We're getting an increasing number of queries regarding the GDPR, and we are seeing a number of misconceptions about what it is and what it means for website owners. The purpose of this post is to firstly outline explicitly that Kualo are committed to being fully GDPR compliant by 25th May 2018. Secondly, we aim to address a number of general points with regards to what the GDPR is, and what you need to do to ensure that you are also compliant.
In summary, if you collect any personal data for EU residents, or if you provide the means for others to collect this data, you must ensure you are GDPR compliant and we strongly recommend reading on.
In what follows we outline the basics of the GDPR.
It is, however, a complex area - we are writing this for informational purposes only. We recommend that you conduct your own research and/or seek professional assistance, our guidance alone should not be relied on for any reason.
What exactly is the GDPR?The GDPR is the EU's new data protection regulation, designed to harmonise the data privacy laws across Europe, and is the most important change in data privacy regulation in the last 20 years.
It applies to all businesses that collect data from or monitor the behaviour of EU residents, meaning it not only applies to EU businesses, but businesses in any country worldwide who deal with the data of EU residents. The bottom line is businesses worldwide are required to collect data more securely - which can only be a good thing, particularly in the wake of recent data collection scandals hitting the headlines.
What are the key points?The GDPR includes 99 articles, so there is a huge amount in there to digest.
The key changes that the GDPR brings in are as follows:
Increased transparency and explicit consent.All businesses will need to obtain consent to use a persons data for certain purposes, including marketing. This consent will have to be informed (i.e. people understand what they are agreeing to) and cannot be hidden in terms and conditions and legalese. You need to be able to prove clear and affirmative consent to process that data.
Increased ease of access to personal data.If you hold personal data, people have the right to request the data you hold relating to them, free of charge, and within one month of their request. From a practical standpoint, you therefore need to be in a position to provide them with their data on request.
Data minimisation, and the right to be forgotten.Under the GDPR, you should be collecting only data that is adequate, relevant and limited to strictly what is necessary. The data should only be held for as long as is necessary to complete the original purpose of collecting this data, and this purpose should also not change without obtaining further explicit consent. People also have the 'right to be forgotten' - which means that they can request that all of the personal data you hold on them be deleted upon request, without undue delay. In a practical sense, this means that you have to have processes in place to erase data on request. If this data collection forms part of a contract, there may be certain elements of data which may not be able to be deleted for legal or compliance reasons - for example in the UK, financial records need to be kept for at least 6 years.
New obligations for data processors.Under present legislation, obligation rests solely with the data controllers. Under the GDPR, data privacy obligations are shared by both data controllers, and data processors. A data controller is the person who collects the data from an individual - so to put this into context, if you collect personal information on your website via a form, you would then be the data controller for that information. If that website is hosted with Kualo, we would be the data processor, as it resides on our servers. To complicate things further, if you are a reseller of our hosting services, for example if you are a web designer building and hosting websites for your clients using our servers, you would also be considered a data processor as you would have access to that data.
These new obligations include taking adequate security measures to protect the data, restrictions on the transfer of data to third countries, and an obligation to notify following data breaches amongst others. This is a complex area and we have expanded on this in a separate post.
You may need to appoint a Data Protection OfficerIf you are a public body, or if you collect certain types of very sensitive data, or if your core activity requires large scale, regular and systematic monitoring of individuals, you must appoint a Data Protection Officer, or DPO. The DPO must be independent, an expert in data protection, adequately resourced and must report to the highest management level.
Breach NotificationsIf a breach of data privacy occurs, if you are a data controller, you have a mandatory obligation to notify your supervisory authority within 72 hours (in the UK, that's the Information Commissioner's Office). You also have to notify the affected data subjects where the breach is likely to result in a "high risk" to their rights (though what constitutes high risk is vague). Data processors are also obliged to report any breaches detected, but only to the data controller. More information can be found here.
Greater AccountabilityThe GDPR introduces a new concept of accountability, which requires that you are able to demonstrate how you comply with the GDPR. You must additionally keep detailed records of your processing activities, and implement appropriate technological and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. In businesses with fewer than 250 employees, there are reduced record keeping requirements, with some exceptions depending on the data or scope of data collected.
Does this apply to me?In a nutshell, almost certainly.
The GDPR also applies to businesses of all sizes, including sole traders.
What are the consequences of non-compliance?Non-compliance can lead to serious fines.
If your organisation doesn't process an individual's data in the correct way, it can be fined.
If it requires and doesn't have a data protection officer, it can be fined.
If there's a security breach, it can be fined.
These fines can also be extremely large. Smaller offenses could result in fines of up to €10 million or 2% of a firm's global turnover (whichever is greater). Offenses with more serious consequences could result in fines of up to €20 million or 4% of a firm's global turnover (again, whichever is greater). These fines are so large that they could cause a small business to fold.
But... don't panic.
If you're a small business (and you're not in business to pull the next Cambridge Analytica scandal), remember that first and foremost, the GDPR is about putting the rights of individuals first - and in the current climate, that's a good thing.
Indeed, the Information Commissioner's Office has sought to reassure businesses that they won't be seeking to make early examples of organisations for minor infringements, that maximum fines will not be the norm, and that they have "always preferred the carrot to the stick".
The important thing is that you start putting measures in place to comply now so that you can achieve compliance by the deadline.
A Shared Obligation for Data SecurityUnder the GDPR, we have obligations both as a data controller (for the personal data we store and control about our own customers) and as data processor (for data we store but do not control, i.e. typically your client's personal data uploaded to our servers).
If you hold personal information on our servers, you will act as data controller, and we will act as data processor.
If you share any of this information with any third parties (email marketing providers, live chat software, SaaS applications etc.) then they will also act as data processor and you, as data controller, are required to ensure that they are also GDPR compliant.
This 'shared responsibility' on data security responsibility is one of the striking changes that the GDPR introduces, and have written a more detailed post that explains our obligations under this in more detail.
What happens next?We are currently in the process of updating our terms of service, finalising new policies and procedures to ensure that we, and any 3rd party companies we contract, meet GDPR compliance. We will be contacting all of our customers as appropriate to inform you of these changes.
Once again, it is also important that if you collect, or have the potential to collect, personal data for any EU resident, that you also comply with the GDPR. We strongly recommend that if you have not started the process of complying already, that you do so immediately. As outlined above, one of the key components of GDPR compliance is that you can actually demonstrate your compliance with it, which may involve updating your own terms of service, privacy policies and internal procedures, as well as processes for collecting and processing personal data.
Useful Resources:If the GDPR seems daunting, unfortunately this is because it is. Over the course of the coming days and weeks we will be publishing further blog posts which drill into some of the more specific details of GDPR compliance, including concrete steps to take, and more information on our own compliance.
In the meanwhile, we'd strongly recommend that you review the following resources:
- The Information Comissioner's Office Guide to the GDPR
- IT Governance List of Free GDPR Resources
- EU GDPR Documentation Toolkit [an editable toolkit that contains all of the policies and other documentation you will require to implement GDPR]
- The full text of the GDPR itself