General Data Protection Regulation (GDPR) compliance is an upcoming issue for British websites, though it is one they too often know little about. About half of the businesses surveyed recently were somewhat unfamiliar with the rules, and even those who were aware often had no idea what to do to get into compliance. Yet the rules apply from 25 May 2018. Here is what you need to know about GDPR compliance.
Why General Data Protection Regulation Is Going Into Effect
The General Data Protection Regulation, or GDPR, builds on existing data protection law rather than starting from scratch. It will harmonize data privacy rules across Europe, give individuals more rights over their personal data and set stronger protection for that data. If you already comply with the Data Protection Act, GDPR compliance is one more step, not a fresh start.
Why GDPR Compliance Is Critical
GDPR applies to any organisation that controls or processes personal data about individuals in the EU, whether or not the organisation itself is based there. Data controllers decide how and why personal data is processed. A controller could be anything from a user forum about a niche subject to an ecommerce site collecting customer details as part of the purchasing process. Data processors handle personal data on a controller's behalf and on its instructions: a website owner running a service for someone else, a search engine optimisation firm analysing a client's customer data, or IT professionals looking for potential cases of fraud. A site that both decides what to collect and does the processing itself is a controller, and a controller stays responsible for what its processors do with the data.
Businesses face higher fines for non-compliance with data protection rules, whether they are controllers or processors, and a breach of personal data now has to be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to the individuals concerned. The maximum penalty rises from £500,000 under the Data Protection Act to €20 million or 4% of worldwide annual turnover, whichever is higher. Processors could not be fined directly under the Data Protection Act; under GDPR they can, so a processor involved in a data breach is exposed in a way it was not before.
A General Overview of the Requirements Set by GDPR
GDPR says that data controllers must process personal data lawfully, fairly and transparently, and only for specified purposes. Every collection of data needs a lawful basis, so expect the rules about what information you can collect and whom you can collect it on to stay broadly the same, except that they will now apply to all of your EU customers.
The lawful bases are much the same as before: you can collect data as necessary to perform a contract with the person, to meet a legal obligation, or to protect someone's vital interests (an emergency involving their medical records, say). Processing with the person's consent is lawful, as is processing for a task in the public interest or for a legitimate interest that is not overridden by the individual's rights; if you rely on legitimate interests, write down why you think the balance falls your way.
Processing must be transparent. You have to explain in plain language what data you collect, what you do with it and how it is processed. Transparency comes with accountability: where you rely on consent, it must be a clear affirmative action (no pre-ticked boxes, and silence does not count), it must be as easy to withdraw as to give, and you must be able to show it, so record how and when someone gave consent, which version of your notice they saw, and when they withdrew it. And data collection must be for a specific purpose stated up front, not for whatever might turn out to be useful later. Sorry, Google, no more slurping data as people leave your website in the vague hope it will come in handy somehow.
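One way to meet the record-keeping point above in code, as an added example that is not from the original article: a small append-only consent ledger that records how and when each consent was given or withdrawn, which notice version the person saw, and answers whether consent for one specific purpose was valid at a given moment. The class and function names (ConsentLedger, ConsentEvent, utc, example_scenario) are illustrative assumptions, and the user and timestamps in the scenario are constructed.

```python
# Added example, not from the original article: a purpose-bound consent ledger
# of the kind a site would keep to show how and when consent was given and
# withdrawn. The names used here (ConsentLedger, ConsentEvent, utc) are
# assumptions, not an API from any library.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; naive timestamps are rejected below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # who: your own pseudonymous user id, not an email address
    purpose: str           # the specific purpose this consent refers to
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # when, always timezone-aware
    how: str               # mechanism, e.g. "signup-form-checkbox"
    notice_version: str    # version of the privacy notice shown at the time


class ConsentLedger:
    """Append-only record of consent events; nothing is ever edited or deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if not event.purpose or event.purpose.strip().lower() in {"any", "all", "*"}:
            # A blanket purpose is not a specific purpose; refuse to record it.
            raise ValueError("consent must name a specific purpose")
        self._events.append(event)

    def grant(self, subject_id: str, purpose: str, how: str,
              notice_version: str, at: datetime) -> None:
        self._append(ConsentEvent(subject_id, purpose, True, at, how, notice_version))

    def withdraw(self, subject_id: str, purpose: str, how: str, at: datetime) -> None:
        # Withdrawal is its own event, so the history stays complete.
        self._append(ConsentEvent(subject_id, purpose, False, at, how, ""))

    def is_valid(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True only if the most recent event for this subject and purpose at or
        before `at` is a grant. A purpose never consented to returns False."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Every event for a subject, oldest first: what you would export on a
        subject access request or show an auditor."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def example_scenario() -> dict:
    """Constructed walk-through: one user consents to a newsletter at sign-up
    and withdraws a month later; the dict holds the checks that matter."""
    ledger = ConsentLedger()
    signup = utc(2018, 5, 25, 9, 0)
    ledger.grant("user-42", "newsletter", "signup-form-checkbox", "privacy-notice-v2", signup)
    optout = utc(2018, 6, 24, 18, 30)
    ledger.withdraw("user-42", "newsletter", "account-settings-toggle", optout)
    return {
        "newsletter_after_signup": ledger.is_valid("user-42", "newsletter", utc(2018, 5, 26)),
        "newsletter_before_signup": ledger.is_valid("user-42", "newsletter", utc(2018, 5, 24)),
        "profiling_never_asked": ledger.is_valid("user-42", "profiling", utc(2018, 5, 26)),
        "newsletter_after_withdrawal": ledger.is_valid("user-42", "newsletter", utc(2018, 6, 25)),
        "events_on_record": len(ledger.history("user-42")),
    }


if __name__ == "__main__":
    for name, value in example_scenario().items():
        print(f"{name}: {value}")
```

Two design choices carry the legal points: the ledger is append-only, so withdrawal never erases the record of the original consent, and validity is answered per purpose, so consent to a newsletter says nothing about profiling. A real deployment would persist the events and key them by a pseudonymous id rather than an email address.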
Complying with GDPR requires changes ranging from updating user agreements and privacy policies to altering how you document that someone gave consent to have their data collected in the first place. Failure to comply with GDPR leaves your business open to fines and penalties, so make sure you understand what steps you need to take to be compliant.