We, like all companies who keep customer contact details, are registered with the ICO (Information Commissioner's Office) and comply with the DPA (Data Protection Act). On 25th May 2018, however, the EU will be changing this law. Most of the new act is based on the current DPA, so if you're compliant with the current DPA you're most of the way to being compliant with the new GDPR (General Data Protection Regulation).
Most of the old and new data protection laws are about how you manage the data you store about your clients, so you are responsible for complying with the data protection act and looking after your customers' data. To ensure your company is compliant with the GDPR in 2018, it is your responsibility to contact the Information Commissioner's Office to check what you need to do.
Changes from the Data Protection Act to GDPR
As we understand it… the changes to the data protection laws are:
- Previously UK-only, but now applies to the whole of Europe
- Bigger penalties for non-compliance
- A dedicated data protection officer is now mandatory (i.e. you name someone in your company to be in charge of the data)
- Data breaches must now be reported
- Customers have the right to ask for their data to be removed (permanently deleted)
- Protection Impact Assessments will now be mandatory, and are relevant for "scoring", "matching" or processing sensitive data – see when a PIA would be necessary
- Individuals must opt-in whenever data is collected and there must be clear privacy notices
- Marketing consent must be explicit and must allow the user to opt out at a later date
This isn't a definitive list of the changes, but it's the main gist. Please don't rely on our little list to determine whether you're doing enough to protect your customers' data: you'd need to read the legislation and ensure you are compliant with the new GDPR laws as a company.
What is GDPR and what impact will it have on websites?
If you have customer registration on your website, for instance for eCommerce websites or subscription based websites, your customers have the right to ask for their data to be removed (permanently deleted).
To comply, you could simply add a line to your privacy policy (and/or the registration form content) stating who to write to, email or call if they want their details removed. You must action their request within one month of receiving it. Ideally, however, you should get your developer to amend your website so that customers can request their details be removed online themselves. (This would not mean you have to remove the customer's previous orders, because you'll need these for your accounting purposes.)
Individuals must opt-in whenever data is collected and there must be clear privacy notices
Again, you could simply add a message to your online registration form content which states that the details entered in the form will be stored only for the purposes of processing their order, that they won't be contacted by you or a third party for marketing purposes, and that if they don't want their details to be stored they must not fill in the form. Ideally, however, you should get your developers to create a "tick this box to opt in to having your details stored" checkbox, which stops the registration form being completed until they tick it.
Marketing consent must be explicit and must allow the user to opt out at a later date
Before (under the old/current law) you could have "tick this box if you DON'T want marketing emails", but now it must be more obvious and in plain English, i.e. "tick this box if you DO want marketing emails", and the customer must be able to opt out of those marketing emails at a later date (e.g. from their "update my details" page).
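The three website changes above (a blocking storage opt-in, a separate positive marketing opt-in with later withdrawal, and an erasure request that keeps order records) as an added example in plain Node.js; this is not code from the original post, and the form field names, record shape and policy version are assumptions.

```javascript
// Added example, not from the original post. Field names and record shape are assumed.
const POLICY_VERSION = "2018-05"; // assumed label for the privacy notice shown at sign-up

// A box only counts as ticked when the browser actually sent it (checkbox "on" or true).
// A pre-filled default or any other value is treated as "not ticked" so consent is explicit.
function ticked(value) {
  return value === true || value === "on";
}

// Storage consent is mandatory: the form cannot complete until the box is ticked.
function validateRegistration(form) {
  const errors = [];
  if (!form.email) errors.push("email is required");
  if (!ticked(form.storageConsent)) errors.push("you must tick the box to allow us to store your details");
  return { ok: errors.length === 0, errors };
}

// Build the customer record with a consent trail: what was agreed, when, under which notice.
// Marketing consent is a separate box and defaults to false unless positively ticked.
function createCustomer(form, now = new Date()) {
  const check = validateRegistration(form);
  if (!check.ok) throw new Error(check.errors.join("; "));
  const at = now.toISOString();
  return {
    email: form.email,
    name: form.name,
    consent: {
      storage: { given: true, at, policy: POLICY_VERSION },
      marketing: { given: ticked(form.marketingConsent), at, policy: POLICY_VERSION },
    },
    orders: [],
  };
}

// Later opt-out from "update my details": withdraw marketing consent only, keep the record.
function withdrawMarketing(customer, now = new Date()) {
  customer.consent.marketing = { given: false, at: now.toISOString(), policy: POLICY_VERSION, withdrawn: true };
  return customer;
}

// Erasure request: drop personal details but keep order lines needed for accounting,
// stripped of anything identifying (name, email, delivery address are not copied over).
function eraseCustomer(customer) {
  const orders = customer.orders.map((o) => ({ id: o.id, total: o.total, date: o.date }));
  return { erased: true, orders };
}
```

Server-side checks are what matter for the record: a disabled submit button is a convenience for the user, while `validateRegistration` is what stops an unticked form being stored.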
Summary of the impact of GDPR on websites
In summary, if you just store customers' details, e.g. on an eCommerce website, for the purpose of fulfilling their order, there wouldn't be much to change (just the wording, as explained above). But if you use that customer data to bombard them with marketing emails, post, calls or texts, then you need to ask for more permission first. If you want to sell your customer data to a third party, you need to separately ask the customer for consent to do that.
For more information please see: What is GDPR with the ICO? and: GDPR for organisations by the ICO
See also How to prepare for GDPR and GDPR Compliance for Small Businesses
Written by Kirsty Paget