Should we be GDPR Compliant?

The General Data Protection Regulation is an EU law that came into force on 25th May 2018. It was such an upheaval, touching every company that had ever asked for personal data, that EU companies were given 2 entire years to prepare for it before it became active.

What is it?

GDPR governs how a company or individual has collected your personal data, what they intend to do with it and how long they reasonably need to hold it for. It covers security policies and sets out basic regulations for breaches of personal data. In short, if you are a company holding someone's personal data, you need to have had that individual's consent for you (and only you) to receive that data, and they also need to know how you intend to use it, which third parties will use it and how long you intend to retain it for. You also need to make sure the data is stored with a specific level of security whilst you have it.

Why?

Because your data is the most important thing you own. It's who you are, where you live, what your plans are, your preferences, who you bank with, your daily routine; it touches every aspect of your life. That data needs to be protected. Europa.eu lists your personal data as any of the following:

    • a name and surname;
    • a home address;
    • an email address such as name.surname@company.com;
    • an identification card number;
    • location data (for example the location data function on a mobile phone)*;
    • an Internet Protocol (IP) address;
    • a cookie ID*;
    • the advertising identifier of your phone;
    • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

* https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

What’s the penalty of not being GDPR Compliant?

The fines are hefty, and rightly so. Ignorance is not an excuse. An EU company can be fined a maximum of 4% of its annual global turnover or €20 million, whichever is greater. This is not an instant fine, though: there are organisations in place to help companies fix their non-compliant mistakes. Fines are generally imposed on companies that do not make any, or enough, effort to rectify their bad data habits. The first offender of non-compliance was British Airways, who was fined £183 million for a breach of customer data. The second was the Marriott hotel chain, who were fined £99 million for failing to protect personal data.

What do they have to do?

Websites for EU citizens must already have a cookie acceptance policy. If your website drops a cookie on the user's machine, the user must be notified. This includes Google Analytics! This policy is actually separate from GDPR, and while most websites adhere to it, not all do. If your EU website contains a form that collects any user information, the user must give consent. A pre-ticked checkbox does not count: the user must perform an action at the same time as providing their data. The consent is to agree to the company's data use policy and storage security policy.

To summarise the legal requirements, Article 5(e) of the GDPR states that personal data shall be "kept for no longer than is necessary for the purposes for which it is being processed".

This includes how long personal information is stored in orders in an e-commerce system. GDPR also covers the right to erasure and the right to disclosure should an individual request either.

What is poor data security?

Bordering the realms of being ISO accredited for data security, basic security ensures that only those who need the data have access to it, and only for as long as they need it. So, no, you can't keep someone's data for 10 years and you can't forward it to your colleague just because they asked for it.

Poor data security includes:

    • Storing passwords in plain text
    • Keeping passwords written on a piece of paper in your top drawer
    • Leaving that printout of customers' names and addresses in the printer or photocopier
    • Having your computer NOT lock itself after no more than 5 minutes of inactivity
    • Having the same password on all computers in the office
    • Not having two-factor authentication on mobile devices that hold sensitive information
    • Not being able to remotely wipe a mobile device should it be lost or stolen

For more information on how and whether GDPR affects your WooCommerce site, see https://woocommerce.com/gdpr/

Should we adopt GDPR?

While we are not obliged to adopt GDPR, 20/21 Creative appreciates the importance of data privacy and security and certainly applies the majority of the requirements of GDPR.
