What is the GDPR?
1. The right of access
GDPR gives individuals in the EU (data subjects) the right to know whether you hold personal data about them, what that data is, and how it is processed and used. As an organisation, you are obliged to provide this information on request, normally within one month.
2. The right to be forgotten
People also have the right to be forgotten (the right to erasure). This means that if a person requests it, you are required, in many circumstances (for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent the processing was based on), to cease processing any data you hold about them and delete it.
3. The right to data portability
If you hold data about anyone, they can now ask for the data they provided to you to be passed to them, or directly to another organisation, in a structured, commonly used and machine-readable format. This can make things like passing on ‘no claims’ histories from one insurer to another much easier. However, it also means that customers can use the records you hold about them to get better deals from your competitors.
4. The right to be informed about data breaches
Some organisations have kept serious data breaches secret for months in order to protect themselves from bad publicity and other unwanted consequences. Under GDPR you must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, you must also inform them without undue delay.
5. The right to data correction
Under GDPR, any personal data you hold about an individual must be accurate and, where necessary, kept up to date. If it isn’t, they have the right to demand that it is corrected or completed.
Where can I get more information about GDPR and my compliance obligations?
The GDPR itself is here. The European Union has created an information portal here. A number of companies provide consulting services that help with different aspects of your compliance process. While Web World doesn’t recommend any particular approach to GDPR compliance, your solicitor or regulatory advisor may be able to point you to resources that are helpful, and your national supervisory authority publishes guidance. In Ireland that is the Data Protection Commissioner.
Who does the GDPR affect?
GDPR also brings in tougher data protection obligations for all organisations that collect and process personal data.
1. Data protection by design
From 25 May 2018, organisations are required to implement appropriate technical and organisational measures to protect the personal data and privacy of individuals in the EU, and to build data protection in by design. ‘By design’ means that end-to-end measures need to be planned and put in place so that everything from the collection of data all the way to its safe deletion is taken into account. Part of this is the requirement to undertake a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, in order to identify risks to data and set out the measures that will address them.
2. Creating a Data Protection Officer role
Any organisation whose core activities involve large-scale processing of special-category (‘sensitive’) data, or regular and systematic monitoring of data subjects on a large scale, must appoint a Data Protection Officer (DPO). This individual has responsibility for overseeing data protection, privacy and GDPR compliance, and must be able to act independently and report to senior management. All public authorities (police forces, local councils, government organisations, etc.) must also have a DPO.
3. GDPR extends beyond the EU
GDPR is designed to protect the data and privacy of individuals in the EU. This means any organisation that offers goods or services to people in the EU, or monitors their behaviour, is required to comply with the regulation, whether based in the EU or not. This will have an impact on companies like Google, eBay and Amazon that collect web data from users in the EU. It will also affect many smaller international companies that trade in the EU, for example app-based companies, game providers and online retailers.
4. Big fines for non-compliance
The size of the fines which can be given to organisations that do not comply with GDPR is an indication of how determined the EU is to tackle issues with data protection and data privacy. From 25 May 2018, the maximum fine is €20 million or 4% of an organisation’s annual global turnover, whichever is higher. This can be levied for failing to adhere to the core principles of data processing, infringing data subjects’ rights, or transferring personal data to countries or organisations that do not ensure an adequate level of data protection.
The issue of transferring data to countries or organisations without adequate data protection should be a major concern for any company that has a website. If your web host has data centres outside the EU, the information you collect could be stored there without your knowledge, and unless that transfer is covered by an adequacy decision or appropriate safeguards (such as standard contractual clauses) you may be unwittingly breaching GDPR. The same concern applies if your web host does not provide adequate security, even if it is within the EU: ask your host where your data is stored, who can access it and what contractual protections are in place.
How will Web World comply with GDPR?
- We do not collect or process “sensitive” data (special categories of personal data) that is subject to GDPR.
- We do collect and/or process other personal information subject to GDPR.
- We store some personal information subject to GDPR for set periods of time.
- To facilitate GDPR compliance we are strengthening our data segregation and access policies, our breach response plan, and relationships with vendors who may handle data on our behalf, or on behalf of our customers.
- We will provide detailed information about the types of data we collect or process
- We will include the reasons for that collection or processing
- We will set out the length of time we store the data
- We will indicate whether the data is accessed by third parties on our behalf