What is GDPR?
When the European Union General Data Protection Regulation (GDPR) comes into force on May 25, 2018, what will happen to currently available domain registration data in WHOIS? GDPR has rapidly devolved into a touchstone for everything from vendor FUD to political frothing. It has been hailed as a huge step forward for privacy and assailed as the worst thing to come out of Europe since the Bubonic Plague. Let's push aside the hyperbole and let facts and reason rule the day.
The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. The Regulation tackles the inconsistent data protection laws currently in place across the EU’s member states and facilitates the secure, free flow of data. It replaces the outdated Data Protection Act 1998 and all data protection legislation in EU member states.
It comes into effect on 25th May 2018. Although we are in the process of Brexit, working towards GDPR compliance remains crucial.
What are the consequences of non-compliance?
Potentially a fine – and a hefty one – up to €20,000,000 or 4% of global annual turnover, whichever is higher. That is a scary figure. However, many experts believe that because this is the maximum, it is the figure most often bandied around, and in reality a fine made against an SME would be much smaller. This does not mean it is not something you need to worry about. Whilst the ICO does not plan to hit lots of SMEs with a maximum fine, you are still putting your reputation at risk by not showing a willingness and an honest attempt to adjust and comply with the new GDPR regulation.
Why GDPR, why now?
There is a need in Europe and beyond to address many outdated data protection laws, bring them up to date with technological advancements and align standards. There is a huge amount of personal data at risk. GDPR seeks to address that. Some of the current issues include:
- Outdated legislation – In the UK, data protection is enforced using legislation created in 1998.
- Inconsistent landscape – When data is shared between different states, the data is subject to inconsistent laws, rules and regulations.
- Limited control by users – The law does not help individuals ask questions of organisations about how their data is collected, processed and stored.
- Lack of security – The law does not require specific security standards when storing customers’ personal data.
I’m worried, this seems big
Well, it is, but we believe GDPR is a good thing, not just another piece of bureaucracy. It will force all businesses into reviewing how they process and hold data. It’s nothing to worry about as long as you review your processes and act upon them.
Ok, what do I need to do?
If you haven’t started preparing for GDPR, we would suggest you need to now. In a nutshell, once GDPR comes into force, your business must:
- Keep a record of all data gathering you perform and consider if you have the required agreements in place
- Carry out a privacy impact assessment (PIA). More information can be found here on the ICO website
- If applicable to your organisation, designate a data protection officer (DPO)
- Review processes for the collection of personal data
- Be aware of your duty to notify the relevant authority of a data breach and have a process in place for carrying this out
- Implement “privacy by design” and “privacy by default” in the design – this is where we come in, see below.
Specific activities need to include
- Review how you obtain consent. For example, do you ask your customers for permission before you use their data? Do you tell them what it will be used for? Consent must be ‘explicit’, which means they have to actively agree by ticking a box – having the box ticked by default is not an option. If you have previously obtained personal information by a ‘default consent’ method, you must contact everyone on your database asking them to ‘opt in’ to specific activities. If they do not reply, they must be removed from the database.
- Implement a process that allows your customers to exercise their right to request the data you hold on them and their right to have that data removed. If you do not have a legal obligation or a valid reason to retain that data, customers have the ‘right to be forgotten’, i.e. all data deleted.
- Review your Terms & Conditions and Privacy Policy to include your processes relating to the above.
- Create a policy and process for notifying the ICO of a personal data breach. You must do this within 72 hours of becoming aware of the breach, where feasible. Whilst we understand we may be part of this process, the ICO has a useful resource here. The notification must state: 1. its nature; 2. the approximate number of people affected; 3. the contact information for your organisation’s DPO (if one has been appointed).
What are we doing as part of GDPR?
For clarity, the GDPR often refers to the ‘Data Processor’ and the ‘Data Controller’. You are the ‘Data Controller’, and your organisation’s GDPR responsibility rests with you. However, as your ‘Data Processor’, we can assist you in this process by detailing our actions, as GDPR makes it clear that any business processing EU data must be compliant.
Your hosting
- We use UKFast for your hosting solution. They are an ISO 27018 certified business. The certification provides standards that hold up against audits, customer enquiries and government reviews.
- You are part of a Jellyhaus Dedicated Solution. Only sites designed and built by Jellyhaus rest on this solution.
- The solution has a dedicated Cisco Firewall to help detect and prevent malicious attacks on your data.
Your application/website
- We implement ‘Privacy by Design’ when creating websites, following industry guidelines on the coding and creating of software applications.
- We custom code all our websites, so if you need a specific mechanism for customers’ ‘right to be forgotten’ or ‘right of access’, we can implement it for you.
How we will be compliant
- Over the coming weeks, we will be updating our policies and procedures to enable effective implementation of GDPR and how we can assist you in the event of a data breach and/or customers’ ‘right to be forgotten’.
I’d like to know more
GDPR will affect everyone in different ways, depending on how much data you collect and how you are already collecting it. The ICO have a comprehensive guide to GDPR, which can be accessed here.
The General Data Protection Regulation, or GDPR, replaces the current Data Protection Act (1998) and comes into force on 25th May 2018. Regulated by the ICO, the GDPR strengthens the rules around personal data and requires organisations to be more accountable and transparent. It also gives people greater control over their own personal data.
Designed to help safeguard data protection rights for individuals, the GDPR introduces a single set of rules across the EU when it comes to how organisations handle data relating to identifiable individuals. That means if your business holds personal information such as names, addresses, staff records, customer lists and even online identifiers (such as a computer’s IP address), you could be subject to certain requirements of the GDPR.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA). If you are complying properly with the current law, most of your approach to compliance will remain valid under the GDPR and can be the starting point to build on. However, there are new elements and significant enhancements, so you may have to make changes and do new things.
The GDPR toughens up penalties already existing under the DPA which include:
- Fines up to £500,000
- Prosecutions, including prison sentences for deliberate breaches
- Obligatory undertakings, where your company has to commit to specific action
When the GDPR begins in May, these penalties will get heavier:
- Businesses in breach will see a dramatic increase in fines. Penalties can reach an upper limit of €20 million (or four per cent of annual global turnover if that is higher).
As well as regulatory fines for non-compliant businesses, bear in mind the possibility that individuals might also sue you if they suffer as a result of how you handle their data.
The GDPR’s implementation on 25th May happens before the date of the UK’s withdrawal from the EU, so all businesses will definitely need to be compliant with the GDPR. Although the UK’s data protection status after Brexit is still unknown, the government has suggested that it intends to implement equivalent GDPR rules post Brexit (see the Data Protection Bill announced in the 2017 Queen’s Speech) to make sure frictionless movement of data between the UK and the EEA continues.
The Information Commissioner’s Office (ICO) website has a vast range of tools to help small businesses, including a self-assessment toolkit created with small organisations in mind. You can use the checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Click here to view the ICO self-assessment toolkit. Further useful links are outlined below.
Some of the official documentation is still being developed – for instance, detailed interpretation of the rules for establishing consent from individuals. The ICO expects the Article 29 Working Party to finalise their guidelines by the middle of April.
Many resources are available to support small businesses. Here are some links you may find useful:
- Lawbite | The GDPR Checklist – free 15-minute consultations also available
The ICO also has a helpline specifically for GDPR enquiries. Call the helpline on 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). If calling from outside the UK, you may not be able to use the 03 number, so please call +44 1625 545 700. Their normal opening hours are 9 to 5 Monday to Friday.
HETAS has been registered with the ICO as a Data Controller since 2016. HETAS will be reviewing the terms and conditions we apply to our registration schemes, to reflect the GDPR, and will publish any changes through our website.
You can contact the HETAS team on 01684 278170 or click here to email.