GDPR, Ballyhoo & You
GDPR is starting to become a familiar acronym. You may be aware of upcoming changes to the law concerning privacy, and perhaps you've even received a few scary emails saying that the end of data protection as we know it is nigh.
But what is it all about, really? And how will it affect your website? We want to let you know in real terms what you need to know and how Ballyhoo will aim to help you transition to new General Data Protection Regulation (GDPR) requirements.
Disclaimer: This article provides an overview of GDPR and does not constitute legal advice. Ballyhoo's focus is on how to become website-compliant, and we have partnered with the specialist security firm, Aristi, should you require more in-depth information on best-practice within your organisation.
Are you ready for GDPR? Are you?!
Despite the law not being enforceable until May 2018, we've already seen a lot of information circulating about how to comply. And quite rightly: it's much better to prepare.
GDPR will mean a shake-up of how we manage data consent and requires more stringent policies and possible changes to your website and data storage. However, in the grand scheme of things, this is a positive development and, with a little foresight and proper management, it should be reasonably painless - especially if you are already on top of your duties under the Data Protection Act.
If you're in any doubt about how to comply and what changes you may need to make to your website (and we can almost guarantee there will be some), we've created a GDPR audit service especially to help you meet your obligations.
So, what is GDPR?
GDPR is a new European regulation which focuses on the rights of the individual. It is being introduced to give people more control over how and where their data is used.
GDPR supersedes the Data Protection Act 1998 (the DPA). We've made many technological advances in recent years, so GDPR takes into account how these affect the way we now store and use personal data. If you are already DPA-compliant, you are on the right track and may find that not much has to change.
As a website owner, you are responsible for any data received through your website; at a minimum, you probably have at least one contact form on your site. It's more complicated for those of you who are selling products or taking bookings online as the amount of personal data required to carry out the purpose of the website increases.
Personal data now also includes information that can be used to identify an individual beyond what they actively provide to you, such as cookies stored on their devices and IP addresses.
Should anything go amiss, you'll also have a legal obligation to report any data breaches promptly and in their entirety to the Information Commissioner's Office (ICO).
When does GDPR come into force?
Despite the UK leaving the EU, our requirement to adhere to GDPR will not be affected, and compliance with legislation becomes mandatory on 25th May 2018.
That's not to say you shouldn't start complying straight away. Many businesses are already rolling out their GDPR-compliant privacy policies and systems, with the intention of ironing out the kinks over coming months.
To whom or what does GDPR apply?
Different rules apply depending on the size and scale of your organisation, but the basics are the same, whether you are an individual or a company. You might be large enough to have a dedicated data controller who can take the lead on GDPR, but many of the companies we work with aren't, so we'll do what we can to help you meet your responsibilities.
How enforceable is GDPR?
As a small business owner or SME, you still have a legal duty to comply, even if you're not sure you're large enough to be on the ICO's radar. You shouldn't face any sleepless nights as long as you protect the interests of your users. In a sense, it primarily comes down to ethics:
- Are you giving customers enough information about how you will use their data?
- Are they able to opt in to (as opposed to opt out of) communications when they hand over their details?
- Do they have the right to withdraw consent, if given, at a later date?
- Are you doing your utmost to protect their data while it is in your possession?
We can see similarities here with the “Cookie Law” of 2011. Scaremongering was commonplace when this was introduced, and many websites went a bit OTT, but as long as you employ best practice, you should have nothing to fear.
However, you should be aware that non-compliance carries fines of up to €20 million or 4% of global annual turnover, whichever is greater.
What is Ballyhoo doing to comply?
From now on, we will develop every project undertaken by Ballyhoo with GDPR in mind, in advance of the law coming into force. We will discuss the requirements for compliance with clients and ensure everyone knows their responsibilities.
Ultimately, the onus is on you as a site owner to comply with GDPR, but we'll do everything we can to help. For existing websites that we have built or manage, first and foremost we recommend that you take advantage of our new GDPR audit service.
Our audit has been designed to take a snapshot of your website or application so we can pinpoint where and how to make improvements. You'll receive a report detailing our findings, and we can then work with you to implement a plan of action. Alternatively, you can take the audit results away and work through them at your own pace, or even with someone else if you prefer.
Typically we'll look at:
- Data encryption and SSL
- User registration and contact forms
- Opt-in and explicit permission for communications
- Privacy policies
- Existing stored data
We will ensure that our hosting service has rigorous security protocols in place to protect data, and we’re currently working on a new hosting infrastructure to improve our service offering using the latest technologies and protocols. More will be announced on this soon.
New information and best practice on GDPR is continually coming to light, so we will be monitoring the situation closely in the lead-up to May 2018 and will keep you apprised of anything else we think you need to know.