The General Data Protection Regulation (GDPR) is a Europe-wide directive that comes into force on 25th May 2018, in what is, in effect, the biggest shake-up of data protection regulations in Ireland possibly ever.
GDPR, in brief, will set the standard for data protection in Europe by effectively putting the individual in charge of their data and how it is used. There are fines for non-compliance.
Under the new GDPR regulations, consumers in Ireland will have the right to ask for data held on them, and to have it changed or erased. Businesses are therefore obliged to make sure personal data is collected and processed lawfully, transparently and for a specific purpose.
What Action Does My Business Need to Take to Comply With GDPR?
1. Cleanse. Is your business storing personal information on customers or potential customers? Do you know where it came from, what it was collected for and whether it is still necessary or relevant? A ‘data cleanse’ is a good place to start – in other words, the removal of duplicates and inaccurate addresses. Have you also looked at the security of your data storage and at who has access to it, online and offline? Would you know if your website had been hacked and data stolen? You are required to notify the Data Protection Commissioner within 72 hours of a breach unless the data is encrypted.
2. Re-Permission. Businesses will then need to seek consent or ‘re-permission’ to continue using that personal information by clearly setting out what customers are signing up for and how their data will be used.
If you use a newsletter facility, we are advising all customers to get their clients to confirm their sign-up.
3. Consent. Gone are the days of pre-ticked boxes or small print opt-outs; customers must explicitly be given the opportunity to opt-in and know exactly what that entails.
Check your website to see whether it asks visitors to sign up to a newsletter.
GDPR has implications for cookies too. Whilst they are governed under the Privacy and Electronic Communications Regulations (PECR), or the ‘cookie law’ (which is in the process of being updated and brought into line with GDPR), if you are unable to prove consent on an individual basis, you risk falling foul of the new GDPR regulations. Since many businesses rely on implied or opt-out consent, the reality is that it will become much harder to prove lawful consent to use this data.
We are advising all clients to ensure their website has an SSL certificate, a cookie notice, a privacy statement and Google webmaster tools in place.
Not GDPR ready? Contact Aura Internet for advice on making sure your website is GDPR compliant.