{"id":1351,"date":"2018-04-06T12:59:48","date_gmt":"2018-04-06T11:59:48","guid":{"rendered":"https:\/\/duckonwater.com\/?page_id=1351"},"modified":"2023-01-19T00:41:12","modified_gmt":"2023-01-19T00:41:12","slug":"gdpr","status":"publish","type":"page","link":"https:\/\/duckonwater.com\/gdpr\/","title":{"rendered":"GDPR"},"content":{"rendered":"\r\n

GDPR

We know GDPR isn’t sexy or interesting, but its implications are serious for all business owners. As such, we urge you to read through the whole of this page and take action. Remember, we are here to help you with any web-related issues, just get in touch! 😃

Please note: Whilst we hope this is super informative for you, we must stress that this is a guide and nothing more. Duck On Water is not qualified to provide legal advice and the contents of this page mustn’t be taken as such. We strongly recommend that if you are uncertain regarding anything GDPR-related, you get professional legal advice (just make sure that the legal professional really knows their stuff when it comes to GDPR and that they understand your specific business).

What is GDPR?

GDPR (General Data Protection Regulation) is intended to strengthen individuals’ rights and unify data protection rules across the EU through stricter personal data handling requirements and higher fines for non-compliance. The GDPR applies to the processing of data subjects’ personal data by any size of EU or non-EU organisation that provides goods or services to the EU or monitors EU users’ behaviour.

What is personal data?

The GDPR definition of personal data includes what we typically consider personally identifiable information (PII), such as name, passport number, birth date, etc., but it also includes data that we might consider to be non-PII, like IP addresses or device IDs.
For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data”. Special categories of personal data are a specific list of data types, expressly set out in the GDPR, and include things like race, religion, political opinions, health data, etc. Personal data can even include data about an individual that has been hashed or encrypted.

Does it affect me, my business, my website?

Yes.
Individuals, organisations and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means any piece of information that can be used to identify a person. This can be a name, address, IP address, etc. (for example, ecommerce websites require contact information, and this is stored in the website as well as emailed out).
Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation and more.
These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes (for example, newsletter subscribe forms on websites). Where GDPR differs from current data protection laws is that pseudonymised personal data can also fall under the law, if it is possible that a person could be identified from the pseudonym.

What’s the difference between a data controller and a data processor?

Not everyone that handles the personal data of individuals is the same, and data protection laws allow for this by having two different terms: controller and processor. Here’s what they mean.

Controller
A controller is an entity that decides the purpose and manner in which personal data is used, or will be used.
Processor
The person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.

Personal data: who has access?

Everyone will have the right to get confirmation that an organisation holds information about them, access to this information and any other supplementary information.
Requests for personal information can be made free of charge. When someone asks your business for their data, you must provide it within one month.
The new regulation also gives individuals the power to have their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose for which it was collected, where consent is withdrawn, where there is no legitimate interest and where it was unlawfully processed.

How long do I have to sort it?

GDPR will go into effect on May 25, 2018.

Who is in charge of GDPR in the UK?

Government
The Department for Culture, Media and Sport is the government arm responsible for ensuring that UK law complies with the requirements of GDPR. This government body is responsible for creating the UK’s Data Protection Bill but won’t have control of the day-to-day elements of GDPR once it is enforced.
The Regulator
Once the provisions of GDPR become law in the UK, the Information Commissioner’s Office (ICO) will be responsible for enforcing them. The ICO has the power to conduct criminal investigations and issue fines. It is also providing organisations with huge amounts of guidance on how to comply with GDPR.

Who will enforce it in the UK?

The Information Commissioner’s Office. Elizabeth Denham is the UK’s Information Commissioner, in charge of data protection enforcement.

Does Brexit matter?

The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes, but our own law will be largely the same.

What happens if I don’t get compliant?

GDPR fines have been much talked about, and with good reason. Monetary penalties will be decided upon by Denham’s office, and the GDPR states that smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). More serious offences can attract fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). These are far larger than the £500,000 penalty the ICO can currently wield and, according to analysis, last year’s fines would have been 79 times higher under the new regulation.

Ok, so how do I become compliant?

First, identify whether you are a “data controller” or a “data processor” (or potentially both). Then go through the ICO’s self-assessment questionnaire; this is a very good starting point, as it will guide you through what you need to do.
Pro tip 1: Always select the “More Information” option, as this gives detailed info and instructions on what to do.
Pro tip 2: Leave all questions as “Not yet implemented” and then click through each page; at the end you will be presented with an overall rating along with details of all the suggested actions to take (this is a real time saver).

Can Duck On Water help with GDPR?

We sure can; however, as each of our clients’ businesses is so different, we will need to tailor what we can do on an individual basis. Please get in touch once you have been through the ICO’s self-assessment questionnaire. We can then help draw up a plan for getting your web-related things in order.

As an example of the things we can help with: