If you work in a large organisation, the chances are you've heard GDPR, or the General Data Protection Regulation, mentioned more than a few times since it was adopted by the EU last year.
This new regulation goes further than existing privacy legislation because it covers any information relating to an identified or identifiable person – which includes information such as somebody's IP address.
When GDPR comes into effect on 25 May 2018 you will also have new responsibilities when it comes to collecting people's data, processing that data, and what you tell people about the way you intend to use it. I’ll cover all three in this article.
Asking for consent to collect data
The biggest implication of GDPR for web teams is the change to consent. People must now give you their explicit consent before you can use their data. This must be:
- Freely given
It will no longer be enough to add a pre-ticked consent box to a form or show a message informing people that by visiting your website they agree to sharing their personal data. You must make sure that people are aware of what you want to do with their data. You will also have to get people's consent to use their personal data for every different purpose you have in mind.
This cookie bar on Ryanair's website wouldn't comply with GDPR because it doesn't allow visitors to opt out of having cookies placed on their device.
GDPR also makes clear that it's unacceptable to deny services to people unless they give you consent to use their data. So, for example, you won't be allowed to deny visitors access to your website if they refuse to let you place tracking cookies on their device or record their IP address.
It’s vital that you record this consent so that you can prove you have abided by the GDPR if someone complains. You should store details of what a person agreed to and when they gave you permission. You must also provide a simple way for people to withdraw their consent in future if they change their mind.
Things to do now:
- Review how you ask for, record, and manage people's consent.
- Untick any pre-ticked consent boxes you are currently using.
- Update forms to include information on how you will use people's data and ask them for consent for each purpose.
- Begin getting your users to update any existing consent that doesn’t meet the new standard.
- Audit your website cookies to determine which require consent.
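As an added example (not code from the article), here is a minimal consent ledger of the kind the points above call for: consent is only accepted as an explicit act, recorded per purpose with a timestamp and the version of the notice the person saw, can be withdrawn, and can be exported on request. Purpose names and notice versions are made up.

```python
# Added example (not from the article): a minimal per-purpose consent ledger.
# Consent is an explicit act, logged per purpose with a timestamp and the
# notice wording seen, revocable, and exportable if someone asks for it.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

@dataclass(frozen=True)
class ConsentEvent:
    purpose: str         # one record per purpose, e.g. "analytics_cookies" (made-up)
    granted: bool        # True = consent given, False = consent withdrawn
    timestamp: str       # ISO 8601 UTC, so "when" can be proved if challenged
    notice_version: str  # which wording the person actually saw

class ConsentLedger:
    """Append-only log of what each person agreed to, and when."""
    def __init__(self):
        self._events = {}  # user_id -> list[ConsentEvent]

    def record(self, user_id, purpose, granted, notice_version, explicit=True):
        # A pre-ticked box or a default value is not consent: refuse to log it.
        if not explicit:
            raise ValueError("consent must be an explicit action by the user")
        event = ConsentEvent(purpose, granted,
                             datetime.now(timezone.utc).isoformat(), notice_version)
        self._events.setdefault(user_id, []).append(event)
        return event

    def withdraw(self, user_id, purpose, notice_version):
        # Withdrawal is just another explicit event; history is never rewritten.
        return self.record(user_id, purpose, False, notice_version)

    def has_consent(self, user_id, purpose, current_notice):
        # Only the latest event for this exact purpose counts, and only if it was
        # given against the current notice (older consent needs refreshing).
        # Consent for one purpose never implies consent for another.
        for ev in reversed(self._events.get(user_id, [])):
            if ev.purpose == purpose:
                return ev.granted and ev.notice_version == current_notice
        return False

    def export(self, user_id):
        # Portable copy of the consent history, for a subject access request.
        return json.dumps([asdict(ev) for ev in self._events.get(user_id, [])])
```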
Processing people's data
The collection, storage, or use of personal data in any way is called processing. As well as giving individuals more rights when it comes to the collection of their data, GDPR also gives people more control over how their data is processed.
You can only ask people for data that you need to do the things set out in your consent form. Data should be kept only as long as is absolutely necessary, and you must justify why you need to store it for so long. People have the right to ask you to delete or correct any of their data. They can also request a copy of it, so you need to store it in a common electronic format.
GDPR also places restrictions on processes that make an automated decision or profile people without their consent. People have the right not to be subject to a decision based on this kind of processing if it has a legal or other significant effect on them. If you are using an automated process to profile people, you must make sure the process is fair, secure, and accurate.
Things to do now:
- Put in place a schedule for deleting old data.
- Provide a way for people to delete their data.
- Allow people to request access to their data.
- Make sure you are storing data in a commonly used electronic format that makes it easy for people to read their data or move it to another system.
- Make it easy for people to rectify inaccuracies in their data.
- Review any processes that make an automated decision or profile people and ensure they comply with the new regulation.
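As an added example (not code from the article), the checklist above turned into a small personal-data store: a retention schedule per purpose with a recorded justification, a scheduled purge, rectification and erasure on request, and export in a common format (JSON). The purposes, retention periods and justifications are made-up values.

```python
# Added example (not from the article): a personal-data store implementing a
# per-purpose retention schedule, rectification, erasure and JSON export.
from datetime import datetime, timedelta
import json

# Retention schedule (made-up values): how long data collected for each purpose
# may be kept, together with the justification the article says you must have.
RETENTION = {
    "order_fulfilment": (timedelta(days=365), "needed for warranty claims"),
    "newsletter":       (timedelta(days=90),  "re-consent requested quarterly"),
}

class PersonalDataStore:
    def __init__(self):
        self._rows = []  # dicts: user_id, purpose, field, value, collected_at

    def collect(self, user_id, purpose, field, value, collected_at):
        # Only collect for a purpose that is in the schedule (and the consent form).
        if purpose not in RETENTION:
            raise ValueError(f"no retention period defined for purpose {purpose!r}")
        self._rows.append({"user_id": user_id, "purpose": purpose, "field": field,
                           "value": value, "collected_at": collected_at})

    def purge_expired(self, now_iso):
        """Scheduled job: delete anything older than its purpose's retention period."""
        now = datetime.fromisoformat(now_iso)
        keep, dropped = [], 0
        for row in self._rows:
            age = now - datetime.fromisoformat(row["collected_at"])
            if age > RETENTION[row["purpose"]][0]:
                dropped += 1
            else:
                keep.append(row)
        self._rows = keep
        return dropped

    def rectify(self, user_id, field, new_value):
        """Right to rectification: correct a field wherever it is held."""
        hits = [r for r in self._rows if r["user_id"] == user_id and r["field"] == field]
        for row in hits:
            row["value"] = new_value
        return len(hits)

    def erase(self, user_id):
        """Right to erasure: remove every row about this person."""
        before = len(self._rows)
        self._rows = [r for r in self._rows if r["user_id"] != user_id]
        return before - len(self._rows)

    def export(self, user_id):
        """Right of access and portability: a machine-readable copy of their data."""
        return json.dumps([r for r in self._rows if r["user_id"] == user_id])
```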
Keeping people informed
The GDPR requires organisations to identify a lawful basis for processing people's personal data. Consent is the most obvious basis. Other reasons include fulfilling a legal obligation, protecting a person's wellbeing, or the processing being in the public interest.
You should document the kinds of processing you carry out and your legal basis for doing so in the privacy notice on your website. This should be:
- Concise, transparent, intelligible, and easily accessible
- Written in clear and plain language that's appropriate to the reading level of your audience
- Available free of charge
You must also provide information on why you need a person's data, the length of time you will keep it, and details of their rights – including the right to complain to a supervisory authority.
Things to do now:
- Review your privacy notices and make a plan to update them in good time.
- Include information on your lawful basis for processing the data.
- State how long you will keep data before you delete it.
- Make it clear that people have the right to complain to a supervisory authority if they are unhappy.
Where to go from here
The Information Commissioner's Office has detailed information on exactly what you should include in your privacy notice. And, if you work for a public authority, your organisation will need to appoint a Data Protection Officer as part of complying with GDPR. This person will be a valuable source of information on all the steps you should follow to become fully compliant with the new regulation.