General Data Protection Regulation

General Data Protection Regulation (GDPR)

GDPR was adopted by the European Parliament on 14th April 2016 and applies from 25th May 2018.

Does it affect my business?

If you run an ecommerce website, a mailing list, or allow customers to register on your site, then the answer is YES.

If you collect any personal data from your customers at all, even if it is simply a name, an address and what they ordered, then you will need to comply with the regulation.

How long do I have?

The regulation applies from 25th May 2018.

What do I need to do?

This depends on how you store the data and what you do with it. The regulation itself is lengthy and it could take you from now until May to read it. Fortunately that won't be necessary, as we have provided a short summary below and put together an affordable compliance package for our existing customers.

GDPR - The Main points

Below is a summary of the main things you will need to do to comply with GDPR. If you are a customer of Inn2 then we already know a lot about your website and the backend systems that run it. This is why we can offer existing customers a GDPR compliance package at a very reasonable price. If you search the internet you will find companies offering compliance courses and packages costing thousands of pounds. Your price is only £280.00 plus the cost of a TLS (SSL) certificate if you need one.

You need a lawful basis for every use of personal data. Processing needed to fulfil an order (taking payment, shipping the goods) rests on your contract with the customer, but anything beyond that, such as marketing emails or profiling, normally needs consent. Consent must be freely given, specific, informed and unambiguous: it cannot be a pre-ticked box or an automatic opt-in, and it cannot be hidden away in terms and conditions. There is a high probability that you will need to modify your website forms to accommodate this. You cannot gain consent for everything with one tick; each separate purpose needs its own opt-in, and you must keep a record of what the customer agreed to, when, and what wording they saw.

What data do you hold? Where is it stored? Who is responsible for it? Do you use any third parties to manage your data? Does anyone else have access to it? On what basis did you obtain it, and did you obtain consent where it was needed? Make a list of what you have and keep it up to date; this record is also what you will draw on when a customer asks what you hold about them.

How safe is your data? It is your responsibility to ensure that any data you hold is kept securely. This may involve encryption. If you collect data on your website, you are strongly advised to have a TLS certificate (still commonly called an SSL certificate) and to serve the whole site over HTTPS, so that form submissions and logins cannot be read in transit. Note that this protects data only while it travels between the browser and your server; data stored in your database, backups and exports needs its own protection (access control, and encryption where appropriate).

Privacy by Design
Privacy now has to be at the core of an organisation and built into both its technical and organisational systems. Some modifications will be required to your privacy policy to accommodate GDPR.

Right to Access
Anyone who has information stored about them now has the right to request a copy of that data and an explanation of what it is used for. Your reply must also state who else the data has been shared with (the recipients, or categories of recipients, that you identified when you made your data list). This data should be provided free of charge, electronically where the request was made electronically, and within one month of the request (extendable in complex cases).

Right to be forgotten
Alongside the right of access, a data subject also has the right to have the data held about them erased. You need to clearly identify how this will be done and ensure that anyone else who holds a copy of this data also removes it; an example would be a mailing list held at Mailchimp. You will need to confirm the erasure within one month.
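As an added illustration of the consent, data-list, access and erasure points above (this is example code, not Inn2's own code or anything from the page), the following Python sketch shows how a small ecommerce back end might record per-purpose consent, refuse processing without a lawful basis, answer an access request, and propagate an erasure to the third parties holding a copy. The purposes, the `CustomerStore` class, the processor names and the sample customer are all assumptions made for the example.

```python
"""Example only (not from the page): a minimal GDPR-style customer record layer.

Assumed purposes for a small shop.  Order fulfilment rests on the sales contract,
so it needs no consent; the rest need a specific, recorded opt-in each.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import hashlib
import json

CONTRACT_PURPOSES = {"order_fulfilment"}        # lawful basis: the contract with the customer
CONSENT_PURPOSES = {"newsletter", "profiling"}  # lawful basis: one opt-in per purpose


@dataclass
class ConsentRecord:
    purpose: str
    given: bool
    at: str               # ISO-8601 timestamp of the opt-in: part of the evidence you keep
    wording_version: str  # the exact consent text the customer saw at the time


@dataclass
class Customer:
    email: str
    name: str
    address: str
    orders: list = field(default_factory=list)
    consents: dict = field(default_factory=dict)    # purpose -> ConsentRecord
    recipients: dict = field(default_factory=dict)  # purpose -> set of processors holding a copy


class CustomerStore:
    """In-memory stand-in for the customer table of an ecommerce site (assumed)."""

    def __init__(self):
        self.customers = {}
        self.erasure_log = []  # proof that each erasure request was handled and who was told

    def register(self, email, name, address):
        # No pre-ticked boxes: a new customer starts with no consents at all.
        self.customers[email] = Customer(email, name, address)
        return self.customers[email]

    def record_consent(self, email, purpose, given, wording_version, at=None):
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        at = at or datetime.now(timezone.utc).isoformat()
        self.customers[email].consents[purpose] = ConsentRecord(purpose, given, at, wording_version)

    def may_process(self, email, purpose):
        """True only if there is a lawful basis for this purpose for this customer."""
        c = self.customers.get(email)
        if c is None:
            return False
        if purpose in CONTRACT_PURPOSES:
            return True
        rec = c.consents.get(purpose)
        return rec is not None and rec.given  # one tick covers one purpose, never all of them

    def share_with(self, email, purpose, processor):
        """Pass data to a third party only for a purpose you may process, and remember who has it."""
        if not self.may_process(email, purpose):
            raise PermissionError(f"no lawful basis to share {email} for {purpose}")
        self.customers[email].recipients.setdefault(purpose, set()).add(processor)

    def subject_access_export(self, email):
        """Right of access: everything held, what it is used for, and who else received it."""
        c = self.customers[email]
        all_purposes = CONTRACT_PURPOSES | CONSENT_PURPOSES
        report = {
            "data": {"email": c.email, "name": c.name, "address": c.address, "orders": c.orders},
            "purposes": sorted(p for p in all_purposes if self.may_process(email, p)),
            "consents": {p: asdict(r) for p, r in c.consents.items()},
            "recipients": {p: sorted(s) for p, s in c.recipients.items()},
        }
        return json.dumps(report, indent=2)

    def erase(self, email, at=None):
        """Right to erasure: drop the record and return the processors that must erase their copy."""
        c = self.customers.pop(email)
        to_notify = sorted({proc for procs in c.recipients.values() for proc in procs})
        self.erasure_log.append({
            "at": at or datetime.now(timezone.utc).isoformat(),
            # keep a hash rather than the email itself, so the log does not re-store the identifier
            "subject": hashlib.sha256(email.encode()).hexdigest(),
            "notified": to_notify,
        })
        return to_notify


if __name__ == "__main__":
    # Constructed sample customer; not real data.
    store = CustomerStore()
    store.register("ann@example.com", "Ann Example", "1 High Street")
    store.record_consent("ann@example.com", "newsletter", True, "privacy-v2")
    store.share_with("ann@example.com", "newsletter", "Mailchimp")
    print(store.subject_access_export("ann@example.com"))
    print("notify on erasure:", store.erase("ann@example.com"))
```

The two points a practitioner should take from this are that consent is checked per purpose at the moment the data is used, not once at sign-up, and that every hand-off to a third party is recorded so that an access or erasure request can be answered in full.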

Data Breach
Under GDPR, breach notification becomes mandatory in all member states where a data breach is likely to "result in a risk to the rights and freedoms of individuals". You must notify your supervisory authority (the ICO in the UK) within 72 hours of first becoming aware of the breach, and where the breach is likely to result in a high risk to the individuals concerned you must also tell them without undue delay. A breach you discover late still counts; the 72 hours run from when you become aware of it, which is one reason to keep logs that let you work out what happened.

Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater.

It's easy to look at GDPR as another piece of legislation creating more work for you and adding to your costs. Given the high profile of data breaches in the news at the moment, businesses that are seen to be safe, secure and respectful of their customers' privacy and rights are more likely to be chosen by potential customers.

Although not specified as a strict requirement of GDPR, you may want to take a few extra steps and encrypt your emails and hard drives. Some larger organisations are insisting that their suppliers do this in order to continue working with them. If you want this additional service we will need to quote it on an individual basis. Please ask when you place your order.