The General Data Protection Regulation (GDPR) is the legislation that is coming into effect on the 25th May 2018. It is a new EU regulation that is attempting to unify how countries in the EU approach data protection and the security of personal information. UK is very much included in this new regulation, despite Brexit, as any country that wants to trade with countries in the EU must be compliant.
The GDPR aims to give citizens of the EU greater control over their own data, and to give them confidence that their personal information is being protected by the companies they choose to give them to.
The fines for breaking the rules are considerable: 4% of global annual turnover or €20 million, whichever is higher. Many businesses are looking to put standards in place now, as it is going to be a significant change.
Personally Identifiable Information (PII) has been given a much broader definition under GDPR.
In the words of the regulation, personal data is “any information relating to an identified or identifiable person” and it includes:
- Names
- Photos
- Email addresses
- Bank details
- Updates on social networking websites
- Location details
- Medical information
- Computer IP addresses
The GDPR also introduces the idea of “pseudonymous data”, which has been subjected to various technical measures that render it no longer directly able to identify an individual. Session IDs and customer reference numbers fall into this category that will need to be pseudonymised effectively if they are to be used in profiling or other processing activities.
Pseudonymised data is currently used in advertising to tie user’s actions together. Cookies and mobile OS identifiers are a good example. This kind of data allows some relaxations of GDPR’s provisions, if the organisation reviews its level of security and makes adequate risk assessments.
Pseudonymous data lost in a breach is more secure, as without the method for retrieving the details of the data, it is much more difficult to work out who the individual is, and so draw value from it.
Organisations can process pseudonymised data more too. They can use it in profiling as it is unlikely to cause harm to a data subject.
What can your company do?
In order to sign up for communications from your company, prospects will have to fill out a form or actively tick a box and then confirm they would like to sign up in a second email. The consent to be communicated with must be recorded and time stamped in case the data collection is questioned in the future. The process to unsubscribe must be simple and instant.
If you collect payment information on your website, previously you could outsource your data collection and payment processing to a third-party payment gateway and absolve yourself from the responsibility of looking after it. No longer. Now your company has to show proof and clearly explain that you know exactly what is happening to those details when they are collected by that third party. Although collecting payments is always, by its very nature, explicitly asked for, when GDPR comes into force this ask also needs to come with a very clear statement about where your customers data goes, and who is responsible for storing and processing the data. The privacy policy of all third parties must be easily accessible on your website. Once GDPR is implemented, organisations also need to make their customers data available for download by that customer. Whether this must be available for download from their customer log in on your website is yet to be determined- you may just be able to provide this once it is asked for.
Privacy Policy
Your privacy policy must be easy to understand (think: layman’s terms) and easy to locate on your website. Make sure it is updated according to the GDPR before the 25th May 2018.
Third Party Vendor Code
Most website/app operators don’t know about the many direct and indirect vendors who contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors. You or at least your marketing team need to understand exactly what information is being collected and state this very clearly in your privacy policy & in your opt in. For example, do you collect IP addresses and device ID’s? If so, you must make this clear.
If you are concerned how GDPR can affect your business please get in touch and our team at Phaeria will do its best to provide the best solution.
