The EU’s General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
Simply put, any company that operates within the EU and handles and stores personal information will need to adhere to the new rules. GDPR does not discriminate between business giants and small businesses. Furthermore, the penalties for not complying with GDPR will be very severe. Violation of the terms of GDPR can result in a penalty of 4% of your company’s annual turnover or a fine of 20 million euros (whichever is higher).
Explicit consent of any user is requested before data collection takes place: consent needs to be freely given, specific, informed and unambiguous. There must be positive opt-in consent; consent cannot be inferred from pre-ticked boxes or inactivity.
Have a means for users to request to view their data: users must be able to make such a request, and requests for their data must be granted.
“Right to be Forgotten”: Provide your users with a way to withdraw consent and purge the personal data you have collected about them.
Online Payments & GDPR
If you sell online then you will be collecting and storing personal data in the form of customers’ details.
So you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.
Google Analytics & GDPR
Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so this will not be affected by GDPR.
Find out more at https://privacy.google.com/businesses/compliance/#?modal_active=none