    GDPR

    As a well-established and trusted digital development agency many of our clients rely on us to provide expert advice when it comes to all things digital. The General Data Protection Regulation, also known as GDPR, is just one example.

    As this new regulation is so important for every business that deals with customer data we have decided to share our approach to it and how we have been working with many of our clients to prepare for when it comes into effect.

    If you have any questions about GDPR feel free to contact us.

    What is the GDPR?

    The General Data Protection Regulation is a European Parliament regulation that comes into effect on the 25th of May 2018. It aims to give people more control over how their personal data is used, and supersedes the Data Protection Act, which was created in 1998. The new rules about how companies store, use and share an individual’s data aim to promote transparency for the individual, and to create a clearer legal environment for businesses to operate in.

    What kind of data does this apply to?

    The GDPR covers what is often referred to as ‘personally identifiable data’: if an individual provides information about themselves that could be used to identify them, that information is in scope. For example, a name, an IP address and an email address can each be used to identify an individual (both on their own and in combination). Some data – for example a central London postcode – cannot be used to identify an individual when supplied on its own, so would not be deemed personally identifiable.

    Parental consent is required to process any data relating to children of 16 years or under.

    How does this affect me as an individual?

    It helps to put yourself in the shoes of the individual or customer to think about how this affects you. The GDPR is designed to make you feel secure about sharing personal data. The businesses that you interact with online will not be permitted to quietly ask you to ‘opt out’ of sharing your data, for example by hiding a marketing tickbox that is already ticked to give consent by default. They should inform you of anyone who will see your data outside of their company (for example marketing companies or data processing companies) and explain why it is needed.

    The data is yours – so companies should provide support to you if you would like them to delete it, or to view the data that they have and to make any changes to it.

    How does this affect me as a business?

    When a customer is asked to supply personal data about themselves, it is important to give them a clear and concise explanation of why the data is required, what it will be used for, and how long it will be stored for. This information shouldn’t be hidden in obscure legal terminology and must be able to be understood in layman’s terms. If it is difficult to justify why the data is required, the GDPR guidelines suggest that it probably shouldn’t be collected at all.

    In line with the information that you provided the customer, data must be deleted when it is no longer required, although there is an exception for data that needs to be archived for ‘public interest’ or research purposes. The GDPR encourages companies to build a trusting relationship with their customers using clarity about data processing and offering them the ability to decline sharing their data.

    It is important for a business to record how consent was presented to users, who it was shown to, and how they interacted. A customer can request a list of all their personal data from a business, and request updates to it or request for it to be deleted. Note that the updates they can request can include withdrawing consent entirely.

    What can happen if I don’t follow the regulation?

    There can be fines of up to 20 million euros for a company or controller that is found not to be complying with the regulation. It is just as important to Enigma as to our clients, because responsibility for compliance rests with us too.

    What are Enigma doing to support the GDPR?

    Clarity and Information
    Our design team always aim to make user-friendly and clear interfaces, and we will keep doing this! We’ll provide support for displaying clear and concise information to users on things like sign up and delivery interfaces so that customers are able to see how their information will be used, and can advise on how to comply with GDPR and UI best practice.

    Supporting the individual’s rights
    Our systems are being enhanced to make it easy to record an individual’s decisions on consent, and to comply with any requests to view, edit or delete their personally identifiable data. Software developed on our Core platform will inherit even more compliance once we have updated it to include things like two-step verification of account changes and automated data processing.

    Data Breach
    In the unlikely event of a data breach, Enigma or the company who ‘owns’ the data will inform the appropriate data protection agency within 72 hours. We will also notify affected users, unless their data was encrypted and is therefore still secure.

    Security
    We already comply with the GDPR requirements for security – any data will be transmitted over SSL and personal data will be securely encrypted when it is stored. We take pride in ensuring that all our systems, and all client and customer data, are protected and private.

    A Summary of an Individual’s Rights under GDPR

    • The right to be informed – Typically this will be via a Privacy Policy, which MUST be clear and transparent
    • The right of access – Individuals have the right to access their personal data and supplementary information; this allows them to be aware of and verify the lawfulness of the processing
    • The right to rectification – Individuals can have their personal data rectified if it is inaccurate or incomplete
    • The right to erasure – AKA ‘the right to be forgotten’ – deletion/removal of personal data
    • The right to restrict processing – Allows withdrawal of permission for certain uses of the data
    • The right to data portability – Allows individuals to obtain and reuse their personal data for their own purposes across different services – this means data must be stored in a structured, commonly used, machine-readable form, for example CSV
    • The right to object – to processing of their data, including direct marketing, profiling and statistics. You must offer a way for individuals to object online
    • Rights in relation to automated decision making and profiling – in particular processing used to analyse or predict their personal preferences (Google Analytics, eCommerce tracking, etc.)
    • The right to make a complaint to the Information Commissioner’s Office (ICO)