With the recent news coverage of the GDPR (the EU General Data Protection Regulation), a new compliance law taking effect in May this year, many businesses and website owners are asking: how does this affect me?
Firstly, what is GDPR?
Essentially, the law that protects data privacy was established in 1995, and the technological landscape has moved on exponentially since then. The updated law takes into consideration the devices we use and the information we access, as well as what information is now available about us as individuals and organisations.
There are three main areas to be aware of:
The law will protect all those living within the EU. This includes businesses that are outside the EU but process data of EU citizens.
GDPR makes its applicability very clear: it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
There will be a tiered system for fining those that breach GDPR. Fines can be up to 4% of global turnover or €20 million, whichever is greater.
Within the scope of the GDPR, a website will not be allowed to hide behind a lengthy legal page full of jargon. The consent process will need to be very clear, use simple language and be in an easily accessible form. The regulation also states that it should be just as easy to withdraw your consent. Consent must not be a pre-ticked box, and must be explicit about what the data will be used for and how it will be processed.
The law is going to protect all information that can identify an individual, either on its own, or used with other data, including names, physical addresses, email addresses, but also data such as IP addresses, behavioural data, location data, biometric data, financial information, and much more.
This means that if you simply have a contact form on your website, this will affect you. Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your website.
You cannot just store data because you want to. You need to explain why you need to store the data and how long you will be storing it for.
Expansion of rights under the GDPR.
The law will also expand on some rights that already exist; these are:
- Right to be forgotten; an individual may request that an organisation should delete all data on them immediately.
- Right to object; an individual may object to certain data uses.
- Right to rectification; an individual may request that incorrect data about them be updated, or that incomplete data be completed.
- Right of access; individuals may request to know how data about them is being processed.
- Right to portability; individuals may request that personal data held by one organisation be transferred to another.
The update to data protection has been long awaited, and we think it is a step in the right direction: not only does it raise awareness of the data stored about us as individuals, but also of the data we hold as businesses and what we use it for. We will be sending out more information over the next couple of months, but in the meantime you should be thinking about how your business and website requests, stores and processes data.