April 11th, 2018
In a couple of months’ time, on the 25th May 2018, The General Data Protection Regulation (GDPR) will take effect and extend the requirements of current data protection legislation and have significant ramifications for those who are non-compliant with the new changes.
An important aspect of GDPR is that it applies to all personal data including online identifiers such as IP addresses and cookies. It also expands the definition of what constitutes personal data with the intention of enabling individuals to better control their personal data.
For those that are unsure on what is defined as personal data, it relates to:
“Any information that relates to an individual who can be identified, directly or indirectly, in particular reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” (ICO 2016)
What does it mean for me?
Individuals that access your website or maybe those that you send monthly newsletters to must have given consent to the processing of his or her personal data. New GDPR laws mean you must be clear in what people are signing up to and keep evidence of how they consented during sign up. No longer can you use pre-ticked boxes for sign up purposes – neither can you be vague in telling them what they are signing up too. The new legislation means you must outline what they will receive upon accepting, whether its newsletters, offers,etc. Above all you cannot use their data without their consent.
We have included a short example of what is deemed acceptable consent for marketing purposes:
‘Joining the XXX competition means you will have 1 entry going towards the prize draw. You will have the opportunity to join our monthly newsletter which means you will receive the latest news and offers’
-Tick here to enter our competition
-Tick here to receive our monthly newsletter
Does this apply to my existing data?
Sadly, the new GDPR legislation includes the use of existing data. If you have no record of when and how these users consented then you cannot use that user data anymore. It is recommended, in preparation prior to GDPR to email your existing database and send out a re-permission list. The result may be a smaller mailing list but your new database will primarily be of loyal customers.
What are the risks?
Penalties until the new GDPR legislation mean that, if you are not compliant with the new legislation, you could receive up to a €20 million fine or a fine of up to 4% of your annual worldwide turnover.
What if there is a data breach?
Organisations that find themselves with a serious data breach (where personal data is compromised) must notify the Information Commissioner’s Office (ICO) within 72 hours.
Do I have to change my data protection policy?
What you can do before the implementation of GDPR
We’ve listed a few key points that you can do prior to GDPR being implemented. This is in no way the full list and we recommend that if you have any further questions in regards to GDPR that you seek legal advice.
- Send re-permissioning emails out to your database
- Ensure your wording for obtaining consent is clear, freely given, informed and unambiguous
- Go back to your terms and conditions, privacy and/or cookie policies and make sure you detail how you collect data at the TOP of the policies, including the names of any third parties used
- Have a method in place to start safely organising how users gave their consent and keep electronic and physical copies.
We recommend consulting with your solicitor on appropriate action to be taken towards reaching GDPR compliance. Should you have any further questions about GDPR and the requirements then we recommend getting legal action in the first instance before the implementation date of 25 May 2018.
We are currently working on a variety of GDPR updates and modifications for our clients, including e-commerce websites. As these changes are incredibly technical and involve high level web development, we would certainly recommend that a team of experienced developers be tasked with carrying out any website changes you need.
If you are concerned about GDPR and want your website to be changed to conform with the requirements, feel free to get in touch – we would be more than happy to discuss your options and requirements.