You may or may not be aware of the looming GDPR rules governing the handling of personal data, which are to be enforced one year from now, as of May 2018. The General Data Protection Regulation (GDPR) was introduced by the European Union and will apply regardless of the UK’s departure from the EU. As a digital agency handling a number of web design clients, we must take any new legislation seriously, and to avoid problems, your company should too.
In essence, these strict regulations will replace the already stringent existing ones with regard to how companies collect, store and use personal information. At its core, the GDPR aims to give control back to ordinary people when it comes to their personal data, by creating a co-ordinated framework for data protection across all the EU member states. In order to do this, tighter controls must be introduced over those who host and process such data. Many websites also collect data, so GDPR will affect all our clients with website databases and webforms.
It is not difficult to see why such regulations are necessary in the UK, since there are news stories and scandals occurring on a regular basis regarding data breaches, hacks and other online data crimes.
What do the provisions include?
- The legal right of people to access, correct, delete or transfer personal information held about them on any company system
- The requirement for citizens to provide explicit consent for their personal data to be held, after which companies must save this consent
- The legal obligation for organisations to inform the relevant data authorities and consumers within 72 hours of a data security breach
Does my company have to comply?
Yes, if you are a company which operates within the EU and handles and stores any kind of personal information, then you will have to comply with these new rules. These regulations are going to apply across the board, irrespective of company size or business sector – of course we web designers will have to conform!
They say that prevention is better than cure and this is certainly the case when it comes to GDPR, particularly since the penalties for non-compliance can be very severe.
Provisions in the GDPR stipulate that fines of up to 4% of a company’s annual turnover (or up to 20 million euros, whichever is higher) can be ordered where violations are serious. It is unclear what constitutes a ‘serious’ violation, but it is important to note that for a small business, such a fine could be cataclysmic.
One of the most noteworthy changes which will be brought in by GDPR is that it places direct responsibilities on data processors for the first time. Data processors are essentially those businesses or people who process personal data on behalf of data controllers (those who determine how and why personal data is processed).
Regarding GDPR and web design, in simple terms, the new regulations now make the people in charge of website planning or data input responsible too, rather than just the website owner or web hosting company, thus covering a much larger group of people.
It is therefore a good idea to work with professional, forward-thinking web design and SEO agencies who are always at the forefront of new technology and can actively implement any new directives such as GDPR for clients. Perhaps it’s time to consider KD Web if you have concerns.
What practical steps do I need to take to comply?
In order to comply with GDPR, companies which handle personal data must now fully understand exactly what kind of information they hold, where they hold it and who has access to that data. To establish this, a company-wide data audit is recommended and ideally, this will be carried out as soon as possible.
It is important that all employees who have previously handled, or will in the future handle, personal data are made aware of these new regulations. Such employees should fully understand the provisions and what they will mean for the organisation. This includes ALL workers, not just those in senior positions, and as such, GDPR training sessions are a good idea in helping uninformed personnel comprehend these new rules.
Moving forward, companies should update their existing data protection policies and practices and seek to put in place rigorous schemes to govern them. There should also be a system to quickly notice and respond to any data breaches.
Furthermore, companies will need to appoint a dedicated Data Protection Officer: an individual who is responsible for all company-wide personal data. It is obviously a no-brainer that you should look to appoint someone who has expertise in data protection and GDPR in particular.
GDPR compliance may seem like an overwhelming task for many businesses, but the reality is that it is coming and all businesses must start taking action to protect themselves and their customers sooner rather than later.
While KD Web cannot give actual legal advice on GDPR – we can help clients with suggestions on gearing up for their web design GDPR needs and can also help with implementation of those suggestions.