The GDPR comes into force on 25 May 2018. This far-reaching piece of data protection legislation gives individuals many more rights over their personal data, and places many more responsibilities on the organisations that hold it. Crucially, breaching those responsibilities can bring a hefty fine: up to €10 million or 2% of worldwide annual turnover for lesser infringements, and up to €20 million or 4% for the most serious ones, whichever figure is higher.

To be absolutely clear, the GDPR applies to any information relating to an identifiable person, meaning someone who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an email address, an identification number or location data. That includes mailing lists, customer lists, orders, enquiries and emails, and it covers information stored electronically or on paper.

In this series of articles we provide some general guidance on the basic elements of the new Regulation and how they affect you and your website. Do remember that this legislation is a new legal requirement; if you have any concerns, seek legal advice.

We have created a sample GDPR Privacy Policy, which may help you prepare for the GDPR. Feel free to click here and add it to your website!

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data 

- The GDPR, Article 15(1)

Right to Know

Everyone has the right to know whether a company holds their personal data, and the right to see that data. That means anyone can email you at any time and ask to see the information you hold about them.

This seems like common sense. After all, if someone is holding your personal details, you should know about it!

As a business, your responsibility is to respond without undue delay, and in any case within one month of receiving the request (extendable by a further two months for complex or numerous requests, provided you tell the person why within the first month). You should share everything you hold about them, including:

  • Any and all contact details
  • Their order history
  • Any notes which mention them by name
  • Where you got this information
  • Why you need this data
  • How long you will store this data
  • Who has access to this data

You might have spotted that a lot of this links up nicely with the importance of obtaining consent. So long as you're following the rest of our advice, there shouldn't be any surprises lurking.

However, should you find something unexpected or embarrassing, you still have to hand it over. Deliberately deleting or altering records to avoid disclosing them after you've received a request is a criminal offence, so be careful!

If in doubt, you can always direct your customers to the 'My Account' section of your Zone1 website. This shows all of the information you store about them, and can make these requests much easier to handle!

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay

- The GDPR, Article 17(1)

Right to be Forgotten

Anyone has the right to ask a company to delete their data, and you have the responsibility to act on that request without undue delay.

Just like the Right to Know, this seems like common sense. However, there are a couple of very important points that you must remember.

First, you might have a legitimate reason to retain a person's data. The most common example is accounting, where the law requires you to keep a record of a transaction for your bookkeeping. That can be enough to decline the request, but only for that specific purpose and only for the data that purpose needs. Once the legal retention period for those records has ended, you must delete the data!

To be clear though, you can't simply say no - there must be a valid reason. 

Equally important is to remember that true anonymisation is as good as deletion. If you remove every personal identifier from an order (name, address, email, phone number and so on) but retain the generic information (price, quantity, postage costs), you have 'Forgotten' your customer: you have fulfilled their request, but can still use the order for reporting purposes. The test is that the remaining record can no longer be traced back to the person. If it still carries a customer ID or account reference that links to them, the data is only pseudonymised and is still personal data under the GDPR.

When someone asks to be deleted, you have to erase everything that identifies them, not every trace that an order was ever placed.
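Here is one way to carry out that anonymisation in code. This is an added illustration for this article, not code from the Zone1 platform; the order record, its field names and the email and phone patterns are constructed assumptions. It drops the directly identifying fields, drops the customer ID that would otherwise link the order back to an account (pseudonymisation rather than anonymisation), scrubs the customer's name, email and phone number out of free-text notes (the "notes which mention them by name" from the Right to Know list), and finally checks that nothing identifying survives.

```python
"""Anonymise an order record so it can be kept for reporting after a
Right to be Forgotten request. Added illustration: the schema and the
sample data below are constructed assumptions, not a real shop's data."""
import re

# Constructed sample order (not real data).
SAMPLE_ORDER = {
    "order_id": "ORD-1042",
    "customer_id": 77,            # links back to an account: must go too
    "name": "Jane Example",
    "email": "jane@example.com",
    "address": "1 Sample Street, Testville",
    "items": [{"sku": "MUG-01", "qty": 2, "price": 7.50}],
    "postage": 3.20,
    "total": 18.20,
    "notes": "Jane Example asked for gift wrap; call on 01632 960000 if late.",
}

# Fields that identify the person directly.
DIRECT_IDENTIFIERS = ("name", "email", "address", "phone")
# Fields that do not name the person but link the record back to them.
# Keeping these would leave the data pseudonymised, not anonymised.
LINKING_IDENTIFIERS = ("customer_id",)

# Assumed patterns for identifiers that may hide inside free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\+?\d[\d\s-]{7,}\d\b")


def scrub_free_text(text, known):
    """Remove known identifier values and any email/phone from free text."""
    for value in known:
        text = re.sub(re.escape(value), "[redacted]", text, flags=re.IGNORECASE)
    text = EMAIL_RE.sub("[redacted]", text)
    text = PHONE_RE.sub("[redacted]", text)
    return text


def scrub_value(value, known):
    """Apply scrub_free_text to every string nested inside value."""
    if isinstance(value, str):
        return scrub_free_text(value, known)
    if isinstance(value, dict):
        return {k: scrub_value(v, known) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_value(v, known) for v in value]
    return value


def anonymise_order(order):
    """Return a copy of the order with every personal identifier removed."""
    # Values to hunt for in free text: the full identifier values plus
    # name tokens of three or more letters, so "Jane" alone is caught too.
    known = [str(order[k]) for k in DIRECT_IDENTIFIERS if order.get(k)]
    if order.get("name"):
        known += [t for t in order["name"].split() if len(t) >= 3]

    result = {}
    for key, value in order.items():
        if key in DIRECT_IDENTIFIERS or key in LINKING_IDENTIFIERS:
            continue                       # drop the field entirely
        result[key] = scrub_value(value, known)
    return result


def still_identifiable(original, anonymised):
    """True if an identifying field, or an identifying value, survives."""
    for key in DIRECT_IDENTIFIERS + LINKING_IDENTIFIERS:
        if key in anonymised:
            return True
    blob = repr(anonymised).lower()
    for key in DIRECT_IDENTIFIERS:
        if original.get(key) and str(original[key]).lower() in blob:
            return True
    return False


if __name__ == "__main__":
    kept = anonymise_order(SAMPLE_ORDER)
    print(kept)
    print("still identifiable:", still_identifiable(SAMPLE_ORDER, kept))
```

The final check matters as much as the scrubbing: run it before writing the anonymised record back, and treat a failure as "not yet forgotten" rather than as a warning to ignore.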

1st January 2018