GDPR - The General Data Protection Regulation (Regulation (EU) 2016/679) was adopted by the European Parliament on 14 April 2016 and has applied directly since 25 May 2018.
It is a regulation created by the European Union (EU), so it is binding in every Member State without national governments having to pass local legislation to give it effect; Member States may supplement it in a few areas (for example the age at which a child can consent to online services) but cannot weaken it.
All Member States have had a responsibility to make sure it is enforced within their countries since May 2018, through their national supervisory authorities.
Here is a summary of the basic GDPR principles and the obligations that follow from them, to help you stay compliant. These are:
- Lawfulness, Fairness and Transparency.
GDPR is, in practice, common sense: as data subjects and end users it is in our own interest. Companies can still process the data they need to operate their business, but they must have a lawful basis for each processing activity and be transparent about what they do with the data.
- Purpose Limitation
This means that the purpose for which data is collected must be explicitly explained to the data subject at the time of collection, and the data must not later be used for other purposes that are incompatible with that original purpose.
- Data Minimisation and Accuracy
This is the principle of collecting only the data you actually need to operate your business, and keeping what you hold accurate and up to date. It covers data about suppliers, staff and customers held for processing and marketing reasons. Other legal obligations, such as national accounting and tax rules, may require you to keep certain records for a fixed period; GDPR allows processing that is necessary to comply with such obligations, so check the rules in your own country as well and document the retention period you rely on.
- Controller Accountability
GDPR makes the controller responsible for compliance and for being able to demonstrate it, through records of processing activities, written policies and contracts with any processors. Appointing a Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organisations appoint one voluntarily. The DPO's task is to monitor compliance and to be a point of contact for data subjects and the supervisory authority on anything regarding GDPR data processing.
- Data Subject Rights
It is important that you respect the data subject's rights. They have the right to know what data you hold about them and to request a copy of it from you (a subject access request). You must provide this free of charge, except for manifestly unfounded or excessive requests, and without undue delay, at the latest within one month, which can be extended by two further months for complex or numerous requests. They also have rights to rectification, erasure, restriction of processing, data portability and to object to certain processing, so make sure your systems can locate and export everything held about one person.
- Integrity and Confidentiality
Security of processing is extremely important. You need to be able to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services processing personal data, to restore access to the data in a timely manner after an incident, and to regularly test the measures you rely on. In practice this means appropriate technical and organisational measures such as encryption or pseudonymisation, access control and tested backups, and for some organisations an upgrade of their IT estate. Personal data breaches that pose a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of them, so you also need a process for detecting and assessing incidents.
- Storage Limitation
Once you have collected data lawfully, you may keep it in a form that identifies people only for as long as is necessary for the purpose it was collected for; define retention periods and delete or anonymise data when they expire. Related, but separate, is the right to erasure (the "right to be forgotten"): a data subject can ask you to delete their data, for example when it is no longer needed or they withdraw consent, and you must comply unless another legal ground, such as a statutory retention obligation, requires you to keep it.
When you rely on consent as the lawful basis for processing customer or employee data, that consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and you must be able to demonstrate it. This means the systems on your website and your paper trail need to record who consented, to what wording, when and how. Consent is only one of the lawful bases, and for employee data it is rarely the right one because of the imbalance of power between employer and employee; a legal obligation, a contract or a legitimate interest is usually the correct basis there. It is also important that when people register they clearly indicate how they are willing to be contacted. They have the right to withdraw consent at any time, and withdrawing must be as easy as giving it, so unsubscribe links and other means of leaving your database need to be clearly visible in every communication.
Still wondering how to make your website GDPR compliant? Here's a short list of items to check:
- Registration forms:
Make sure they are compliant. The image above shows an example of a compliant form and a non-compliant form. Be clear and specific, use a separate, unticked box for each purpose, and do not bundle different permission requests into one box or pre-tick it, as neither counts as valid consent under the regulation.
- Tracking and Cookies
Make sure you get consent before setting cookies or using other tracking that is not strictly necessary to provide the service the visitor asked for, such as cookies used to identify or retarget website visitors for marketing purposes. The cookie rules themselves come from the ePrivacy Directive as implemented in each country, but the standard of consent they refer to is the GDPR one, so non-essential cookies must not be set until the visitor has actively opted in for that purpose.
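The consent paragraph above and the two checklist items (registration forms, tracking and cookies) describe the same mechanism from different sides: a form that asks for each permission separately, a record that proves who agreed to what and when, and a server that only sets non-essential cookies once the matching consent exists. The following is an added example written for this page, not code from the original article or from any particular product; the purpose names, cookie names, form definitions and clock are assumptions made up for illustration.

```javascript
// Added example (not from the original article): a granular consent record
// for a web backend, with the checks the text asks for. Purpose names,
// cookie names and the sample forms below are constructed assumptions.

// Each purpose carries the wording the subject actually saw, so the record
// can later show exactly what was agreed to.
const PURPOSES = {
  newsletter: "Send me the monthly newsletter by e-mail",
  marketing_cookies: "Set cookies that identify me for retargeting adverts",
  analytics_cookies: "Set cookies that measure how the site is used",
};

// Strictly necessary cookies need no consent; any other cookie is tied to
// exactly one purpose the subject can accept or refuse on its own.
const COOKIE_POLICY = {
  session_id: { essential: true },
  csrf_token: { essential: true },
  _adtrack: { essential: false, purpose: "marketing_cookies" },
  _stats: { essential: false, purpose: "analytics_cookies" },
};

// Check a form definition before it ships. Returns a list of problems;
// an empty list means every consent box is separate, unticked and known.
function validateConsentForm(fields) {
  const problems = [];
  for (const f of fields) {
    if (f.type !== "checkbox") continue;
    if (f.checked) problems.push(`${f.name}: pre-ticked box is not a clear affirmative action`);
    if (f.purposes.length !== 1) problems.push(`${f.name}: bundles ${f.purposes.length} purposes into one box`);
    for (const p of f.purposes) {
      if (!(p in PURPOSES)) problems.push(`${f.name}: unknown purpose "${p}"`);
    }
  }
  return problems;
}

// Append-only log of consent decisions: the latest event per (subject,
// purpose) is the current state, earlier events stay as evidence.
class ConsentLedger {
  constructor(clock = () => new Date()) {
    this.clock = clock;
    this.events = [];
  }

  // Store exactly what was submitted. A box left unticked is recorded as a
  // refusal, never silently treated as consent.
  recordSubmission(subjectId, submitted, textVersion) {
    for (const [purpose, ticked] of Object.entries(submitted)) {
      if (!(purpose in PURPOSES)) throw new Error(`unknown purpose "${purpose}"`);
      this.events.push({
        subjectId,
        purpose,
        granted: ticked === true,
        text: PURPOSES[purpose],
        textVersion,
        at: this.clock().toISOString(),
      });
    }
  }

  // Withdrawal is one call with no extra conditions (as easy as opting in).
  withdraw(subjectId, purpose) {
    this.recordSubmission(subjectId, { [purpose]: false }, "withdrawal");
  }

  hasConsent(subjectId, purpose) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      const e = this.events[i];
      if (e.subjectId === subjectId && e.purpose === purpose) return e.granted;
    }
    return false; // no record at all means no consent
  }

  // Everything held about one subject, for answering an access request.
  exportFor(subjectId) {
    return this.events.filter((e) => e.subjectId === subjectId);
  }
}

// Names of the cookies the server may set for this subject right now.
function cookiesAllowed(ledger, subjectId) {
  return Object.entries(COOKIE_POLICY)
    .filter(([, rule]) => rule.essential || ledger.hasConsent(subjectId, rule.purpose))
    .map(([name]) => name);
}

// Constructed sample forms: a bundled, pre-ticked one and a granular one.
const BAD_FORM = [
  { name: "email", type: "text", purposes: [] },
  { name: "optin", type: "checkbox", checked: true, purposes: ["newsletter", "marketing_cookies"] },
];
const GOOD_FORM = [
  { name: "email", type: "text", purposes: [] },
  { name: "newsletter", type: "checkbox", checked: false, purposes: ["newsletter"] },
  { name: "adverts", type: "checkbox", checked: false, purposes: ["marketing_cookies"] },
];
```

Running `validateConsentForm(BAD_FORM)` reports two problems (pre-ticked and bundled) while `GOOD_FORM` passes. After `recordSubmission("u1", { newsletter: true, marketing_cookies: false }, "v1")`, `cookiesAllowed` returns only the two essential cookies; `_adtrack` appears only once the subject later ticks the marketing box, and `withdraw("u1", "newsletter")` flips that purpose back to refused while leaving the earlier events in place for `exportFor`. The design choice worth copying is that the ledger never infers consent from silence or from an older record: absence of an event is a refusal, and a newer event always wins.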
In reality staying compliant is not such a difficult task. Always ask yourself "As an end user, what would I want to know about where my data is going?". The answer to this question, some legal advice and the right IT support should have you in line in no time at all.