What website owners need to know about GDPR and Brexit

New legislation called GDPR is set to come into place in May 2018.  Its intention is to increase regulation of personal data held by businesses in the UK. So as a business owner with an active website, how does this affect me?

Background on GDPR

GDPR – short for General Data Protection Regulation – is a new series of regulations coming into force on 25th May 2018.  Its main purpose is to protect the public in terms of personal information businesses can store.  More specifically it will shape the ability for users to ask for a copy of all their data, and for that data to be removed on request.

GDPR will also tighten what data storage providers (websites, hosting companies, IT companies) are expected to do to maintain the security of their systems.  Any data breaches will, by law, have to be reported within a minimum period and share information about their processes with interested parties.

What will I be expected to do?

The extent of what you need to do is governed by two factors – 1) what your online presence does and 2) what systems you already have in place.  Clearly, a small brochure site with no means of capturing data will have little GDPR exposure, whereas a full-service E-Commerce website where payments are taken on the site will have a more involved process.

The first step will be to do a full, frank, audit of every process of your online system.  What data is requested, where is it stored, who has access to it and in what shape is it maintained?   For example, some E-Commerce data is encrypted to protect users, if so how is it made useful i.e. decrypted or assigned to a customer?

The second step will be to work out how you would get a copy of this data to a customer.  It may be stored in emails, in a database or with a third party.  Be very careful how you handle these requests; if you decide to store user requests inside a system, then you may end up with a generating more data about a customer – say for example of this request meant adding them to a CRM system.  A minimal process for handling requests would be suggested to avoid a vicious circle.

The third step would be how to manage your processes if a user requests their data be removed.  This is most likely going to be the biggest challenge for businesses due to the wide variety of possible ways data is handled inside a system.

What possible situations would I need to look into?

Here are a few scenarios which highlight the thinking required:

  • I run a subscription website where payments are taken monthly, if a user wishes their data to be removed how can I achieve that whilst still maintaining service?
  • How can I ensure customer data is removed from every server, PC, email account, backup drive, cloud service, paper records?
  • Will it be sufficient to anonymise a customer’s data (for example keep their order details but remove identifiable contact details) in order to maintain the system’s integrity?  If not how will you ensure that removing data won’t break a system?

Most “off the shelf” systems won’t have anything in place yet to deal with GPDR requests.  For example, you can delete a customer in E-Commerce websites back-ends, but most don’t really delete the data, they just hide it off to prevent orphan data from corrupting a website.

What about Third Parties?

To clarify, what do we mean by Third Parties?  For example, they are organisations such as:

  • Website and Email hosting companies
  • Email Newsletter Software companies
  • Backup/cloud storage providers
  • Payment Gateway Providers
  • IT Providers (who in turn then may manage other software such as Office 365, Exchange etc)
  • CRM Systems

The liability remains with you, the business owner.  You won’t be able to “fob them off” to a hosting company or a payment gateway – by implication, every service you use should be as trusted with GDPR as you are.  As most of these Third Parties store information on your behalf, then you will need to confirm that when you remove data, it is actually removed and not kept for a period of time afterwards i.e. for backup or data retention purposes. Work with them – they should already be aware of the requirements and ignorance is not an option at this stage.

Being upfront with customers

The days of “implied consent” and “automatic opt-ins” have probably gone with GDPR.  So make sure that your systems and websites explicitly ask users for their permission to store and use their data.  Go one stage further – tell them exactly how it will be used and who else will have access to it.  Extend your terms and conditions to be transparent and frank.

The more information you give up front, the lesser the requests will be from customers requesting this information.  This will hopefully lighten the burden on your own staff too.

If you are starting a new project, you can look to build GDPR into each process from the beginning (so-called privacy-by-design).

But we’re leaving, and Brexit will make all this null and void?

In researching this blog post, this argument came up time and time again.  Taking a step back though reveals that the vast majority of EU directives will be carried through into UK law regardless of whatever happens with Brexit.  In simple terms, we can’t just un-adopt all EU regulations on the Brexit date as the UK simply does not have the time to come up with its own versions of the corresponding laws.  So what will happen in general terms is that the current EU regulations will be “copy and pasted” into UK law and then over time be reworked or replaced in Parliament, a process that will take many many years.

There is always a small chance that GDPR will not be adopted by the UK or we find a way around it on May 25th.  Having a business model that relies on this playing dice doesn’t make sound sense to us though.  With a threat of fines up to 20 million Euros, it certainly needs not be taken to chance.

Didn’t we do all this with Cookies and the EU a while back?

In 2011 the Information Commissioners Office, from suggestion from the EU’s own policies, brought in the “Cookie Law“.  This directive was designed to ensure that users of websites were made aware that their information was being collected and used via Cookies (small text files stored on user’s devices).  The intention was to let users have an informed choice – allow their information to be stored or to opt-out.  As Cookies are an essential part of some websites (for example an E-Commerce checkout wouldn’t work without them) turning them off is rarely a viable solution although any user can turn cookies off in their browser.

The end result seemed to be a middle ground with websites serving a notice to users letting them know, on entry, that Cookies were being used and giving them a link to find out more.

However, this does not have any impact on GDPR.  In the most basic of explanations, the Cookie Law was about letting users know that information could be captured via one specific measure – Cookies.  GDPR is a much broader set of regulations which are more about how companies handle storage of customer data, how they can obtain copies of the data and request its removal.

If you’d like to discuss any aspect of GDPR and its potential impact on your business – both websites and general IT, please get in touch for a friendly chat.