15 things you need to know about GDPR
The General Data Protection Regulation will come into force on the 25th of May 2018. This regulation is designed to strengthen data protection and privacy for both individuals and businesses within the European Union. It will have an impact on all organisations that collect data, whether on the web or out in the real world. To make sure you are fully informed about GDPR, here is a list of 15 things that every organisation needs to know.
Greater Security Demands on Business
GDPR brings in tougher data protection regulations for all organisations that collect and process personal data.
Data Protection by Design
From the 25th May, all organisations will be required to implement reasonable data protection measures to protect EU citizens’ personal data and privacy by design. This means that end-to-end measures need to be planned in advance and put in place so that everything from the collection of data, all the way to its safe deletion, is taken into account. Part of this includes the requirement for organisations to undertake a data protection impact assessment in order to accurately identify risks to data and outline measures to ensure those risks are addressed and resolved immediately.
Creating a Data Protection Officer role
Any organisation that processes or stores sensitive data or regularly monitors data subjects must create a Data Protection Officer role within their organisation. This individual will have responsibility for overseeing data protection, privacy, and GDPR compliance. All public authorities (police forces, local councils, government organisations) must also have a Data Protection Officer.
GDPR extends beyond the EU
GDPR is by default designed to protect the data and privacy of EU citizens. This means any organisation that holds data on EU citizens is required to comply with the regulation, whether they are based in the EU or not. This will have a direct impact on companies like Google, eBay & Amazon that collect web data from users in the EU. It will also affect many smaller international companies that trade in the EU, for example, app-based companies, game providers and online retailers.
GDPR will continue after Brexit
The UK has always played a leading role in protecting users and their data. The UK’s Data Protection Act was passed in 1984, 11 years before the EU got around to issuing its Data Protection Directive in 1995. The UK government is committed to ensuring that the rights and responsibilities encompassed in GDPR are maintained after we leave the EU.
Big Fines for Non-Compliance
The size of the fines which can be given to organisations that do not comply with GDPR is an indication of how determined the EU is to tackle issues with data protection and data privacy. From May, the maximum fine will be €20 million or 4% of an organisation’s annual global turnover, whichever is higher. This can be levied for failing to adhere to core principles of data processing, infringement of personal rights, or for transferring personal data to other countries or organisations that do not ensure an adequate level of data protection.
The issue of transferring data to countries or organisations with inadequate data protection should be a major concern for any company that has a website. If your web host has data centres outside of the EU, it is possible that the information you collect could be stored on less secure servers without your knowledge, and this could mean you are unwittingly breaching GDPR compliance. The same applies if your web host does not provide adequate security, even if it is within the EU.
Range of data to be protected
Identifying data
Any information that can be used to identify an individual comes under the protection of GDPR. This includes information such as their name, address or National Insurance number, as well as things like CCTV footage, car registration numbers, and RFID chip data.
Web data
GDPR also requires the safeguarding of web data. This includes details of an individual’s location, their IP addresses, and any cookie data.
Demographic information
If you collect any information that classifies individuals, this too comes under the protection of the new regulation. This includes data about gender, race, ethnicity, disability and sexual orientation.
Health, genetic and biometric data
Health, genetic and biometric data has become problematic over the last few years. Insurance companies, for example, can use this information as a basis for setting the costs of health insurance. As biometric data is increasingly used for authentication, keeping it secure is absolutely crucial. For this reason, it too is included in the data protected by GDPR.
Political affiliations
While many people aren’t too secretive about who they vote for or which political party they support, plenty of others are. If you hold data about political affiliations, whether that is a person’s membership of a particular party or just a political opinion gathered in a survey, it needs protection under the GDPR.
GDPR gives EU citizens new rights
Under the GDPR, all EU citizens will have the following rights:
The right of access
GDPR gives EU citizens the right to know the details of any personal data you hold about them and how that data is processed and used. As an organisation, you are obliged to provide this information on request.
The right to be forgotten
People also have the right to be forgotten. This means that if a person requests it, you will be required to cease the processing of any data you hold about them and delete it.
The right to data portability
If you hold data about anyone, they can now ask for that data to be passed to another organisation. This can make things like passing on ‘no claims’ histories from one insurer to another much easier. However, it also means that customers can use the records you hold about them to get better deals from your competitors.
The right to be informed about data breaches
Some organisations have kept serious data breaches secret for months in order to protect themselves from bad publicity and other unwanted consequences. Now, customers have to be legally informed within 72 hours. You must also inform any supervising bodies.
The right to data correction
Under GDPR, any data you hold about an individual must be accurate. If it isn’t, they have the right to demand it is corrected.
How can we help?
Here at Square Media, we offer an exclusive Website Security Audit to make sure that your website matches as many of the GDPR requirements as possible, as well as ensuring total security for you and your visitors. If you’d like to hear more about what we offer, don’t hesitate to get in touch with us and we’ll be happy to help!
Square Media is Northamptonshire’s premier Web Design & Marketing Agency, experienced in developing effective content and marketing strategies for forward-thinking companies in the local area. Our team of specialists consistently deliver outstanding results working in a variety of areas such as Search Engine Optimisation, Social Media Marketing Consultancy, Pay Per Click (PPC) and AdWords Management, amongst a wide range of other services.