The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to unify the data privacy rules throughout Europe, so that all citizens of the EU have a consistent level of protection and control over their own personal data. This unification ensures consistency throughout the region.
The process of introducing the GDPR throughout Europe has taken almost four years. It will be enforced, and therefore become law throughout Europe, on 25th May 2018. Despite the UK's exit from the EU, the GDPR will still be enforced in full throughout the UK.
The GDPR is not only about your own website. It also applies to organisations located outside of the EU if they provide goods or services to, or monitor the behaviour of, EU data subjects. For instance, if your website is integrated with a third-party software provider located outside of the EU, that software and the provider will also need to be GDPR compliant for you and your business to remain compliant.

Within the GDPR the conditions for consent have been strengthened: companies will no longer be able to rely on long, illegible terms and conditions full of legalese. The request for consent must be made in a clear, easily accessible form, distinguishable from other matters and written in plain language. Withdrawing consent must be as easy as giving it. Explicit consent is required for processing all sensitive personal data. What does this actually mean? Nothing short of "opt in" will suffice!
Personal data is any information that relates to a real person and that can be used, directly or indirectly, to identify that person. Examples include photos, email addresses, bank details, posts on social networking websites, medical information and computer IP addresses. This means that tracking cookies that use identifiers such as IP addresses fall under the definition of processing personal data.
Your first step should be to carry out a data audit of the personal data you manage and process. This will help you understand and identify all of your data processing points. We suggest that you list them and consider the following for each:
If you are using a third-party solution to process and manage data, such as Mailchimp, Salesforce or Freshbooks, you will need to check their respective privacy policies and make sure that they are GDPR compliant.