The GDPR is a new EU data protection regulation and its purpose is to strengthen and unify data collection from individuals within the European Union.
It is the strictest data law ever introduced and will immediately replace the obsolete Data Protection Directive 95/46/EC.
What’s the point of GDPR?
GDPR is not designed to make it more difficult for business to sell or perform their normal function, the main purpose of GDPR is to give users greater control over their personal data through legal consent. For organizations who store or process personal data, this consent also provides a lawful basis for processing data and marketing efforts.
A key element of the legislation is gaining a customer’s permission to use their data for a specific use. However, in marketing meaningful relationships aren’t based on compliance alone. For example, a smaller mailing list with full consent will yield a far higher click-through, open and engagement rate than a mailing list going to users who have no interest in the services or products you sell.
GDPR brings an opportunity to build trust with customers which is always positive. A business that promotes compliance, transparency and security is one everyone will trust. On the flip-side, if you visit a website which clearly does not comply, would you trust it?
Who must comply?
GDPR will affect all aspects of data collection and processing, and it’s not only for EU-based entities but every organisation that keeps data from individuals within the EU. Business that does not comply by the 25th May 2018 will face fines as high as 2% of the company’s annual turnover or €20,000,000.
You’ll have to comply with all relevant sections of the regulation.
- All processing must be fair & lawful. [Art. 6][Art. 9]
- Respect the rights of the data subject. [Art. 12–23]
- Keep records of processing (e.g. audit trail). [Art. 30]
- Cooperate with supervisory authority. [Art. 31]
- Process all personal data securely. [Art. 32]
- Communicate data breaches to supervisory authority [Art. 33], and to data subjects. [Art. 34]
- Perform Data Protection Impact Assessments (DPIA) where appropriate or required. [Art. 35]
- Designate a data protection officer where appropriate or required. [Art. 37]
- Follow requirements for international transfers of data. [Art. 44–50]
How to comply with the GDPR
Looking solely at the GDPR legislations in relation to websites, there are three simple guidelines that need to be followed in order to be compliant:
Undertaking an information audit will be helpful when documenting all personal data already being stored by your company. This should then be able to tell you what it is, where it came from and who it is shared with.
Ensure that all decision makers and key players are aware that the GDPR is being put in place – everyone needs to know the impact that GDPR will have on the ongoing day-to-day life of a business.
If you are still unsure of where to start, Logic Design are soon going to be providing GDPR website compliance as a service; this will include an initial audit of your website and a full report of our findings.