A 5 Minute Guide To GDPR.

Unless you’ve been living under a rock the past few years then you will have heard about GDPR and how these changes to the law could potentially affect your business. You may be wondering how your business in particular can stay on the right side of the law, especially if you make use of mailing lists and collect personal information from your customers and website users.  

To understand the risks associated with GDPR it’s important to know a bit more about what the law is and what it’s designed to do. Essentially, it was brought in to protect users from having their data misused, and it places a high emphasis on the importance of consent and proper data management. 

The new GDPR legislation is designed to be an updated and more robust version of the Data Protection Act of 1998 which grants more protection to consumers. The aim is to ensure that businesses have effective and compliant ways of collecting and storing users’ information, and to prevent other companies from getting their hands on individuals’ data without their expressed consent. 

The main differences between the original Data Protection Act and GDPR are as follows:

• The definition of ‘personal data’ has been expanded to include information which was previously unprotected. 
• Companies must seek specific and explicit consent in order to collect and store personally identifiable information such as email addresses. 
• Further to the above point, users also have a right to be ‘forgotten’ and have their personally identifiable data removed from databases after a certain amount of time even if express consent is given. 
• Users must actively opt in to mailing lists and other data processing rather than using ‘soft’ opt ins.
• Some businesses are required to appoint data protection officers who will be responsible for making sure data collection within the company is compliant with new GDPR legislation.
• New legislation extends to companies outside the EU which deal with data from EU sources. 
• Companies are now operating with a duty to report any data breaches to the Information Commissioner within a predetermined time frame.
• More extensive penalties have been introduced for those found to be non-compliant including fines of €20 million or more. 

These points represent big changes in the way businesses handle their customers’ and site users’ data, and you do need to be aware of them and how they will affect your operations. To assess your site for GDPR compliance you can use the following list as a starting point:

• A privacy notice must be listed on your site which details how and why data is collected as well as how it will be used and how long it will be kept for.
• When collecting new user information you must make sure your process takes users’ new extended rights into consideration
• Express consent must be given for any data collected, and if this data comes from children then age verification and express parental consent must be sought. 

It’s a good idea to carry out an audit of all the data you currently store to make sure it is compliant as previous ‘soft’ opt-ins may no longer be permitted under the new guidelines. You should also bear in mind that data which has been on file for a while may be infringing on users’ rights to be ‘forgotten’ after a certain time frame, so look into this too. 

This is especially important if your business utilises email marketing to engage with customers and users, so be sure to ensure all of your databases are compliant and in line with the new law. If you are new to email marketing, then it’s good practise to make sure your venture is compliant before you start collecting information. 

A further note we’d like to add is that cookies are also covered under GDPR changes. If you want to make use of cookies on your site then you must also get consent from your users. You are obliged to let users know that the cookies are there, what they are for and why, and you must seek the user’s consent to use the cookies with their device. 

Of course, we’re web design specialists not legal practitioners, so this information is only intended to be a starting point for your business. We’d always recommend getting assistance from a professional who specialises in GDPR and data protection if you’re unsure of anything. 

When it comes to building a newsletter opt in form and making sure your privacy notice is up and running correctly then it’s highly recommended that you consult with a specialist. Luckily, this is something we carry out regularly and are more than happy to help with.