use their personal data. I have found reading about GDPR quite tedious and I wanted to write something that was not quite so “oh kill me now.”
Could I make it useful, and fun to read? Probably not. But hopefully easy to understand!
And by the way the image above which we made just goes to show how we can laugh through our tears.
What does personal data mean?
It’s all the things that can be used to identify someone – their name, address, email address, ID or social security number, location and IP address. In addition, “sensitive personal data” – race, religious beliefs, sexual orientation, health status and political beliefs – needs to be considered carefully.
Eek! 20 million!
Much of the GDPR builds on the existing Data Protection Act 1998. Really it’s so that citizens don’t have to worry about people spamming them, selling their data, or using it for fraudulent purposes
Now, there are new “enhancements”.
For example, they recommend having someone appointed officially to be a Data Protection Office – so there is definitely someone accountable. I bet that’s a job everyone wants!
Another new thing that is pretty intense is the risk of a large fine – either £20 million, or 4% of the global yearly turnover, whichever is higher! Yes, really!
So, it’s not something we can ignore. In fact, one of the rules is that key people in your company/organisation need to have awareness of these changing laws and identify any areas that could cause issues with compliance of GDPR. Are you a key person in your company? Well – that means you!
Changes you’ll need made on your website
It’s quite normal for a website can ask for information for people – in the contact form, newsletter sign up form.
Usually this just includes the basic personal data (name and contact information). This is information people voluntarily give you when filling in forms like contact forms, enquiry forms and newsletter subscription forms.
In addition, because of “cookies,” websites can collect visitor data relating to their location (via their IP address).
There are several things that need to be done on your website
- Wherever you might be taking information from people on your website – eg their name, email address, phone number – you must have very clear boxes saying whether they want or don’t want you to contact them via any methods.
- You cannot use pre-ticked boxes or any other method of default consent.
- You need to have a privacy statement on your website, so that you can explain to people how different parts of your website might collect different data. If you have a form, a live chat widget, if you’re doing AB testing, if you’re taking payments, or if you have a feedback form – all of these things need to be acknowledged.
- Another thing related to websites?
Documenting all the things
You need to start making a list – who is it you hold data for – where is it stored, who else has access to it, how long have you been keeping it for, and how is it kept secure? How are people kept informed of the fact that you keep it?
And for each piece of data, you need to identify which out of 6 reasons (or “lawful bases”) you are keeping this information.
- Consent: Someone has given you permission to have their information –
Example: when people sign up for a newsletter,or fill out an enquiry form to ask you to contact them – you need to make it clear why you are taking this information and get express permission on how you are allowed to contact htem.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Example: When someone gives you their payment information in order to purchase something
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Example: By law, UK businesses have to keep expenses records for 5 years after the end of January tax submission.
(d) Vital interests: the processing is necessary to protect someone’s life.
Example: a restaurant can keep someone’s allergy information to make sure they are safe – as long as they have consent.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Example: This will cover public institutions like schools hospitals and government
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Example: Personalising a website’s content – such as recommendations – to improve the user’s customer experience.
A privacy notice should be created, and displayed on your site. In this you have to clearly explain what the intended purpose is for the data you hold, and also what the “lawful basis” is.
Everyone in the company should understand what data you hold about people, where it came from and who you share it with.
Tired and annoyed yet? You can find out more from the ICO in this PDF:
And if you want to get together an have some GDPR tasks done we are happy to do some coworking so we can make it fun!
We also are speaking to lots of experts who work with SMEs and help with this so please ask if you’d like recommendations.