What You Need To Know About GDPR

The General Data Protection Regulation (GDPR) enforcement date is the 25th May 2018. The purpose of GDPR is to apply a single set of data protection laws across all the countries within the European Union. It ensures that EU citizens understand how their data is being used. It also gives them the opportunity to make a complaint even if they are not in the country where their data is being processed.

The main question most business owners ask is:

“Is my company going to be impacted?”

If you are either a controller or processor of personal data, it will affect you. If you are neither, it is still beneficial for you to read on so you are aware of the changes. It is also important you understand how your own personal data is being handled by other companies.

A controller determines the purposes and means of processing personal data, and must ensure that its contracts with processors comply with GDPR. A processor is responsible for processing personal data on behalf of a controller, and is required to maintain records of the personal data it holds and of its processing activities.

GDPR requires you to disclose what personal data you have collected about customers, including name, address, IP address or banking details. Customers have the right to request access to this information. Currently you are allowed to charge the customer £10 for providing it; under GDPR you will have to provide the information free of charge. If a request is found to be groundless or excessive, you can refuse it or charge a fee. However, if you refuse a request you must tell the individual why, and that they have the right to complain to the supervisory authority and to the courts.

Under some circumstances, the new regulation gives individuals the right to have their personal data erased. This applies if the data is no longer needed for the purpose it was collected, if consent has been withdrawn, or if the data was unlawfully processed.

A privacy notice is a statement or legal document that discloses the ways a party gathers, uses, and manages a customer or client’s data. It fulfils a legal requirement to protect a customer or client’s privacy. It is important that you explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request. Individuals have the right to complain to the ICO (Information Commissioner’s Office) if they think there is a problem with the way you are handling their data.

Information must be provided in concise, clear and easy-to-understand language. This will reduce confusion for your clients and make life easier on both sides.

GDPR includes the following rights for individuals:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision making including profiling.

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent. Only children 13 years and over can give their own consent.

The right to data portability is new. It only applies:

  • To personal data an individual has provided to a controller
  • Where processing is based on the individual’s consent or for the performance of a contract
  • When processing is being carried out by automated means

If an organisation doesn’t process an individual’s data in the correct way, the company can be fined. A company can also be fined if there is a security breach, or if the business does not have a data protection officer where one is required.

If a data breach occurs, you only need to notify the ICO where the breach is likely to result in a risk to the rights and freedoms of the individual.

Such risks can include:

  • Discrimination
  • Damage to reputation
  • Financial loss
  • Loss of confidentiality
  • Any other significant economic or social disadvantage.

You should designate someone to take responsibility for your data protection compliance. The Data Protection Officer can be an existing member of staff, or you can hire someone to fulfil the role.

Here at Hex, we can do this for you and we guarantee that your website will be live by Friday 25th May 2018. Please email us for any enquiries and we will be happy to help you as best as we can!