Making your website compliant with the GDPR



Contents

Introduction
How does it differ from the DPA (Data Protection Act)?
When does it come into effect?
What effect will Brexit have on the GDPR?
What are the key features of the GDPR?
What are the penalties if I don't comply?
What action do I need to take?
Final word
Resources and further reading
About Quba

About the authors

Mike Payne, Senior software engineer

Mike is a senior software engineer at Quba. He plays a key role in our technology strategy and software architecture. With over sixteen years' experience in delivering online solutions to business problems, Mike has helped SMEs and multinational companies fulfil their online strategies. He has a wealth of experience in how data is stored and managed, along with an expert understanding of online security.

Matt Jones, Director

Matt is a director and co-founder of Quba. He has been responsible for extensively researching the legal implications of the GDPR, taking a lead from our legal partner Irwin Mitchell, one of the UK's leading law firms and experts on the new regulations. Matt has overseen the creation of this guide and has distilled the extensive EU guidelines into a set of easy-to-understand action points to ensure your website is compliant with the GDPR.

Introduction

The General Data Protection Regulation, better known as the GDPR, comes into effect on the 25th of May 2018. It is a new EU regulation aimed at making data protection more secure and strengthening the rights of EU citizens over how data about them is held and used. It applies to companies that collect data from EU citizens, described as the "data controller", and to companies that process the data on behalf of the data controller, described as the "data processor". It has the potential to impact almost every company, both in the UK and worldwide, regardless of whether they are a sole trader or a large multinational corporation. Penalties for non-compliance are severe, and the bodies responsible for overseeing them have indicated that they are likely to be strictly enforced.

So how prepared are UK companies for the introduction of the GDPR? In a recent survey of over 2000 businesses conducted by YouGov on behalf of Irwin Mitchell Solicitors, they found the following:

• 62% of respondents said they had not heard of the GDPR
• Only 29% had started to prepare for compliance despite the looming deadline
• 71% were unaware of the new penalties that will come into effect with the introduction of the GDPR

Clearly, there is a lack of awareness among some companies as to what the GDPR is and how it will affect their business. The implications of the GDPR are broad and affect most types of personal data. In this document we explore the issues specifically relating to how the regulation affects your website and the services linked to it, such as CRM and email marketing systems. For specialist advice on the impact of the GDPR on other areas of your business, we recommend you discuss these with Irwin Mitchell, one of the UK's leading solicitors' firms, which has specialists in this area.

How does it differ from the DPA (Data Protection Act)?

When the GDPR comes into effect it will completely replace the DPA (Data Protection Act) of 1998. Organisations and companies that are compliant with the DPA will be required to take extra steps to ensure that they comply with the GDPR. Those organisations and companies that are not already compliant with the DPA have a formidable task on their hands ensuring compliance with the new regulations. The GDPR introduces a number of new obligations, detailed later under "What are the key features of the GDPR?", which will mean that organisations and companies will have to adapt their processes and procedures to maintain compliance.

Some of the main differences include:

• The DPA only applies to the UK, whereas the GDPR applies to the EU and to organisations outside it that collect data on EU citizens
• Data breach - stricter guidelines for notifying the Information Commissioner in the event of a data breach
• Portability rights - the individual has the right to obtain their data and reuse it
• Documentation and accountability – companies and organisations must be able to demonstrate their compliance and document everything
• Consent – individuals must opt in for their data to be stored or processed (with a few exceptions)
• A large increase in fines for non-compliance
• The right to be forgotten - the individual's right to have their data permanently deleted

With stricter enforcement and the introduction of many new requirements for organisations and businesses, those responsible for overseeing websites and digital services need to ensure that they comply with the legislation well in advance of the deadline next year. The GDPR legislation comes into effect prior to the deadline for the United Kingdom leaving the EU.

When does it come into effect?

The GDPR became law on the 27th April 2016 (Regulation (EU) 2016/679) and comes into effect on the 25th of May 2018. Organisations and companies that hold or process data on individuals have until this date to comply with the regulations. This gives companies just over six months to take the steps necessary to comply.

What effect will Brexit have on the GDPR?

The GDPR comes into effect before the United Kingdom's deadline for leaving the EU, so companies will have to meet the 25th of May 2018 deadline regardless. The UK's digital minister, Matt Hancock, stated that the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill. It is anticipated that this bill will incorporate the EU's GDPR into UK law, something confirmed in a statement by Elizabeth Denham, the Information Commissioner, who said:

"We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public." "The Bill will bring the European Union's General Data Protection Regulation (GDPR) into UK law"

The result of this is that organisations and companies collecting or processing personal data cannot avoid the GDPR, particularly those who are collecting data on citizens within the EU. Rather than looking at the GDPR as another box to tick, companies would do better to treat it as an opportunity to build trust with a customer base who in the majority of cases feel that they no longer have control over their data.

What are the key features of the GDPR?

The GDPR legislation is an extensive document and covers many aspects of how data is stored and used by companies. Here we detail the regulations that relate to your website and digital web-based services.

Accountability & transparency

One of the key aspects of the GDPR is accountability. Companies must be able to demonstrate that they comply with the principles of the GDPR; this covers many aspects of the business, from staff training to documentation of procedures and processes. For a start, organisations and companies must ensure that the responsibilities of individuals in the company, from the directors down to those processing data, are made clear. Everyone needs to know how the GDPR affects them, and whilst not everyone needs to be an expert, they do need to know the key principles and how they should be implemented.

The GDPR legislation requires companies to be transparent when dealing with individuals about how their data is being used, for what purpose, and how long it will be stored for. They must make it clear whom individuals should contact to find out how their data is being used.

What does this mean for your website?

In certain circumstances the GDPR requires that companies appoint a Data Protection Officer (DPO). This tends to apply to companies and public sector organisations that process large amounts of data. The role of the DPO is to oversee compliance with the GDPR within the company. Whilst it is not a requirement for all companies to have a dedicated DPO, it makes sense to have someone within your company who is nominated to take responsibility for compliance. Whilst this is more an issue of training, those responsible for the management of your website and digital services, such as email marketing tools and CRM, will require special training to ensure they can comply with the legislation.

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments have been in existence for some time, essentially under the different title of Privacy Impact Assessments (PIAs). They require the organisation or company to carry out a risk assessment of an individual's data and put in place steps to mitigate those risks. DPIAs are an essential part of privacy by design. By identifying potential problems at an early stage, it is possible to introduce processes and procedures for dealing with them.

"We're all going to have to change how we think about data protection." The Information Commissioner, Elizabeth Denham

What does this mean for your website?

When making significant changes to your website or designing a new one, a DPIA should be carried out. The full process involved in carrying out a DPIA is out of the scope of this document, but essentially the process follows these steps:

• Identify the need for a DPIA
• Map out the information flows
• Identify the risks
• Identify the privacy solutions
• Sign off and record the outcomes
• Integrate these outcomes into a project plan
• Consult with all stakeholders

Not all website projects will require a DPIA; that is why it is necessary to carry out the initial risk assessment to establish whether one is required.

Consent

The GDPR states that consent must be freely given. This means that it is no longer acceptable to assume that an individual gives consent to their data being used and processed. For your business, this means that you must clearly spell out how the data is going to be stored and processed by your website or associated digital services such as your CRM or email marketing database.

"When it comes to data protection, small businesses tend to be less well prepared... But small organisations often process a lot of personal data, and the reputation and liability risks are just as real." The Information Commissioner, Elizabeth Denham

Individuals inputting personal data on your website need to "positively opt in", meaning, for example, that someone who is submitting an enquiry on your website must opt in if you wish to use their data for, say, email marketing purposes. Furthermore, check boxes cannot be pre-checked; the individual must check them themselves. Special requirements for children will come into effect, requiring that data controllers secure the permission of their parent or guardian before storing or processing personal data.

Privacy by design and pseudonymisation

Organisations and companies will now have to ensure that their website, along with any web services that it utilises, implements effective measures to protect personal data. These need to be designed into their products and services from the outset. Adopting this approach when designing a new website is likely to result in a better experience for the customer, build trust, minimise the risk of a data breach and ensure that GDPR compliance is met.

Pseudonymisation is part of the privacy by design requirement and, simply put, means that companies that store and process data need to ensure that the key pieces of data which, when combined, could identify an individual are stored separately. This could mean storing a postcode separately from, say, a name or house number. That way, if one part of the data is compromised, individuals cannot be identified from that part alone.

“Good practice tools that the ICO has championed for a long time - such as privacy impact assessments and privacy by design - are now legally required in certain circumstances.” The information commissioner, Elizabeth Denham

Many companies already use encryption when transferring data over the internet, but this data is often stored in databases that are not encrypted.

The right to be forgotten

The GDPR states that individuals have the right to request that their data is permanently deleted, often referred to as "the right to be forgotten". Whilst this may sound straightforward, in practice it could present a headache for companies holding the data. The right to be forgotten does not apply in all cases. There are some exceptions, but typically it would apply in situations where the data is no longer necessary for the purposes for which it was originally collected, was collected in a manner which breached the GDPR, or where the individual withdraws consent. There are other situations too, such as when the data collected relates to a minor, and it is definitely worth examining this in more detail (this can be found on the Information Commissioner's Office website; link at the end of this document).

Once a request is received, providing it meets the criteria for deletion, then the data must be removed in its entirety, not just removed from a single database. This includes multiple databases and backups of the data. In the case of your digital presence this not only includes any data stored on your website but also your CRM, email marketing list etc.

"Accountability is at the centre of all this: of getting it right today, getting it right in May 2018, and getting it right beyond that." The Information Commissioner, Elizabeth Denham

Data security & breach notification

The company responsible for storing the data is required to monitor the security of that data and, in the event of the data being compromised, whether through a malicious attack or human error, must in some circumstances report this to the governing body, in this case the Information Commissioner's Office. Furthermore, in some cases they should inform the individual whose data has been compromised.

So in which circumstances should you notify the ICO? The regulation states that this should take place where the breach is likely to result in a risk to the rights and freedoms of individuals. This could, for example, be where sensitive personal data is compromised, or financial information such as an individual's bank details. In the event of a breach you must inform the regulator of the nature of the data breach, the number of individuals affected and the categories of the data records concerned. Furthermore, you must give them the details of the DPO, a description of the possible consequences of the breach, and the action taken to deal with these consequences and mitigate its possible effects.

A clearly documented process

Companies and organisations must be able to show clear evidence of compliance with the GDPR. It will usually be the role of the DPO not only to oversee but to clearly document the company's or organisation's GDPR process. In addition to the responsibility to document the organisation's own process, the DPO has a responsibility to document processing activities carried out by data processors on behalf of the data controller.

What does this mean for how data is processed on your website? If, for example, you are using cloud-based services that are integrated with your website, such as a CRM service, then the DPO must be able to demonstrate compliance with this system also. This presents many companies with a potential headache, as web services are often integral to processing data and in many cases are based outside of the EU.

Data portability

Data portability enables individuals to access and use their data across different services. The individual has the right to ask for their data to be provided; this might be so they can access a competing service online. The data controller must be prepared to provide the data promptly and in a format that is easily accessible for the individual requesting it. Most likely this will be something such as a CSV file. Once a request is received you must respond within a month, and the information must be provided free of charge. The result of this is that, if you don't already have a process in place for dealing with data requests, you will need to put one in place. If your organisation or company processes a lot of personal data via your website or web services, then this is likely to require significant preparation.
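The following Python example is added here to illustrate three of the points above; it is not code from this guide or from Quba. It shows the pseudonymisation approach described earlier (identifying fields held in one store, everything else in another, linked only by a random token), the erasure from every store that the right to be forgotten requires, and a CSV export of the kind a portability request calls for. The sample enquiries, the field names and the SplitStore class are all constructed for this illustration.

```python
"""Pseudonymised split storage: identifying fields and the rest of a record
are held in two separate stores, linked only by a random token."""
import csv
import io
import secrets

# Constructed sample enquiries (not real people).
SAMPLE_ENQUIRIES = [
    {"name": "A. Example", "house_number": "12", "postcode": "S1 4EB",
     "enquiry": "quote for a new website", "marketing_opt_in": "yes"},
    {"name": "B. Sample", "house_number": "7", "postcode": "S1 4EB",
     "enquiry": "CRM integration", "marketing_opt_in": "no"},
]

# Fields that, combined, identify a person; assumed for this illustration.
IDENTIFYING_FIELDS = frozenset({"name", "house_number", "postcode"})


class SplitStore:
    """Two dicts standing in for two separately secured databases."""

    def __init__(self, identifying_fields=IDENTIFYING_FIELDS):
        self.identifying_fields = frozenset(identifying_fields)
        self.identity_store = {}  # token -> fields that identify a person
        self.data_store = {}      # token -> everything else

    def add(self, record):
        """Split one record; return the random token linking the halves."""
        token = secrets.token_hex(16)  # unguessable, carries no information
        self.identity_store[token] = {
            k: v for k, v in record.items() if k in self.identifying_fields}
        self.data_store[token] = {
            k: v for k, v in record.items() if k not in self.identifying_fields}
        return token

    def reidentify(self, token):
        """Join both halves; needs access to both stores."""
        if token not in self.identity_store or token not in self.data_store:
            raise KeyError("unknown token")
        return {**self.identity_store[token], **self.data_store[token]}

    def erase(self, token):
        """Right to be forgotten: remove the token from every store, not
        just one. Returns how many stores actually held it."""
        removed = 0
        for store in (self.identity_store, self.data_store):
            if store.pop(token, None) is not None:
                removed += 1
        return removed

    def export_csv(self, token):
        """Data portability: the individual's full record as CSV text."""
        record = self.reidentify(token)
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(record))
        writer.writeheader()
        writer.writerow(record)
        return buf.getvalue()


def fields_exposed_if_data_store_leaks(store):
    """Field names a breach of the data store alone would reveal."""
    exposed = set()
    for row in store.data_store.values():
        exposed.update(row)
    return exposed


if __name__ == "__main__":
    s = SplitStore()
    tokens = [s.add(r) for r in SAMPLE_ENQUIRIES]
    print(s.export_csv(tokens[0]))
    print("data store leak exposes:",
          sorted(fields_exposed_if_data_store_leaks(s)))
    print("stores erased:", s.erase(tokens[1]))
```

The same split would apply to backups and to any CRM or email marketing copy of the data: an erasure is only complete once every store has dropped the token.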

What are the penalties if you don't comply?

Many of you will already be aware of the reported penalties for non-compliance with the GDPR; these are stated as fines of up to 20 million Euros or 4% of a company's annual turnover. The opinion of many is that it is unlikely that small to medium-sized companies will find themselves levied with a hefty fine directly after the 25th of May 2018. This is particularly likely to be the case if they have taken steps towards meeting compliance but haven't quite achieved it. The regulator is far more likely to target companies processing large amounts of data with a flagrant disregard for the regulations first.

That said, this doesn't mean your organisation or company can become complacent. We would strongly recommend that you do work towards achieving compliance with your website and internal processes by the deadline. It's far better to plan for the GDPR now rather than scramble to meet the regulations later.

What action do I need to take?

With the deadline looming, now is the time to act. Putting things off until a month or so away from the deadline is unlikely to allow your company time to implement the changes necessary to meet the GDPR. With some planning and preparation now, you can ensure that your website meets the requirements of the legislation, and you can plan and introduce processes that ensure that your organisation is prepared.

So, what steps should I take?

Audit your website – Conduct an audit of any data on individuals that your website stores and processes. Examine this data and decide whether it is necessary for your business processes to store all of it. If it isn't, then don't store it. Create a map of your data to show how and where personal data is being stored.

Encrypt it – Ensure that you encrypt any data that is stored on individuals. This doesn't just mean when the data is transferred from the customer or contact to the website, but also where it is stored. Where encryption is not practical, data masking should be used.

Audit your web services – Firstly, look at what systems you use to store data and carry out an audit of exactly what is stored and where. Where you use web services to store data on individuals, such as CRM systems or email marketing systems (this includes cloud-based systems outside of the EU), you must seek assurance that the companies storing this information on your behalf comply with the GDPR.

Introduce a process to remove data – The right to be forgotten requires that, if an individual requests that their data be deleted, this is carried out promptly and completely. It is not enough to simply delete the record from the database; you must ensure that their details are deleted from all locations, be that backups or cloud-based services.

Appoint a Data Protection Officer (DPO) – Whilst technically this is only a requirement for larger companies, public sector organisations or companies responsible for processing large amounts of data, we would still recommend that you appoint someone in your company who is responsible for overseeing your GDPR compliance.

Update your website Terms & Conditions and Privacy Policy – These will need to reflect the changes that the GDPR introduces, and you must ensure that you communicate this clearly. We would recommend you take professional legal advice in this matter. We recommend Irwin Mitchell, who have an extensive understanding of the GDPR in this regard.

Be prepared in the event of a data breach – The GDPR states that the relevant authorities, in this case the Information Commissioner, should be informed of a data breach within 72 hours. In certain circumstances, the individuals whose data has been compromised must also be informed. Your organisation needs to be able to respond quickly to this and take remedial action where necessary.

Train your staff – This applies to all staff in your organisation who come into contact with personal data, but is particularly relevant to those who oversee and manage your website and associated web services. They need to understand their responsibilities when it comes to the GDPR and how to implement best practice.

Document everything – The GDPR requires evidence that you have collected and processed data in line with the regulations. It is therefore very important to be able to demonstrate this by having clear documentation of all aspects of your compliance. In most cases the DPO will be the best person to carry out this task.

Introduce data protection impact assessments (DPIAs) – When starting a new website project or making a significant update to an existing website, in certain circumstances you should carry out a DPIA to identify potential risks to individuals' data and take steps to mitigate those risks.

Data portability – Ensure that you have a process in place to deal with data requests from individuals. The data should be provided in an easily transferable format such as a CSV file.

Introduce privacy by design into your website architecture – Looking at areas such as pseudonymisation is a step towards meeting this requirement.

Consent and opting in – Ensure that you meet the requirements for consent by ensuring the design of your website meets the regulations. This means that when you are collecting data, consent must be freely given and the individual must opt in by checking a tick box rather than having it pre-checked. You must state, in language that is easy to understand, how this data will be used and how long it will be stored for.

Final word

Some organisations will view the GDPR as more red tape from Brussels that interferes with their day-to-day business activities. But for the more enlightened, it presents an opportunity to improve the efficiency of your data collection and processing and, in doing so, improve the experience of your customers, which can only be a good thing. With the public's lack of confidence in the security of their data online, the introduction of the GDPR should herald a new era in which trust can be restored. Acting now and taking the steps to become GDPR compliant is not only a requirement but also makes sound commercial sense.

Resources and further reading

Information Commissioner's Office GDPR guide https://ico.org.uk/for-organisations/data-protectionreform/overview-of-the-gdpr/

The General Data Protection Regulation (GDPR) https://gdpr-info.eu/

Irwin Mitchell’s guide to GDPR https://www.irwinmitchell.com/gdpr-2018

About Quba

A digital agency with over 17 years' experience of managing data for our clients and a dedicated technical team that understands the ins and outs of how data is transferred, stored and processed online; we are able to help organisations on their way to becoming GDPR compliant.

We offer an audit service of your website to identify the steps you need to take to meet the new regulations. To find out more about the services we offer for GDPR compliance:

General GDPR issues: Matt Jones - [email protected]

Technical GDPR issues: Mike Payne - [email protected]

Get in touch
www.quba.co.uk
[email protected]
@qubadigital
0114 279 7779

Belgravia House, 115 Rockingham Street, Sheffield, S1 4EB

Disclaimer

This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.