GDPR for your Business, UK Policing
Over the past few days and weeks you’ve probably received emails from companies, and seen in the media, that GDPR is about to come into force. We at SEO London Club have taken a long, hard look at what this involves for the UK, what it means for your small business, and what you need to do.
What Is GDPR?
GDPR stands for General Data Protection Regulation. It is the new legislation that will replace the 1998 Data Protection Act, which, purely by its age, has become obsolete in certain areas.
GDPR will be in force from 25 May 2018, and affects all businesses operating in the European Economic Area (EEA).
It is designed to provide greater protection to consumers, through greater transparency and accountability.
Research shows that customers do have significant concerns about the data companies have about them. Recent scandals such as Cambridge Analytica have brought data into the public consciousness.
Why Did the Government Introduce GDPR?
GDPR isn’t something just for the UK – it applies to all businesses in the European Economic Area. It came as part of the Data Protection Act 2018.
That’s the data protection regime of the UK. It’s 20 years since the last Data Protection Act came into force, so a lot has changed in that time.
The explosion of the internet means that the 1998 Data Protection Act was out of date. It didn’t protect data in the right way.
It makes sense, really. Back in the 1990s, technology wasn’t such a big thing. The internet was still on dial-up, and most people didn’t have mobile phones.
Put simply, data was handled differently back then. No one was really worried about unethical data collection. GDPR was needed to bring data protection into the 21st Century!
People have become more and more concerned about what companies are doing with their personal data.
There have been questions over whether the UK Government needed to enforce GDPR because of Brexit. However, the government has said that GDPR will still be in force after Brexit.
Is GDPR A Bad Thing For My Business?
To be blunt – NO! European and UK Government bodies, despite it not always feeling like it, are not in the business of making life difficult for companies.
Consumers are currently both worried and angry about the way their data has been shared. GDPR gives businesses a chance to make consumers trust them with their data.
Trust is a massive part of any relationship between a business and consumer – so use GDPR to your advantage!
What Do I Need To Do?
New rules and regulations can be overwhelming, and then there’s the fear of falling foul of them and being hit with sanctions such as fines.
To help you prepare, we’ve developed a handy 8 step guide.
1. Know That The Law Is Changing
That’s how difficult this guide is! If you know the law is changing and that you need to take action, then congratulations – you’re all set for Step 2.
2. Check The Records You Possess
Here’s the legal bit. You have to keep up-to-date records of any personal data you hold. This applies to everyone, whether the data relates to your customers, your suppliers or your staff.
The term ‘personal data’ is most easily defined as any information about an individual that can lead to them being identified, whether directly or indirectly.
3. Be Clear On Why You Have This Data & How You Use It
The law is clear – you need to have a reason to hold personal data, and the law provides 6 reasons that can justify doing so.
The ICO (UK Information Commissioner’s Office) explains the 6 reasons here.
Make sure you record which of the reasons you have employed and how you’ve used data.
4. Be Prepared For When People Ask About Their Data
The public will have the following 7 rights over the personal data you hold about them. You should have a plan for how to deal with any requests.
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
5. Are You Telling People You’re Collecting Data?
6. Be Security Conscious
Both the paper and digital copies of personal data you hold need to be secure. Double-check your premises’ security; CCTV and locked cabinets are a good start.
Digital data needs to be encrypted. Make sure everything is password-protected too, and, if relevant, see what cyber security your web host is offering.
7. Be Prepared For Any Breaches Of The Rules
By developing a process to follow if you have any suspected breaches of the rules, you will save yourself both time and stress if you do fall foul of them.
Make sure you have the ICO’s dedicated personal data breach helpline ready to call – 0303 123 1113.
8. Last But Not Least – Don’t Panic
This is a crucial step. Despite the media making out that businesses will all be fined into bankruptcy, it’s best to keep at the forefront of your mind that the ICO are there to help you comply.
Sensible precautions and changes are required but don’t allow yourself to overthink it. Keep it simple!
How Will GDPR Affect Your Website?
As we review web design companies, it stands to reason that our main concern is how GDPR will become relevant to your website.
What Does GDPR Involve for Web Design
GDPR is a bit of a game-changer, really. It’s not easy to achieve GDPR compliance – for some companies, it has taken up to a year.
Most companies have websites, and many rely on web designers. Compliance on websites is now a legal requirement. Most web design companies will have to offer some basic GDPR functions to their clients.
These basic solutions aren’t completely GDPR compliant, but enough to avoid prosecution.
There’s a considerable cost involved in getting a completely GDPR compliant website. For a top-notch job, you’re looking at a bill of up to £3000.
At the lower end, around £1000. These estimates don’t include writing the GDPR policy, which can double the cost.
Privacy by Design
The privacy by design (PbD) framework is something that many developers are choosing to adopt. It involves anticipating and preventing privacy issues from the start.
PbD isn’t a new thing, it’s been around since the 1990s. Still, most developers hadn’t heard of it before GDPR started causing headaches.
Impact on Development Practices
For web developers and designers, GDPR starts at the coding level. It doesn’t restrict programming languages but means there’s a need to use preventative coding strategies.
Design Strategies and GDPR
When it comes to design strategies, GDPR has an impact. It changes the way designers design, both on the front end and the back end. Privacy policies need to be available to view.
Cookie consent statements and banners have to be visible. Plus, website users must be able to view, download and delete any data you’ve collected on them at any time.
Whereas in the past it was OK to assume consent, with GDPR that’s no longer the case. Designers need to make sure users give consent for data collection, whatever form it takes. In some form or other, websites collect data – now, it’s important to make sure it’s done legally.
Some websites have cookie-consent banners with the ‘accept’ box already ticked. That’s technically a breach of GDPR. If the user has to untick the box and isn’t made aware of it, then consent is being assumed rather than given.
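To show the difference between the pre-ticked pattern above and a genuine opt-in, here is an added example of a consent gate for non-essential cookies. It is not code from this article or from any real site; the function names (evaluateConsent, cookieAllowed, applyConsent), the cookie categories and the form-state fields are all assumptions made for illustration, and the sample cookies and form states are constructed. It runs under Node without a browser DOM.

```javascript
// Added example, not code from the SEO London Club article or any real site.
// A minimal consent gate for non-essential cookies, written as plain functions
// so it runs under Node without a browser DOM. All names (evaluateConsent,
// cookieAllowed, the cookie categories, the form-state fields) are assumptions
// made for illustration.

const CATEGORY = {
  ESSENTIAL: "essential", // strictly necessary, e.g. the login session
  ANALYTICS: "analytics",
  MARKETING: "marketing",
};

// The weak pattern the article describes: the accept box arrives already
// ticked and the site treats "still ticked" as consent. Kept here only to
// contrast with the opt-in version below.
function preTickedConsent(formState) {
  return formState.checked === true;
}

// Opt-in pattern: consent counts only when the box started unticked and the
// user ticked it themselves. A box the user never touched, or one ticked by
// default, yields no consent, and the result records why so it can be logged.
function evaluateConsent(formState) {
  if (formState.defaultChecked) {
    return { granted: false, reason: "pre-ticked box is not affirmative consent" };
  }
  if (!formState.userInteracted) {
    return { granted: false, reason: "no user action recorded" };
  }
  if (!formState.checked) {
    return { granted: false, reason: "user declined" };
  }
  return { granted: true, reason: "explicit opt-in", recordedAt: formState.timestamp };
}

// Per-cookie decision: strictly necessary cookies may be set without consent;
// everything else only once consent has been granted.
function cookieAllowed(cookie, consent) {
  if (cookie.category === CATEGORY.ESSENTIAL) return true;
  return consent.granted === true;
}

// Reduce a proposed cookie set to what the current consent state permits.
function applyConsent(cookies, consent) {
  return cookies.filter((c) => cookieAllowed(c, consent));
}

// Constructed sample data: cookies a typical small-business site might set.
const SAMPLE_COOKIES = [
  { name: "session_id", category: CATEGORY.ESSENTIAL },
  { name: "_ga", category: CATEGORY.ANALYTICS },
  { name: "ad_profile", category: CATEGORY.MARKETING },
];

// Constructed form states as a banner might report them.
const PRE_TICKED_UNTOUCHED = {
  defaultChecked: true, checked: true, userInteracted: false,
  timestamp: "2018-05-25T09:00:00Z",
};
const USER_OPTED_IN = {
  defaultChecked: false, checked: true, userInteracted: true,
  timestamp: "2018-05-25T09:01:00Z",
};
const USER_DECLINED = {
  defaultChecked: false, checked: false, userInteracted: true,
  timestamp: "2018-05-25T09:02:00Z",
};

// Stand-alone demonstration when run directly with `node consent-gate.js`.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const [label, state] of [
    ["pre-ticked, untouched", PRE_TICKED_UNTOUCHED],
    ["user opted in", USER_OPTED_IN],
    ["user declined", USER_DECLINED],
  ]) {
    const consent = evaluateConsent(state);
    const names = applyConsent(SAMPLE_COOKIES, consent).map((c) => c.name);
    console.log(`${label}: pre-ticked logic says ${preTickedConsent(state)}, ` +
      `opt-in logic says ${consent.granted} (${consent.reason}); cookies set: ${names.join(", ")}`);
  }
}
```

The point of the split is that the weak function cannot tell an untouched pre-ticked box from a deliberate choice, so it sets the analytics and marketing cookies either way; the opt-in function refuses both the pre-ticked state and the untouched state, so only the strictly necessary session cookie is set until the visitor actually ticks the box. Recording the reason and timestamp alongside the decision is what gives you something to show if a data subject later asks what they consented to and when.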
Complexity of GDPR
GDPR is neither simple nor straightforward. Look online and you’ll see dozens of checklists for making websites GDPR compliant.
These are generally long lists of things that need to be implemented. It’s important for web designers and developers to fully understand what GDPR means for them.
They need to be able to advise clients how to avoid non-compliance penalties and fines. Let’s face it, it took Facebook 18 months to work on GDPR compliance, and there were still complaints.
Are the Government Prosecuting for Non-compliance?
GDPR legislation means that businesses can be prosecuted if they don’t comply with GDPR regulations. There are several types of sanctions that can be enforced. These range from warnings to fines.
Fines for GDPR Non-compliance
There are two levels of GDPR fines. Less severe data protection breaches have a maximum fine of €10 million or 2% of business revenue.
More severe breaches can cost businesses up to €20 million, or 4% of business revenue.
However, just because businesses can be fined, that doesn’t automatically mean they will be.
The Information Commissioner’s Office (ICO), which is in charge of prosecuting GDPR breaches, sees fines as a last resort. It is not planning on putting small traders out of business with fines.
When it comes to bigger businesses, such as Facebook, prosecution is more likely. The ICO said that had the Cambridge Analytica scandal happened after GDPR, Facebook’s fine would have been up to $1.6 billion.
Do The Biggest Websites In The UK Comply With GDPR?
Social Media GDPR Compliance
Facebook, Google, Instagram and WhatsApp were the subject of complaints about GDPR non-compliance on the first day of the legislation.
These companies were accused of enforcing consent to terms of service. GDPR insists that consent has to be given without pressure.
Facebook, Google, Instagram and WhatsApp, however, insist that they’ve spent over a year preparing for GDPR. Policies are more easily accessible. There is also the ability for users to access, download and delete personal data.
At the time of publishing, none of the websites mentioned above comply with GDPR.
Whilst GDPR technically affects the UK police force, there is a partial opt-out clause for domestic law enforcement. This means that compliance is not applicable to personal data when it comes to law enforcement.
However, UK police websites are still bound by GDPR regulations when it comes to collecting personal data not directly related to law enforcement.
Local police force websites should have GDPR compliance, but none we have seen do. This should include privacy statements, and the ability to access, download and delete personal data.