How the New General Data Protection Regulation Affects Online Business
Running an online business is difficult enough, and it is about to get a little more challenging when the new data protection law comes into effect on 25 May 2018. The General Data Protection Regulation (GDPR) is designed to give individuals more rights over their personal data and to make those who hold it protect it properly – and that includes online businesses. In this post, we look at what GDPR means for online businesses.
What are the new rights of consumers?
According to the ICO (the UK's data protection regulator), the new legislation gives people a range of rights over personal data held about them. These include clearer information about how their data is collected, processed and used; in some circumstances, explicit consent will be needed before processing can go ahead at all.
Individuals will also have easier access to any data you hold on them (a subject access request must normally be answered within a month and free of charge) and the ability to have errors corrected. They will also have the right to erasure, the so-called right to be forgotten: customers who leave you can ask for their data to be permanently erased, subject to a few exemptions such as records you are legally required to keep.
In addition, people must be told about a breach of their data, e.g. a hack or an employee losing a device, where it is likely to put them at high risk. They will also have more control over automated decisions, including profiling, that companies make using their data.
What are the implications for online business?
One of the biggest challenges for online businesses will be the need to keep records of consent. From 25 May 2018, when an individual consents to you storing and processing their personal data, you will need to keep a record of when and how that consent was given and what they were told at the time. The consent itself must be a clear, affirmative act, not something inferred from silence, inactivity or a pre-ticked box.
People will also be able to withdraw consent at any time, and withdrawing it must be as easy as giving it. Once consent is withdrawn and you have no other lawful basis for keeping the data, it must be permanently deleted. The right to be forgotten means you cannot simply move a customer's details from an active list to an inactive one and carry on holding them.
The new rules on data breaches are perhaps the ones with the biggest impact. If personal data is lost or stolen, whether through a deliberate attack or accidental loss, you have a maximum of 72 hours from becoming aware of the breach to report it to the ICO, describing what happened, the likely consequences and what you are doing about it (only breaches that are unlikely to pose a risk to the people concerned are exempt). You may also need to inform the people whose data was affected. Failure to protect data can be punished with a fine of up to 4% of global annual turnover or €20 million, whichever is higher.
To protect against data breaches, and to be able to report them accurately, organisations will need to keep track of all the personal data they hold: exactly what data you hold on each person, where it is stored and who can access it. That may not be too difficult where data is held centrally; it is far harder where individual members of staff keep their own copies on laptops, phones and USB sticks. If an employee leaves a USB stick containing personal data on a train and you are not even aware of it, you cannot report the breach at all, let alone within 72 hours, and the repercussions will be significant.
Privacy by design and by default
One of the cornerstones of the new regulation is to make sure that privacy is at the heart of every project a business carries out, what the ICO calls 'privacy by design and by default'. This means online businesses must consider the effect that processing personal data can have on a customer's privacy. Every process that involves personal data, or affects the privacy of an individual, should be designed with data protection in mind from the outset.
The aim is to ensure that appropriate security is built into any IT system or business procedure so that personal data is protected automatically. In other words, the customer should not need to do anything themselves to protect the data held on your system; that protection should be built in, by default, which also means collecting only the data a purpose actually needs and keeping it no longer than necessary. The intended outcome is that privacy becomes an integral part of the design and architecture of IT systems and business procedures, rather than an afterthought.
Things to do
As an online business, there are a number of things you will need to do to get ready for GDPR. These include:
- Audit what personal information you currently collect, process and store, and why.
- Work out how to make sure customers are fully aware of how and why their information is collected, processed and stored, and that you have recorded their consent to use it.
- Make it easy for customers to withdraw consent if they wish, and have a process that permanently deletes their information when they do.
- Audit where information is stored and processed in your business and keep records of what is stored, where it is stored and how it is processed. Where possible, centralise data storage to reduce risk.
- Ensure that each place of storage has appropriate security in place: firewalls, intrusion detection, malware scanning, strong passwords (with multi-factor authentication where possible), access control, encryption, pseudonymisation, etc.
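To make three of the points above concrete (keeping evidence of how and when consent was given, erasing rather than flagging data when consent is withdrawn, and storing records under pseudonyms), here is a small consent ledger written for this post. It is an illustrative example, not code from the ICO or from any GDPR tooling. The pseudonym is an HMAC of the normalised e-mail address under a secret key, so a copy of the ledger on its own cannot be mapped back to real people; contact details are assumed to live in a separate system that joins on the pseudonym. The key, the field names and the sample inputs are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed for this example. In a real deployment the pseudonymisation key is
# held in a KMS or HSM, apart from the data store, so a database dump alone does
# not reveal who the records are about.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a normalised e-mail address.

    HMAC rather than plain SHA-256: without the key an attacker cannot confirm
    a guessed address by hashing it and comparing, which is the usual way
    unkeyed hashes of e-mail addresses get reversed.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of one consent: the 'how and when' the regulation asks for."""
    purpose: str    # what the consent covers, e.g. "marketing-email"
    given_at: str   # ISO 8601 UTC timestamp of the affirmative act
    source: str     # how it was captured, e.g. "signup form v3, unticked box"
    wording: str    # the exact statement the person agreed to


class ConsentLedger:
    """Consent evidence and personal attributes stored under pseudonymous keys."""

    def __init__(self, key: bytes = PSEUDONYM_KEY):
        self._key = key
        self._consents = {}    # pseudonym -> {purpose: ConsentRecord}
        self._attributes = {}  # pseudonym -> {attribute: value}

    def _pid(self, email: str) -> str:
        return pseudonymise(email, self._key)

    def record_consent(self, email, purpose, source, wording,
                       affirmative, given_at=None):
        """Record consent only when it came from a clear affirmative act."""
        if not affirmative:
            # Silence, inactivity or a pre-ticked box is not consent; refuse to
            # record it instead of inferring it.
            raise ValueError("consent must be an affirmative act, not inferred")
        if given_at is None:
            given_at = datetime.now(timezone.utc).isoformat()
        pid = self._pid(email)
        self._consents.setdefault(pid, {})[purpose] = ConsentRecord(
            purpose, given_at, source, wording)
        return pid

    def store_attribute(self, email, name, value):
        """Other personal data about the person, kept under the same pseudonym."""
        self._attributes.setdefault(self._pid(email), {})[name] = value

    def has_consent(self, email, purpose) -> bool:
        return purpose in self._consents.get(self._pid(email), {})

    def subject_access(self, email):
        """Everything held about the person, for a subject access request."""
        pid = self._pid(email)
        if pid not in self._consents and pid not in self._attributes:
            return None
        return {
            "attributes": dict(self._attributes.get(pid, {})),
            "consents": [vars(c) for c in self._consents.get(pid, {}).values()],
        }

    def withdraw_and_erase(self, email) -> bool:
        """Withdrawal of consent: delete the records, do not mark them inactive."""
        pid = self._pid(email)
        existed = pid in self._consents or pid in self._attributes
        self._consents.pop(pid, None)
        self._attributes.pop(pid, None)
        return existed
```

Two design choices matter here. Refusing to record non-affirmative consent at the API boundary means an "inferred" consent can never reach the store, so there is nothing to clean up later. And because the only identifier in the ledger is the keyed pseudonym, a lost copy of it is far less damaging than a lost spreadsheet of e-mail addresses, while erasure on withdrawal is a genuine deletion rather than a status flag.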
GDPR will soon be law and will remain in force even after the UK leaves the EU. Any online business that collects email addresses, credit card details or any other personal information will be legally obliged to comply with it. It is important, therefore, to start taking measures now, so that everything is in place by the time the law takes effect.