So what is GDPR?
The General Data Protection Regulation (GDPR) came into force in May 2018 under EU law. It was created to give EU citizens more control over the personal data held about them by retailers, social networks and other third-party organisations. Under the previous act, implemented in 1998, companies failing to comply with the regulations could face a fine of up to £500,000. Under the new regulations, companies could face a fine of up to £20 million or 4% of the company’s annual turnover; the Information Commissioner’s Office (ICO) will fine whichever figure is higher.
A new law was required because of the growing use of free social networks such as Facebook. People do not pay for these sites directly; instead, their data is collected in exchange for the service, and apps can then use this data to create targeted ads for them.
Every business should be compliant with GDPR. The regulation has extraterritorial effect, which means that organisations outside the EU are affected too: most countries in the world have data belonging to EU citizens stored on servers within their borders, so organisations in those countries must also comply with the new regulations. For a business to process data under GDPR, it must do so lawfully, transparently and for a specific purpose.
How can you make your website compliant?
First, make sure that you understand the data you are collecting, such as names, addresses, bank details and IP addresses. There is also a category of data known as ‘sensitive’ personal data, which covers details such as religious views or health information. You must understand where you are receiving the data from and how you are going to use it.
Ensure that your policies are GDPR compliant. There is plenty of help available on how to achieve this, and it matters if you want to avoid a data breach and a huge fine.
If you are relying on personal data for marketing purposes, you will need to make sure that you obtain consent in a clear and explicit way. People must actively opt ‘in’ to this service.
Subject Access Requests have changed, so you have to give all customers the opportunity to access their personal data. They must be able to rectify it if necessary and to have it erased entirely. Time frames are set for this; generally the deadline is one month from the date of the original request.
Fair Processing notices mean that you must set out exactly what you are doing with people’s personal data, and this must be clear to each individual.
Make sure your staff are fully aware of GDPR and know what to do in the event of a breach. Breaches must be reported within 72 hours. Training should be provided so that all staff members understand GDPR.
If you need any assistance with GDPR, we are happy to help, so don’t hesitate to contact us.