GDPR stands for General Data Protection Regulation. It’s the new data protection law by the European Union which comes into effect on 25 May 2018.
While the law was created for the European Union, it doesn’t only apply to EU businesses.
It applies to any business, anywhere in the world, that processes personal data relating to an individual in the European Union.
Whether you’re in Australia, Canada, Mexico or even Antarctica, if your website handles the data of any user from the European Union, you will need to adjust a few things to comply with GDPR.
What are the GDPR principles?
Principle 1
“Data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;”
What this means:
Ensure you have a lawful basis for handling a user’s personal data, and tell them about it.
Principle 2
“Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;”
What this means:
You must have lawful reasons for collecting a user’s personal data, and you can only use their data for these reasons. Don’t assume that just because you have collected their data, you can use it for a purpose you haven’t told them about. You can’t.
Principle 3
“Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
What this means:
Only collect the data you need, and no more.
Principle 4
“Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
What this means:
Keep personal data up-to-date and free from errors.
Principle 5
“Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.”
What this means:
Once you’re finished with the personal data, you must delete it. You can, however, keep hold of personal data only for archival purposes in the public interest, scientific or historical research purposes or statistical purposes.
Principle 6
“Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
What this means:
Ensure the security of the user’s data. Do everything in your power to keep personal data safe.
Principle 7
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
What this means:
Show that you understand the laws and are compliant with them. Have a privacy policy that talks about the data you are collecting and what you’re doing with it. Make it easy to understand, and respond to any requests from people enquiring about their data.
What rights do users have under the GDPR?
The GDPR also defines the rights of individuals.
If you need to respond to a user’s request under one of these rights, you have one month to respond and take action. That’s one month from the date you receive the request.
- Right to be informed; individuals have a right under the GDPR to be informed that you’re collecting their data for a particular purpose. You need to let people know why you’re collecting their data, for how long you’ll be keeping their data, and whom it will be shared with.
- Right of access; a person is entitled to access their personal data as a way to request rectification or erasure of their personal information (see the next two points). They are also entitled to lodge a complaint under this right and be informed about the safeguards put in place if their data is transferred to a third country or international organisation.
And no, you can’t charge someone a fee when they ask for access to and information about their data. But you can charge a reasonable fee when their request is manifestly unfounded or excessive (think overly repetitious).
- Right to rectification; a person has a right under the GDPR to have their data corrected if it is inaccurate. This right is closely linked with one of the principles of the GDPR that deals with maintaining accurate data. This right is fairly straightforward; if someone realises their data is wrong and they ask you to correct the error, then you need to comply with their request.
- Right to erasure; a person can ask you to erase their data. However, this is not an absolute right and only applies in certain circumstances. If the purpose for which you collected the data is no longer necessary or required, then a person can request to have their data erased. Keep in mind that if you are relying on a legitimate interest as the basis for processing someone’s data, a person can make a valid request to have their data erased if there is no legitimate interest in continuing to process their data. For example, where a newsletter subscriber doesn’t want to receive your company updates anymore. You must also erase a person’s data where you need to comply with a legal obligation.
- Right to restrict processing; this right is where someone asks you to restrict the processing or use of their data. Similar to the right of erasure, it is not absolute and only applies in certain circumstances. One of these circumstances is if the data has been unlawfully processed. Restriction of data might mean that you store the person’s information but do not process it. A simple example: if someone asks you to stop sending them promotional emails, then you need to stop sending them emails; the data still exists; you just can’t use it for that purpose anymore, at least until the person provides consent again.
- Right to data portability; you will need to be mindful of this right depending on the type of organisation you are and the data you collect. A person has a right under the GDPR to obtain and use their personal data for their own purposes across different services. The way you comply with this right is by making sure the data is available in commonly used forms (such as CSV files) and that the data can be specifically extracted if required. You may also be required to transfer the data directly to another organisation—so data needs to be stored in a way that makes this possible.
- Right to object; an individual has a right to object to their data being processed. This includes direct marketing (including profiling) and processing based on a legitimate interest. An individual must have grounds to object based on their own situation. However, where someone objects to their data being processed for direct marketing, you must stop processing their data as soon as you receive the notice. There are no exceptions to this part of the right.
- Rights related to automated decision making including profiling; there are a few GDPR rights in relation to automated decision making. An individual has a right to object to an assessment being made about them by a machine where the outcome of that assessment may have a legal impact on them. A person is legally entitled to bypass any automated systems and be assessed by a human, rather than a machine. An example might be an automated decision on a loan. Another might be an online aptitude test used in a recruitment process. This is interesting, given the continued rise of automation over the past few years.
I sell products online, do I need to be GDPR compliant?
Are you processing any personal data about EU citizens? If the answer is yes, then GDPR applies to you.
What should I do next?
- Audit the personal information your website holds, where it came from and who you share it with.
- Delete any personal data that you don’t need, or that you didn’t obtain lawfully.
- Document procedures to account for users’ rights under the GDPR, e.g. their right to erasure.
- Update your privacy policy. It should include what data you collect, the reason for it, which ‘lawful basis for processing’ that data applies to, along with your procedures to account for users’ rights as mentioned above.
- Review how you are collecting data.
- Ensure you have the correct security and safeguards in place to protect personal data.