By now, you’ve probably heard about GDPR, but if you haven’t and you capture any type of customer data on your website, it’s something you need to be aware of.
GDPR (General Data Protection Regulation) will come into effect from 25th May 2018. It brings all variations of the current data protection laws across Europe under one roof, essentially simplifying things for sellers, but also toughening up the laws. If you live in the EU, this will apply to you. If you sell into the EU, this will apply to you - Brexit or not…
A lot of the regulations follow the Data Protection Act (DPA), but there are some key additions that are definitely worth jotting down, especially when the fines set out will be up to €20m or 4% of global turnover - whichever turns out to be higher.
The key changes have been outlined by the EU General Data Protection Regulation body, and here are some of the main ones you need to be aware of:
It applies to E-YOU:
Many people think that because the UK is leaving the EU, they won’t need to comply with the new GDPR, but if you trade at all in the EU, or collect any data on anyone in the EU, you need to comply.
What you keep:
You need to document what personal data you hold, where it came from and who you share it with.
Why you keep it:
Your customers should be able to find out who you are, how you’re going to use their information and why you keep it. You’ll also need to be able to tell them how long you keep their data for, and all of this should be in clear, easy-to-understand language.
Your customers already have to consent to their data being collected, but at the moment consent can be buried in wording like “Tick this box if you don’t want to be contacted”. That won’t be acceptable any more.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in - consent cannot be inferred from silence, pre-ticked boxes or inactivity.
When there’s a breach:
You need to inform the ICO (Information Commissioner’s Office) when there is a breach if it’s likely to affect the rights and freedoms of your customers. In that case you’ll also have to notify your customers directly.
Get a DPO:
You need to get yourself a Data Protection Officer - someone who will take responsibility for being compliant with the GDPR. They need to know all aspects of the new regulation, and should be able to enforce it within your company.
Remember you’ve got until May next year to act on these new regulations, but it’s a good idea to start thinking about making the changes now - especially in larger organisations where it might take some months to unify everything and get the new processes into effect and running smoothly. The ICO have also released a handy guide on what to do to prepare for the changes. You can read it here.
There’s been a lot of bad press around the GDPR reforms, and it’s naturally sent people into a panic. But a lot of the hype is just that - hype. This post from the ICO does a great job of busting the myths around the points people panic about most when it comes to GDPR. Our partners UK Fast are also running webinars for their clients to help cut through some of the chatter.
If you’re at all unsure whether it’s something you need to comply with, it’s always safer to check, and it’s never too early to start implementing the new processes - you’ll simply be ahead of the game.