GDPR

We know GDPR isn't sexy or interesting but its implications are serious for all business owners. As such we urge that you read through the whole of this page and take action. Remember, we are here to help you with any web related issues, just get in touch! 😃

Please note: Whilst we hope this is super informative for you, we must stress this is a guide and nothing more. Duck On Water is not qualified to provide legal advice and the contents of this page mustn't be taken as such. We strongly recommend that if you are uncertain regarding anything GDPR that you get professional legal advice (just make sure that the legal professional really knows their stuff when it comes to GDPR and that they understand your specific business).

What is GDPR?

GDPR (General Data Protection Regulation) is intended to strengthen individuals’ rights and unify data protection rules across the EU through stricter personal data handling requirements and higher fines for non-compliance. The GDPR applies the processing of data subjects’ personal data by any size of EU or non-EU organisation that provides goods or services to the EU or monitors EU users’ behaviour.What is personal data?

The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs.
For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and includes things like race, religion, political opinions, health data, etc. Personal data can even include data about an individual that has been hashed or encrypted.

Does it affect me, business, my website?

Yes.
Individuals, organisations, and companies that are either 'controllers' or 'processors' of personal data will be covered by the GDPR.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address etc (for example: ecommerce websites require contact information and this is stored in the website as well as emailed out).
Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes (for example newsletter subscribe forms on websites). Where GDPR differentiates from current data protection laws is that pseudonymised personal data can fall under the law – if it's possible that a person could be identified by a pseudonym.

Whats the difference between a data controller and processor?

Not everyone that handles the personal data of individuals is the same and data protection laws allow for this by having two different terms: controller and processor. Here's what they mean.

Controller
A controller is an entity that decides the purpose and manner that personal data is used, or will be used.

Processor
The person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.

Personal data, who has access?

Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information.
Requests for personal information can be made free-of-charge. When someone asks your business for their data you use provide it within one month.
The new regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, and if it was unlawfully processed.

How long do I have to sort it?

GDPR will go into effect on May 25, 2018.

Who is in charge of GDPR in the UK?

Government
The Department for Culture, Media and Sport is the government arm responsible for ensuring that UK law complies with the requirements of GDPR. The government body is responsible for creating the UK's Data Protection Bill but won't have control of the day-to-day elements of GDPR once it is enforced.

The Regulator
Once the provisions of GDPR become law in the UK, the Information Commissioner's Office (ICO) will be responsible for enforcing them. The ICO has the power to conduct criminal investigations and issue fines. It is also providing organisations with huge amounts of guidance about how to comply with GDPR.

Who will enforce it in the UK?

The Information Commissioner's Office. Elizabeth Denham is the UK's information commissioner in charge of data protection enforcement.

Does Brexit matter?

The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes but our own law will be largely the same.What happens if I don’t get compliant?

GDPR fines have been much talked about and with good reason. Monetary penalties will be decided upon by Denham's office and the GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm's global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater). These are larger than the £500,000 penalty the ICO can currently wield and, according to analysis, last year's fines would be 79 times higher under the new regulation.

Ok, so how do I become compliant?

First identify if you are a “data controller” or a “data processor” (or potentially both). Then go through the ico’s self assessment questionnaire, this is a very good starting point as it will help guide you through the process of what you need to do.
Pro tip 1: Always select the “More Information” option as this gives detailed info and instructions on what to do.
Pro tip 2: Leave all questions as “Not yet implemented” then click through each page, at the end you will be presented with an overall rating along with details of all the suggested actions to take (this is a real time saver).

Can Duck On Water help with GDPR?

We sure can, however as each of our clients businesses are so different we will need to tailor what we can do on an individual basis. Please get in touch once you have been through the ico’s self assessment questionnaire. We can then help draw up a plan of how to get your web related things in order.

As an example of the things we can help with:

  • Contact forms (amending or creating new versions)
  • Newsletter and other subscription forms
  • Booking systems
  • Membership websites
  • Ecommerce websites
  • User surveys
  • Tracking analytics
  • Implementing an SSL certificate for website
  • Improving website security
  • New Privacy Policies and site Terms & Conditions
  • Permission pass campaigns to make customer/user subscriber lists compliant (e.g. your newsletter send lists)

Want more info?

We don't claim to have all the answers. In between a lot of GDPR hype there are some incredibly useful resources that have been published on the regulation.
Here's where to go if you're looking for more in-depth reading:

  • The full regulation. It's 88 pages long and has 99 articles.
  • The ICO's guide to GDPR is essential for both consumers and those working within businesses.
  • EU GDPR is the Union's official website for the regulation. It details all you need to know and has a handy countdown clock for when GDPR will come into force.
  • The EU's Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.

Any other tips for my business as a whole?

It’s not just your website that needs to be GDPR compliant, GDPR will permeate your entire business.
As such we have the following suggestions to help manage and secure your client/users/customers data:

You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
Checking ALL your customer/client information is vital to be sure that you know exactly what you have and where. That way you are always prepared if you need to provide it or delete it as requested.

Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
This can be used internally for staff and also for clients/customers upon request. It will help keep your existing and future data compliant whilst being able to show to customers that you take their privacy seriously.

Do you need to either gain or refresh consent for the data you hold?
This could be from all kinds of sources, check all the data you hold and where needed get new consent for it.

Is your data being held securely, keeping in mind both technology and the human factors in data security?
You don't need to be an IT specialist to get your data in order and managed. Below are a list of tools and services that can help you get sorted asap:

  • LastPass - Cloud based password manager allows total control over who has access to passwords, if you are using a document hidden on your computer of phone or have that “password book” hidden in your office then you need to scrap them and use a password service asap.
  • NordVPN - secures your internet connection both in the office and when using public WiFi.
    Digital Scanning Services - rather than storing customer details in the office where they are at risk, you could get them scanned and digitised making them more secure and easy to access and organise. There are many services that provide this.
  • Secure Encrypted Backups - do you backup all your computers? If so are you just relying on external hard drives? Are those hard drives encrypt? Then you are not protected. Even if you have external drives with encryption what happens if they are lost in fire or worse stolen. We recommend using a cloud based backup system in partnership with external backups to make sure your data is secured.
    At Duck ON water we use Dropbox and Backblaze for cloud backup along with encrypted external drives backing up using TimeMachine and Carbon Copy Cloner.

Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
Your business insurer should be able to provide you with the details of cover you have with them. We also recommend that if you are in any doubt that you consult a legal professional that has a strong understanding of GDPR and your business area.

And thats it for now, we will try and keep this info updated and notify of any changes.

And you're done!
Go have yourself a KitKat, you deserve it.👍

PLEASE NOTE THAT THIS INFORMATION WAS ACCURATE AT THE TIME OF WRITING BUT SOME OF IT MAY NO LONGER BE CURRENT AS SOME THINGS HAVE CHANGED REGARDING GDPR SINCE THAT TIME.