In Data Protection, GDPR, Websites by Olivia


GDPR arrives on 25th May — get your business ready

The General Data Protection Regulation (GDPR) is far-reaching EU data protection legislation that takes effect on 25th May 2018. Ready or not, it will affect your business. It applies regardless of Brexit, and it aims to strengthen citizens' privacy rights compared with the Data Protection Act 1998 and to protect their information in a data-driven age. In practice this means a business of any size must be able to demonstrate that its data protection processes and policies are above board. If you have been caught on the hop, it is not too late to get your house in order; here are a few simple tips to get your business GDPR-ready.

All businesses should:

  • Perform a data audit — regulators will take a dim view of any firm that does not protect personal data against unlawful or unauthorised processing, damage, destruction or accidental loss.
    So you will have to find out where all of your paper and electronic files are, work out what is in them, and decide whether your storage systems are secure and agile enough to be fit for purpose.
  • Confirm your 'opt-in' options — GDPR requires a valid lawful basis for every processing activity. Consent is only one of those bases (contract, legal obligation and legitimate interests are others), so check which basis you actually rely on for each activity before asking people to re-consent.
    Where consent is the basis, send out new, clear and concise privacy notices to all clients asking them to positively 'opt in' to each type of communication, rather than the traditional 'opt out' approach.
  • Prepare for Subject Access Requests (SARs) and the Right to Erasure — a SAR lets a customer or former employee request a copy of the personal information an organisation holds on them (subject to certain exceptions). You need to know what information to provide or withhold, and have systems in place to respond within one month.
    In certain circumstances, individuals can ask for the information held on them to be erased completely from your records; a Right to Erasure request should also be actioned within one month.

Website owners should:

  • Get to grips with data types — under GDPR, data such as name, address, location and IP address is classed as 'personal data', whereas information such as health status, ethnicity, sexual orientation and religious or political beliefs is 'special category data' (what the Data Protection Act 1998 called 'sensitive personal data') and is given a greater level of protection.
  • Understand data rights — whether you are a controller or a processor of information, you must uphold individual rights such as the right to be informed, the right of access, the right to rectification, the right to erasure and so on.
  • Audit all electronic systems — trawl web forms, CRMs, email clients and social-media tracking pixels to determine which data is first party and which is third party, how long it is stored, what the lawful basis for processing is, and who it is shared with.
  • Secure systems — remove redundant data that is only a liability, ensure all data is processed in a GDPR-compliant manner, and stop sharing information with third parties unless you are assured that they are also compliant.
  • Document your new processes and policies — so that you can demonstrate that everything you do is above board.
  • Update and publish a GDPR-ready privacy/data protection policy — to state transparently what data you collect, why you gather it and how you use it.
  • Obtain clear consent — personal data may only be processed for the declared purpose it was collected for, so you cannot simply move people who filled in a contact form onto your marketing mailing list.
    As described earlier, give all contacts proactive opt-in options for each different type of data gathering, and make sure they are always offered the chance to opt out of future communications. Some of these processes will mean losing contacts, but the contact data that remains will be legally compliant and higher-value, and new customers will feel confident that you are fully compliant. You will also avoid a potentially hefty fine from the Information Commissioner's Office (ICO).

For more information on GDPR preparedness, contact us for a chat or take a look at the ICO advice for small organisations.
