GDPR – Some useful information
General Data Protection Regulation
You may be aware of the new GDPR rules governing the handling of personal data, which are to be enforced as of May 25th 2018. The General Data Protection Regulation (GDPR) was introduced by the European Union and will apply regardless of the UK’s departure from the EU. As a web design/digital agency handling a number of web design clients, Totech Web must take any new legislation seriously, and to avoid problems, your company should too.
In essence, these strict regulations replace the already stringent existing ones (the Data Protection Act 1998, which was designed to protect personal data stored on computers or in an organised paper filing system and which followed the EU Data Protection Directive 1995 on the protection, processing and movement of data) with regard to how companies collect, store and use personal information.
At its core, the GDPR aims to give control back to ordinary people when it comes to their personal data, by creating a co-ordinated framework for data protection across all the EU member states. In order to do this, tighter controls must be introduced over those who host and process such data. Many websites also collect data, so GDPR will affect all our clients with website databases and web forms.
These regulations are necessary in the UK, since there are news stories and scandals occurring on a regular basis regarding data breaches, hacks and other online data crimes.
(For more information about GDPR, please click this link.)
What does it consist of?
- The legal right of people to access, correct, delete or transfer personal information held about them on any company system.
- The requirement for citizens to provide explicit consent for their personal data to be held, after which companies must keep a record of this consent.
- The legal obligation for organisations to inform the relevant data authorities and consumers of data security breaches within 72 hours.
Does your company/organisation have to comply?
Yes: if you are a company or organisation which operates within the EU and handles and stores any kind of personal information, then you will have to comply with these new rules. These regulations are going to apply across the board, irrespective of company size or business sector (including web designers).
Preventative action is recommended, particularly since the penalties for non-compliance can be very severe.
Provisions in the GDPR stipulate that fines of up to 4% of a company’s annual turnover (or up to 20 million euros, whichever is higher) can be ordered where violations are serious. It is unclear what constitutes a ‘serious’ violation, but it is important to note that for a small business, such a fine could be catastrophic.
One of the most prominent changes which will be brought in by GDPR is that it places direct responsibilities on data processors for the first time. Data processors are essentially those businesses or people who process personal data on behalf of data controllers (those who determine how and why personal data is processed).
Regarding GDPR and web design, in basic terms the new regulations make the people in charge of website planning or data input responsible too, rather than just the website owner or web hosting company, thus covering a much larger array of people.
We at Totech Web consider it vital to be at the forefront of new changes taking place. It is important to us to be able to implement new directives such as GDPR for our clients.
What are the steps to your compliance?
In order to comply with GDPR, companies/organisations which handle personal data must now:
- fully understand exactly what kind of personal information they hold.
- know where that information is held.
- know who has access to that data.
Data Audit: To establish this, a company-wide data audit is recommended, and ideally it should be carried out as soon as possible.
GDPR Training Sessions: It is important that all employees who have previously handled, or will in the future handle, personal data are made aware of these new regulations. Such employees should fully understand the provisions and what they will mean for the organisation. This includes ALL workers, not just those in senior positions. As such, GDPR training sessions are a good idea in helping uninformed personnel comprehend these new rules.
Update Existing Policies: Companies should update their existing data protection policies and practices, and seek to put in place rigorous schemes to govern them. There should also be a system to quickly detect and respond to any data breaches.
DPO: Companies may need to appoint a dedicated Data Protection Officer: an individual who is responsible for all company-wide personal data. You should look to appoint someone who has expertise in data protection and GDPR in particular. Not all companies/organisations need to assign a DPO. Please click this link to find out if your company needs to appoint one.
GDPR compliance may seem like an overwhelming task for many businesses and organisations. However, all companies and organisations need to start taking action to protect themselves and their customers as soon as possible, if they have not already done so.
Whilst we at Totech Web cannot give actual legal advice about GDPR, we can help clients prepare for it by offering suggestions for their websites.