The GDPR (General Data Protection Regulation) will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
What is the GDPR?
The GDPR is Europe’s new framework for data protection laws. The main objectives of the GDPR are to give individuals back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Each member state in the EU already operates under the current 1995 Data Protection Regulation (DPR) and has its own national laws. In the UK, the current Data Protection Act 1998 sets out how your personal information can be used by companies and the government. The key difference is that the GDPR changes how personal data can be used.
All individuals and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR, which includes Magento ecommerce merchants storing data about individuals.
A ‘controller’ is the body that decides the purpose and manner in which personal data is used, or will be used, and a ‘processor’ is a person or group that processes the data on behalf of the controller. Processing means obtaining, recording, adapting or holding personal data.
The GDPR places specific legal obligations on processors. They are required to maintain records of personal data and processing activities, and will have significantly more legal liability if they are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
If you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU, and to organisations outside the EU that offer goods or services to individuals in the EU.
What data does the GDPR apply to?
The GDPR applies to ‘personal data’. Data such as online identifiers (eg an IP address) can be personal data. For most organisations keeping HR records, customer lists, contact details and the like, you can assume that if you hold this information it falls within the scope of the GDPR. The GDPR applies both to automated personal data and to manual filing systems.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. These can include genetic data, and biometric data where it is processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
Accountability & consent
In the case of “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”, if that breach is likely to result in a risk to the rights and freedoms of individuals, then it must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.
In the case of the UK, that’s the ICO – the UK’s independent body set up to uphold information rights. When the breach is likely to result in a high risk to the rights of individuals, you must also notify those concerned directly.
The GDPR sets higher standards for consent. When an organisation relies on consent to lawfully use a person’s information, it has to clearly explain that consent has been given and that there has been a “positive opt-in”. Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent.
The GDPR also states that you have to make it easy for people to exercise their right to withdraw consent. And, most significantly, companies will have to make sure the consent they’ve already got meets the standards of the GDPR. If not, it’ll have to be re-obtained.
Companies will also need to make it easy for people to withdraw consent and tell them how, and to keep evidence of consent – who consented, when, how, and what you told them. Consent is one way to comply with the GDPR, but the new legislation provides five other lawful bases for processing data besides consent, which are set out on the ICO website.
Under the GDPR, requests for personal information can be made free of charge – when an individual asks a business for their data, the business must provide it within one month, and everyone will have the right to obtain confirmation of whether an organisation holds information about them.
What to do now?
The ICO has issued a document, ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’, to help businesses prepare. A summary is below:
1. Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawful basis for processing personal data: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent: You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Children: You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International: If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
For a more detailed breakdown of each action, please view the full document on the ICO website.
All information featured in this article is obtained from or influenced by the sources found below. This article is designed as an aid to ecommerce merchants only. Seek legal advice or contact the ICO for official and additional information about the GDPR and how it will affect your ecommerce business.