General Data Protection Regulation (GDPR)

What is GDPR and how does it affect me?

What is GDPR?

  • A new European regulation on data privacy. Full details can be found on this website: https://gdpr-info.eu/.
  • It builds on previously existing privacy and data protection rules in Europe and the UK, so, for those who are compliant with existing rules, major changes will not be required.
  • It affects how personal data is collected, retained, shared, and deleted.
  • Those who control and/or process personal data must make sure that all of their dealings with that data are compliant with the new rules.
  • It applies across all European countries.
  • It also applies to data belonging to European nationals, even if the company is located outside the EU, and, in this sense, will definitely continue to be relevant to the UK after Brexit.
  • Moreover, the UK government also has plans to enact more or less the same rules post-Brexit in a new UK Data Protection Act.
  • (See: https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views)
  • Failure to comply can lead to fines.

How do I comply with GDPR?

  • I need to deal with personal data in my possession in a lawful, fair and … transparent manner.
  • In order to be lawful, data must be processed on one of the following bases:
    1. consent
    2. a contractual obligation with the person providing their data
    3. to protect other “legitimate interests,” which can include commercial or other interests, provided that these are not outweighed by the “interests or fundamental rights and freedoms” of the person providing their data
    4. to comply with legal obligations.
  • There are also some public interest justifications for processing data in Article 6.
  • Where appropriate, I will need to have mechanisms in place to obtain consent for collecting and holding personal information, and consent must be sought in “an intelligible and easily accessible form”.
  • I will need to have a data retention policy to ensure that I am not keeping personal data for longer than it is required.
  • I will need to provide users of my website with access to a privacy policy explaining how their data will be collected, stored, and shared, as well as their rights in relation to their own data.
  • I will have to ensure that the individuals providing data can make requests for access to their data, including requests for their data to be returned to them. In particular, I have to ensure that individuals are able to find out “whether or not their data is being held or processed, where, and for what purpose.”
  • I will have to respond to requests for the return or sharing of data with the individuals providing it, by sending it to them in an electronic format, free of charge.
  • If an individual requests that his or her data be erased, I will need to desist from further dissemination of that data, and I may also have to request third parties to stop dealing with their data. However, if I need to retain the data for “overriding legitimate grounds,” including the exercise of the right of freedom of expression and information, compliance with legal obligations or needs, public interest, or archiving purposes, I can do so.
  • I must notify individuals if their data have been implicated in a breach that “is likely to result in a high risk to the rights and freedoms” of individuals.

Making my Website GDPR Compliant

You may need to update your website to comply with GDPR. Here are a number of checks you may need to carry out to ensure your website is GDPR compliant.

Please note that these checks are in no way exhaustive, and the steps required to make your site fully compliant may vary based on your website and how you use personal data. These are just some of the issues you may wish to consider.

  • You should have a privacy policy on your website and clear contact information so that visitors to your site can contact you with GDPR requests. These items should ideally be easily accessible from the home page.
  • If you use a mailing list or other marketing methods, you need to ensure that all people on that list have given you consent to contact them. This consent needs to be informed, so a user needs to understand what they are signing up for, and they need to actively choose to receive it. A pre-ticked sign-up checkbox, for example, will not be considered consent to send mail to a user under GDPR.
  • You should also be aware of what personal data your website may collect and set a retention policy for that data. You should also be aware of how to comply with data access and deletion requests for any personal data your website may hold.
  • You should ensure that the software on your website is kept up to date to minimise the risk of a security breach.
  • If your website stores users’ personal data, you should ensure you have a policy for deleting such data when it is no longer relevant or required.
  • If your website has an online shop, make sure you understand what data is stored by the shop, and put appropriate retention policies in place.

More information about what you need to do to comply with GDPR can be found on the Information Commissioner’s Office guide to the GDPR.