Now that we’ve partied and we’re trying to get on track with diets or healthy eating, it’s also time to come to terms with the GDPR. As a digital agency that has helped many businesses set up online shops and Apps, we feel it’s important to bring this topic to your radar.
So what is GDPR?
GDPR stands for General Data Protection Regulation and it is a legal framework that aims to harmonise data protection across the EU member states and raise the bar for data protection. It’s all about ensuring that data about individuals is better managed and that individuals have more rights related to the data that businesses store about them. Hefty fines have also been set in place in case of non-compliance.
What’s the story behind it?
Since the inception of the original Data Protection Directive in 1995, which dealt with the privacy of data, online business has bloomed and boomed. It’s difficult to believe that the directive is over 25 years old, and this is why fine-tuning was needed. In 1995, few could have predicted the extent to which technology would connect all levels of society, and to what depth.
As the online world races further into the future, wiring and connecting consumers with businesses through websites, apps and other digital tools, it’s imperative to appreciate that the GDPR is about putting people’s data first, as it is meant to be. Some of us within the industry have felt the need for an update for quite a while, and the GDPR is meant to set us in a world where the future is more secure. In short, with the GDPR in place, people should have fewer anxieties about ‘what’ data is stored about them by the various businesses with which they have a relationship, communicate or transact, how it is used and what eventually happens to it. The new GDPR is the result of 4 years of discussion; in May 2016 the GDPR came into force for all EU member states, giving businesses a 2-year window to come into line. That window closes on 25th May 2018, and then the GDPR is here to stay.
Why is it relevant to your business?
Technically if you are a business operating within the EU, servicing or employing EU residents, then it’s safe to assume that GDPR is relevant to you. Naturally, if you process data for your EU customers related to the services that you offer them and monitor their behaviour then you need to comply with the GDPR.
What are the Key Aspects?
1. An organisation storing data needs to be clear about what data it is storing, why it is storing that data, the kind of data, the processes that data goes through and other aspects pertinent to the data itself. It is crucial to keep in mind that an organisation can store different types of data sets, and these need to be distinctly recognised. Other crucial points related to the data itself include the principle that personal data is to be processed lawfully, fairly and in a transparent manner, whilst ensuring that data is accurate at all times. Similarly, a business should not be keeping more data than is needed, or for longer than is needed. A business needs to understand what sensitive data, personal data and confidential data are.
2. Accountability and compliance with the GDPR depend heavily on the roles of the data controller and the data processor. The roles differ in that a data controller keeps and processes information, whilst a data processor might process information without having control over that data. Under the new framework, both have responsibilities.
3. Individuals have a right to access their data, and at any point in time they can request access to the data that the organisation stores about them. This data has to be provided free of charge and within a month. The new GDPR gives users more control over their data, along with the power to request that data be erased.
4. The GDPR highlights security measures both in terms of technical measures (like encryption) and organisational measures that need to be in place to safeguard the data. Failure to have these mechanisms in place means non-compliance.
5. There are fines for non-compliance. Businesses should be aware that the GDPR is a serious matter for the EU, and the heavy fines are indicative of this. However, it is to be noted that the EU has already stated that when it comes to fines its intention is to be lenient, and before fining a business it will consider the efforts already put in place by that particular business.
All businesses need to ensure that by May 2018 they are compliant, and the first task is checking whether your organisation needs a data protection officer. This is tied to understanding your obligations. The second step is walking the path with an expert to ensure that the right policies, technologies, best practices and contingency plans are all set up and in place. For example, one particular aspect to consider is whether you need to obtain fresh consent from the subscribers on your organisation’s mailing list.
In terms of websites, the following is a list of things that you might need to audit:
• The kind of opt-in you are using in forms and newsletter subscriptions
• An easy facility to opt out
• If you are an online store taking payments or bookings, you need to ensure that your web processes respect the GDPR rules in terms of the personal data being captured and stored.
For individuals, the GDPR is a great milestone because it safeguards our privacy further; from the point of view of a business the ramifications may feel somewhat stringent, but ultimately this is the way that business will have to be done across the globe, not just at an EU level.
In the coming months, Keen will be carrying out an audit to ensure compliance of the processes and third-party services used for digital solutions. Our team may be reaching out to address required changes so that everyone is well geared up before May 2018. We encourage all our clients to get informed about the topic and take the necessary actions within their organisation.