GDPR
The EU General Data Protection Regulation…arriving May 25th 2018
The GDPR, which comes into effect on May 25th 2018, is the “biggest shakeup of personal data privacy rules since the birth of the internet”. It is the result of three years of negotiation between the EU member states, and it affects anyone with customers or clients in the European Union who owns a website, runs a mailing list or collects other kinds of personal data.
What is the GDPR?
The GDPR requires businesses to protect the personal data and privacy of people in the EU, through some important changes to existing privacy laws. Firstly, it includes a more specific set of requirements for website, mailing list and database owners. Secondly, it is not only consistent across the EU, but also expands geographically by applying to any company that collects data on people in the EU, even US-based ones like Facebook. Thirdly, it gives real teeth where previous regulations may not have had them, with the ability to penalise non-compliant companies up to €20m or 4% of global annual turnover, whichever is higher.
In case you don’t have time to read and interpret the actual GDPR legislation, we’ll try to summarise the points most important for our typical customers: law firms, barristers’ chambers and other businesses that run websites, mailing lists and customer databases. We’ll also point you at tools and other resources to help you make sure you’re compliant, and tell you where we or our partners can help if you need it.
GDPR in a nutshell, for website owners
- The GDPR sets requirements for how businesses collect and manage ‘personal data’, which includes contact details, location, IP addresses (used by website analytics), demographics, political views, health data and anything else that can be used to identify an individual. Political views and health data are ‘special category’ data and attract stricter rules.
- If you collect any of the data above – which you almost certainly do, and certainly should if you market your business online – you need to have processes in place to allow your customers to request a copy of, correct or delete their data.
- You should only collect data that is ‘necessary for the specific purpose of processing’ – so for example, don’t ask for postal addresses or phone numbers if you don’t need to post or call people.
- You should only keep data for the length of time that you need it, and fully delete it after that point.
- If you email customers and contacts (which again, you should), you need to be able to prove that each individual has actively opted in to receive those mailings; pre-ticked boxes and silence do not count as consent. Some of your old mailing lists may not be usable until you ‘repermission’ them – get your subscribers to confirm that they consent to continue receiving mailings.
- All of your third-party suppliers who process data on your behalf (e.g. web hosts, mailing list services, CRM tools etc) must be compliant for you to be compliant, and you need a written contract with each of them that sets out how they handle your data.
- If you suffer a data breach, you are required to report it to the relevant supervisory authority (in the UK, the ICO) within 72 hours unless it is unlikely to put people at risk, and to tell the individuals affected where the risk to them is high. You must have a policy in place in advance of this ever happening.
- Organisations whose core activities involve ‘large-scale’ processing of personal data, such as regular and systematic monitoring of individuals or large-scale processing of special category data, need to appoint a Data Protection Officer (DPO).
- The GDPR applies to any organisation that offers goods or services to people in the EU, not just organisations headquartered within the EU.
- Britain will still be governed by the GDPR’s rules after Brexit; the Data Protection Act 2018 writes them into UK law.
Need help?
The GDPR is onerous, no doubt. You may be able to handle all its requirements in-house, but there will still be time, effort and cost involved; a PwC survey estimates that more than 75% of US-based companies expect to spend more than $1m on the exercise. Ouch!
Our partnership of three expert firms aims to help small to medium sized firms in the legal and professional services industries become compliant with a minimum of cost. Here are three ways we can help.
Policy drafting
Many of our clients are lawyers and may be well able to take care of new, GDPR-compliant website policies in-house. But for those who would welcome a head-start, data privacy specialists Herbert & Ball LLP can provide you with templates for: website privacy policy, cookie policy and terms of use. You can take these and tailor them for your own organisation. Or, if you prefer a complete done-for-you service, Herbert & Ball can work with you on fully customised versions. See their GDPR Privacy Policies microsite.
Website forms & mailing lists
Any small business is likely to run a website contact form, Google Analytics, a mailing list, registration forms, an event booking system, a CRM and several other methods of collecting data online from its customers.
WordPress experts Square Eye can help you in a number of ways: to audit your website and mailing list strategy, identify the areas that need to be changed to become GDPR-compliant, update forms across your website, and help you verify that your mailing lists can continue to be used or, if not, to help you ‘repermission’ them through an automated series of emails.
Organisation audits
Larger organisations with all sorts of online and offline data may welcome an expert review of their customer data, to help them understand what they already hold and plan how it can be used in future in a GDPR-compliant way. Legal IT specialists SproutIT offer a Gap Analysis to do just this: see our GDPR Cheat Sheet for an explanation of what’s involved.
And for organisations involved in ‘large-scale’ data processing who don’t have a suitable Data Protection Officer in-house, check out our DPO As A Service.