Disclaimer: This post is intended to provide helpful guidance to customers about GDPR, not as a comprehensive solution or legal advice. Each organisation should undertake their own steps to ensure compliance.

Here at EngineRoom towers we don’t seem to be able to to open our inboxes without reading one email or another about the new GPDR law coming into effect on the 25th May 2018. Whilst we bought ourselves into line with the regulations, we thought it might be a good idea to lay it all out in a blog post.

So first off, what is GDPR? Well, it stands for General Data Protection Regulation and simply put is a new EU directive to ensure for consistent data protection laws across the EU. The scary bit is the financial penalty for non conformity, which is either 4% of annual global turnover or €20 million (whichever is greatest). This is very unlikely to be enforced against smaller businesses and more likely a period of education will follow the deadline. Regardless of this I suspect you’d rather not take the chance, so let’s continue.

Although it might be a pain now, GDPR is a good thing and could lead to some benefits for you and your business:

The law will help create a more trusting relationship between you and your contacts. Knowing what kind of experience contacts want from you helps you meet—and exceed—their expectations.
The GDPR empowers your contacts to understand exactly what data is being collected and how it will be used.
And since the GDPR provides contacts with the right to easily specify and update permissions (by, for example, allowing them to quickly opt into or out of receiving certain content), it should also lead to fewer unsubscribes and spam complaints, which in turn improves deliverability.

What do you need to do?

We have broken down the action points for GDPR compliance (as we understand it) below:

1 – Get, or re-confirm, user consent

Consent for the storage of personal data is one of the cornerstones of the legislation. Essentially, you need to ensure that whenever you are storing personally identifiable data consent is sought, obtained and recorded. Another important point to make is that consent should never be implied and should always be opt-in rather than opt-out. Any opt-in messages should be in clear and pain language.

On a basic level we would suggest taking the following steps:

If you have any forms collecting personal data, you should ensure users agree to your new GDPR complaint privacy policy (see point 2 below for more information on this). This can be a simple checkbox with a link to the “Privacy Policy”. An example agreement statement would be something along the lines of: By ticking this box you consent for [YOUR COMPANY NAME] to process and store the personal data that you have provided. You may withdraw this consent at any time. For more details on how your data is processed, stored and shared see our Privacy Policy.
Any direct marketing consent should be provided via a separate opt-in mechanism. It should be made clear who this marketing information will come from, where the data will be stored and how the information being collected will be used. Ideally there should also be an indication of how a user will be able to unsubscribe from the marketing. If data is to be shared or stored with third parties then this should be clearly explained as well. The consent that has been provided should again be recorded. An example of an excellent opt-in form is shown below:
You should ensure you re-obtain consent from users on any marketing lists where you already hold their information.

2 – Update privacy policies

Do a full review of current privacy notices and ensure that they align with requirements under GDPR before it takes effect. The notices must:

Tell the user the personal information you hold.
What you do with the personal data and anything you plan on doing with it.
Make it clear that the user has the right to request access and/or deletion of their data.
Specify the identity of the controller and of the data protection officer.
Detail the conservation period (how long data will be kept).
State the contact method to be used to lodge a complaint.
State with whom the data will be stored and who will have access to this data.
State the right and contact method to withdraw consent at any time.

It’s important to note that access to the privacy policy should be present at all points where personal data is collected.

3 – Prepare for data breaches

There have been several large scale data breaches in the news over the past few years and unsurprisingly enough one of the main goals of GDPR is to try and reduce this, or at least ensure the parties involved are accountable. To prepare yourself for any possible data breaches you should be:

Providing mechanism(s) to encrypt or otherwise secure personal data.
Implementing security measures.
Confirming ongoing confidentiality, integrity and availability of personal data (see point 4 below).
Providing mechanisms to restore the availability and access to personal data.
Facilitating regular testing of security measures.
Notifying the data protection authority within 72 hours in the event of a data breach incident.
Notifying affected data subjects of a high-risk data breach incident.

4 – Perform an audit

To ensure you are comfortable with the data you hold, we would suggest you perform a simple audit.

This should contain the following information on each of your data storage and processors:

Who has access.
Why are you storing it.
When do you store it (i.e. after the submission of a form).
What information are you storing.
How is the information stored.
Compliance: if the storage or processor is third party then you should ensure they are GDPR compliant themselves.

5 – Show Willing

Elizabeth Denham of the ICO (Information Commissioner’s Office) has said her office will be more lenient on businesses who have been caught out by GDPR, if they have shown “awareness” of it. This essentially means if you make an effort and show willing to be compliant then if you do get investigated and are found to be breaching part of the legislation the ICO is less likely to go down the route of monetary penalties. Therefore saving you that €20 million.

Q&A

The UK is leaving the EU, does this GDPR still apply?
Yep, afraid so – the UK government has be it clear that regardless of Brexit, GDPR will be implemented in full to ensure the UK aligns with data protection laws across the EU. Regardless of this if you want to do business with anyone in the EU then this will be a requirement anyway.

When do I need to be compliant by?
The deadline for compliance is the 25th May 2018.

Do I need to be GDPR compliant?
Almost certainly yes. The GDPR applies to personal data collected, held or processed. The following excerpt is from the ICO’s definition of personal data:

“The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. … The GDPR applies to both automated personal data and to manual filing systems”

Can you help me with my GDPR compliance?
We will of course help where we can and give advice where possible. However, you will be ultimately responsible for ensuring that you are compliant. Obviously if you need us to do any work on your website to ensure your GDPR compliance then please just get in touch and we can discuss the steps to be taken.

I am PCI compliant, will this do?
No, afraid not. GDPR is very different to PCI. PCI lays out the technical measures required for processing payment. GDPR is not based on the technology used but instead focuses far more broadly on the protection of personal data collected, held and processed.

Where can I find out more?
It’s a bit of a dry read but a good place to look for all of the relevant information is the ICO’s website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
More information can also be found on the EU GDPR website: https://www.eugdpr.org/.