8 Mar 2018

GDPR – The Basics

Many people are still not actually aware of the looming GDPR that is coming into effect on the 25th May this year. But fear not, we will be running a blog series that will break it all down for you. And the actions you need to be taking. NOW!

So, what is GDPR?

GDPR, which stands for General Data Protection Regulation, is essentially a well overdue update of the 1998 Data Protection Act. It brings with it tougher fines for non-compliance and breaches – this could be up to £17 million, or 4% of your annual turnover. So essentially, that could be your business wiped out, just like that. Which is why it is SO important to fully understand the new regulation.

What boxes do I need to tick?

Unfortunately, it’s not quite that simple. You need to look at how you store and handle personal data as a whole. As well as having policies and procedures in place so that if you are inspected, you have a complete paper trail.

There are 6 core principles that need to be adhered to(*):

  1. Data should be processed lawfully, fairly and in a transparent manner.
  2. Data should be collected for specified, explicit and legitimate purposes.
  3. Data should be adequate, relevant, and limited to what is necessary in relation to the purpose it was collected for.
  4. Data should be accurate, and kept up to date.
  5. Data should be kept in a form which permits identification of data subjects for no longer than is necessary.
  6. Data should be processed securely, and protected against unauthorised processing, destruction, or damage.

(*) Reference – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/

So how does this differ from the DPA?

The foundation of GDPR falls down to consent. You need to offer your customers a real choice. Now that doesn’t just mean having a tick box at the bottom of your email signup form, like most of us do at the moment. It means that you CLEARLY have to state what people are signing up to.

Being ‘granular’ is key. Separate consent is needed for separate things. For example, if you are offering emails for different digital marketing services, people have to know which email list they are subscribing to. It has to be as black and white as: ‘Would you like to receive marketing emails about SEO?’. The tick box can’t be pre-ticked either. They have to do this themselves.

Keeping evidence

Once you have consent for someone to sign up to your email marketing, for example, you need to keep evidence. You need to store who they are, what they signed up to, how they gave their consent, and when this was.

Don’t forget, that you also need to make it easy for people to withdraw consent. Or access the data you have on them. That is why it is so important to have that trail of where the data came from.

Personal data breaches

Every organisation has the responsibility to report data breaches to the relevant authority. You MUST do this within 72 hours of becoming aware of the breach too. If the breach is likely to adversely affect the rights and freedom of the individuals concerned, they must also be informed.

With this in mind, you should ensure that you have solid procedures in place to prevent data breaches, as well as investigative procedures.

What you need to be doing now

The first step you need to be taking is making sure your website is GDPR compliant. Yes, we keep harping on about it… but the first step is to get an SSL certificate installed! Which we can install for only £60+VAT annually. Your website has to be secure, which is even more important when collecting personal data.

Secondly, ensure your WordPress is updated regularly. If you have a support and maintenance contract with us, this is done automatically so no need to worry.

Thirdly, update your privacy policy page. This needs to be in line with the new regulation, and disclose more information than previously. The language should be clear, and you must include the following key information (**):

  • Who your data controller is
  • Contact information for the data controller
  • Informing users of the rights they have under GDPR (with regards to accessing their own data)
  • Whether users are required to provide personal data, and what happens if they don’t (put simply, if they don’t provide an email address it may mean they are unable to login to their account)
  • Whether you transfer data internationally
  • What your legal basis is for processing data

(**)  Reference – https://termsfeed.com/blog/gdpr-privacy-policy/

Finally, most importantly, review your consent forms. You must obtain explicit content from the user, and all forms will need an opt-in checkbox, allowing the user to acknowledge and consent. Here is a great example from Woolworths Australia, who as you can see have gone for the ‘granular’ data approach:

Okay, so that was a bit of a whirlwind introduction into GDPR, but it should give you the basic information to start with. Keep an eye on our blog page during the next few months in the lead up to the introduction of GDPR, as we will be going through things in detail for you.

If you have any questions, or would like to get these changes implemented to your current website please email office@laser.red, or giving us a call on 01472 878496.

The authors

Charlotte Perrelle - Digital Marketer at Laser Red
Charlotte Perrelle
Digital Marketer