
GDPR is the new standard in Data Protection. When it comes into effect on 25th May 2018, every business in the EU will need to comply with a new set of guidelines that control and protect the data that’s used and collected on a daily basis.

One of the most important obligations you have as an organisation is the requirement to gain consent from your users. The critical words that have been added to this obligation are ‘unambiguous’ and ‘affirmative’ – this means that it is no longer acceptable for inaction or automation to be counted as consent. Your users need to actively opt in, with the ability to see exactly what they are agreeing to and how they can retract their consent if they change their mind.

This is one of the many rights of the individual that have been clarified and expanded to offer a higher level of protection under GDPR. Each addition gives your users the ability to control their data in a new way, which in turn gives you and your business an obligation to comply with this.

The right to be informed

Your users have the right to know about the collection and use of their data. You should provide this to them when you collect their data, though the format of this explanation is up to you. This could be via a privacy policy, just-in-time notice or pop-up. No matter what, however, the GDPR states that the information must be easy to read, free and accessible.

The information you are likely to need to provide is:

The right of access

Beforehand, individuals could request access to their information, but organisations often made this difficult. Now, it must be provided for free and in a commonly used format. What’s more, if the request has been raised online, the data you provide must also be given in a digital format.

The information you are likely to need to provide is:

The right to rectification

If you have collected inaccurate or incomplete data regarding a user, that individual has the right to have it corrected or completed. This is especially necessary if the data is misleading in any way. You may receive a request for rectification verbally or in writing, and must offer a response. If you believe the information is accurate, you can refuse to rectify it: give your reasons with evidence, and point them towards the ICO if they would like to escalate the issue.

The action you are likely to need to take is:

The right to erasure

Often also referred to as the ‘Right To Be Forgotten’, this is not a new concept in Data Protection. Nevertheless, with GDPR the rules regarding this course of action have developed to make things easier on the user. Individuals can request complete erasure of the data that you hold on them in the event that it is no longer necessary for the original purpose, or if they want to retract consent. You are permitted to refuse a request for erasure in certain, very special, circumstances. This could be if you are complying with a legal obligation, operating as an official authority or in the public interest.

The action you are likely to need to take is:

The right to restrict processing

In some cases, there will be a legitimate need to retain the data you are collecting. In these cases, a user will have their requests for erasure rejected, but as an organisation you may still need to change the way you handle their data. This is restricted processing, in which you are permitted to store the data that you have, but not use it.

The action you are likely to need to take is:

The right to data portability

With this right, your users have the capability to transfer the data you hold to another IT environment, such as another provider of your service.

The action you are likely to need to take is:

The right to object

Individuals have the right to object to their data being processed for the purposes of scientific or historical research, for direct marketing, and by an official authority.

The action you are likely to need to take is:

Rights in relation to automated decision making and profiling

Increasingly, data collection and use is becoming an automated process. This kind of automated decision making and profiling is still covered by the GDPR. This means that you will still have to provide reasoning and gain consent for all of your data processing, as well as making your privacy policy clear regarding this. If all of your decision making is automated, there may be further rules that apply to you.

The action you are likely to need to take is:

Zinc is a digital agency that offers support and services while implementing a gap analysis or internal review. We cannot advise on your individual needs, and do not accept responsibility for any non-compliance.

To talk about how we can help action the points raised in a gap analysis or internal review, call us today.

Every business within the EU needs to be preparing for the new GDPR. The 25th May 2018 deadline is nearing, and from that day your business is at risk of substantial consequences if it is found to be non-compliant.

If you’re researching GDPR, it’s likely that you’re already aware of many of the obligations that your company has. Nevertheless, to begin with your company will need to undergo a gap analysis that can tell you where you need to improve.

Alongside your gap analysis, there are a few things that almost every business uses in its day-to-day running that could cause GDPR compliance problems.

Analytics

Google Analytics is a staple of most marketing strategies. It uses cookies to track every visitor to your site so that you can see where they go and what interests them. However, when you consider GDPR, Google Analytics could be putting your company in a difficult position. To make sure that your analytics use is GDPR compliant, take these steps.

Check What’s Being Collected – make sure that the data that you are collecting isn’t personally identifiable by the GDPR’s regulations. This means that analytics shouldn’t be collecting usernames in your page URLs, phone numbers in form completions or email addresses.

Turn on IP Anonymisation – the GDPR considers an IP address as Personally Identifiable Information. Therefore, you should make sure to protect this by turning on IP address anonymisation. We will be implementing this as standard for any clients who we set up Google Analytics for. If you’d like any help with this, please get in touch with our support team.
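The two steps above, as an added example that is not code from the original article or from Zinc Digital: a small scrubber that removes email addresses, phone numbers and identifier-style query parameters from the page path before it is reported, and a helper that switches on IP anonymisation for either analytics.js (`ga('set', 'anonymizeIp', true)`) or gtag.js (`anonymize_ip: true`). The property ID, the field names treated as sensitive and the sample paths are assumptions constructed for the example.

```javascript
// Added example (not from the article): keep PII out of the page paths sent to
// Google Analytics, and turn on IP anonymisation. Property ID is a placeholder.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Ten or more digits, optionally separated by spaces, dots, dashes or brackets,
// ending on a digit; short numeric runs such as dates (8 digits) are left alone.
const PHONE_RE = /\+?(?:\d[\s().-]*){9,}\d/g;
// Query parameters whose whole value is treated as an identifier (assumed names).
const SENSITIVE_PARAMS = new Set(['email', 'user', 'username', 'name', 'phone', 'tel']);

// decodeURIComponent throws on malformed input; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Replace email addresses and phone numbers in free text with fixed markers.
function scrubValue(value) {
  return value.replace(EMAIL_RE, 'EMAIL').replace(PHONE_RE, 'PHONE');
}

// Returns a decoded copy of `pagePath` ("/path?query") with PII redacted:
// identifier parameters are replaced wholesale, everything else is scrubbed.
function scrubPagePath(pagePath) {
  const qIdx = pagePath.indexOf('?');
  const path = qIdx === -1 ? pagePath : pagePath.slice(0, qIdx);
  const query = qIdx === -1 ? '' : pagePath.slice(qIdx + 1);
  const cleanPath = scrubValue(safeDecode(path));
  if (!query) return cleanPath;
  const cleanQuery = query.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) return `${key}=REDACTED`;
    return `${key}=${scrubValue(safeDecode(value))}`;
  }).join('&');
  return `${cleanPath}?${cleanQuery}`;
}

// Send the scrubbed path with IP anonymisation on. `ga` (analytics.js) and
// `gtag` (gtag.js) are the real globals those snippets define; when neither is
// present (e.g. running under Node) the function only returns the scrubbed path.
function configureAnalytics(propertyId, pagePath) {
  const scrubbed = scrubPagePath(pagePath);
  if (typeof ga === 'function') {
    ga('create', propertyId, 'auto');
    ga('set', 'anonymizeIp', true);
    ga('set', 'page', scrubbed);
    ga('send', 'pageview');
  } else if (typeof gtag === 'function') {
    gtag('config', propertyId, { anonymize_ip: true, page_path: scrubbed });
  }
  return scrubbed;
}

// Constructed sample: an account page whose URL embeds the user's email, plus a
// phone number submitted through a query parameter.
const SAMPLE_PATH = '/account/jane.doe@example.com/orders?phone=07700%20900123&ref=news';
console.log(configureAnalytics('UA-XXXXXXX-1', SAMPLE_PATH));
```

Run the scrubber over a day's worth of paths from your own analytics export to see how much PII is already being collected; anything the regexes miss (usernames that are plain words, internal reference numbers) needs a site-specific rule added to `SENSITIVE_PARAMS` or `scrubValue`.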

Forms

Almost every website has a form for customers to use to get in touch. Previously, entering your details into a form like this would likely sign you up to a mailing list and potentially even lead to your details being passed along. Now, your forms need to be transparent regarding the data they are collecting.

Consent – Affirmative consent is one of the most important new additions to the regulations. Your forms need to have a checkbox in which the user agrees to their data being stored, and to being contacted as a result of the form. You’ll need to be clear about why you’re collecting the data, and what you’ll be doing with it.
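Here is the consent checkbox handled end to end, as an added example that is not code from the original article or from Zinc Digital: the box is rendered unticked with the purpose stated next to it, the server accepts a submission only when the box was actively ticked, and a dated consent record (including the exact wording agreed to) is kept so that consent can later be evidenced or withdrawn. The field names, company name and consent wording are assumptions made up for the example.

```javascript
// Added example (not from the article): affirmative consent on a contact form.
// Field names (`consent`, `consent_version`) and the wording are hypothetical.

// Versioned consent wording: the record stores which version the user saw, so a
// later change of wording does not silently alter what earlier users agreed to.
const CONSENT_TEXTS = {
  v1: 'I agree to Example Ltd storing my details and contacting me about this enquiry.',
};

// The checkbox is rendered without a `checked` attribute: a pre-ticked box does
// not count as consent under the GDPR. The purpose is stated beside the box.
function renderConsentCheckbox(version) {
  const text = CONSENT_TEXTS[version];
  if (!text) throw new Error(`unknown consent version ${version}`);
  return [
    `<input type="hidden" name="consent_version" value="${version}">`,
    `<label><input type="checkbox" name="consent" value="yes"> ${text}</label>`,
  ].join('\n');
}

// Only an explicitly ticked box counts. An unticked box is simply absent from
// the submitted fields, so a missing or empty value can never pass.
function checkboxTicked(value) {
  return typeof value === 'string' &&
    ['on', 'true', '1', 'yes'].includes(value.trim().toLowerCase());
}

// Validate a submitted form. Returns { ok: true, record } or { ok: false, errors }.
function validateConsentSubmission(fields, now = new Date()) {
  const errors = [];
  if (!checkboxTicked(fields.consent)) {
    errors.push('consent checkbox must be actively ticked');
  }
  const text = CONSENT_TEXTS[fields.consent_version];
  if (!text) errors.push('unknown consent text version');
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    record: {
      email: fields.email,
      consentVersion: fields.consent_version,
      consentText: text,          // exact wording the user agreed to
      consentedAt: now.toISOString(),
      withdrawn: false,
    },
  };
}

// Withdrawal is recorded, not deleted: the original consent remains as evidence
// of what was agreed and when, while further contact must stop.
function withdrawConsent(record, when = new Date()) {
  return { ...record, withdrawn: true, withdrawnAt: when.toISOString() };
}

// Constructed sample submissions: one without the box ticked, one with.
const unticked = validateConsentSubmission({ email: 'a@example.org', consent_version: 'v1' });
const ticked = validateConsentSubmission({ email: 'a@example.org', consent: 'yes', consent_version: 'v1' });
console.log(renderConsentCheckbox('v1'));
console.log(unticked, ticked, withdrawConsent(ticked.record));
```

Store the returned record alongside the enquiry and check `withdrawn` before any marketing contact; the version and wording fields are what an auditor will ask for when you need to show that consent was informed.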

SSL

An SSL certificate is already an important addition to any site that handles data, but with the new GDPR obligations it is now vital. Although it is not required for full compliance, an SSL certificate encrypts data in transit between your visitors’ browsers and your site so that it cannot be read if intercepted. In the event of an audit, having an SSL will show that you are making every effort to protect your users.

When purchasing an SSL, you need to be aware of the difference between low-cost and premium SSL certificates. There are a number of providers online that offer SSLs at a reduced price. The majority of SSL certificates use the same SHA-2 and 2048-bit encryption; the main difference between these SSLs and the ones provided by premium organisations such as Zinc is the level of warranty available. In the event that your end user loses money as a result of an SSL failure, your provider will reimburse them. Low-cost SSL providers offer a far smaller warranty, putting your company in the position of potentially having to compensate a user for their losses in this instance. Zinc Digital offer Thawte SSL Certificates that offer a minimum warranty of $500,000.

Privacy Policy

Most websites now have a privacy policy on as standard, but with the advent of GDPR you will need to update it to be clearer and cover some of the new obligations you have. Long, unintelligible privacy policies are no longer allowed – your privacy policy needs to be written in plain language as well as being easy and free to access.

The information needs to be updated to provide the facts about:

This information should all be known to you through your standard GDPR preparations, and could even help you to discover gaps in your strategy that could lead to sanctions in an audit.

Zinc Digital cannot create a privacy policy for you, but we can recommend suppliers that can provide this service.

Zinc Digital are undergoing a Gap Analysis to highlight the improvements we should be making to our own data protection measures. We advise that all organisations take this step as their first point of action. We can then assist you in implementing the changes you will need to make as a result of this.

We can help your business with:

Call us today to discuss your gap analysis and begin your journey to GDPR compliance.

9th April 2018

25th May 2018 is a date that needs to be in the calendar of every business, large and small, in the UK and EU. This is when the new General Data Protection Regulation (GDPR) comes into effect. After this date, companies that aren’t complying with the new regulations could be subject to significant sanctions. For a full overview of GDPR and what it might mean for you, please see our Understanding GDPR page.

The new requirements are complex, but they have one overarching goal: to improve the way that data is handled by corporations by protecting individuals. Part of this protection is adding clarity to the definitions of ‘personal data’ and ‘sensitive personal data’. As a business owner, you need to be aware of the new definitions, and what they mean to the way that you will be handling data.

Under the regulations, personal data is protected. Within personal data is a subcategory of sensitive personal data which must have further measures applied in order to comply.

Personal Data

According to the ICO, Personal Data is ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. Put simply, this is any information which could potentially lead to an individual being found, either physically or digitally. This could be:

However it also includes indirect identifiers such as:

Sensitive Personal Data

The ICO defines Sensitive Personal Data as ‘special categories of personal data’. This is data that could not only lead to identification, but is of a private nature or could potentially place the individual in a compromising situation.

Once you understand the nature of the data that you or your business handles, you’ll need to know your responsibilities regarding it. This depends on whether you are a controller or processor.

To determine if you’re a controller or processor, you’ll need to answer two questions:

  1. Do you or your business choose the way that data is collected?
  2. Do you or your business choose the reason that data is collected?

If you’ve answered yes to these, you’re a controller. This means that you’re responsible for implementing the measures that will protect the data you’re in control of. On the other hand, a processor is a business or entity that collects or processes data on behalf of others, without control over it.

For example, a doctor’s surgery or bank would be a controller as they collect the data for their own reasons, but a payroll company or a Digital Agency such as Zinc is a processor as they are acting on behalf of another.

Once you know what your business is classified as, you’ll be able to understand your obligations and get a gap analysis. Zinc Digital cannot offer advice regarding your GDPR compliance, but we can help you implement the suggestions recommended in a third party or internal gap analysis.

To discuss your gap analysis, get in touch with us today.

What Your Small Business Needs To Know About GDPR

29th March 2018

In the digital age, data is king. Every business runs on the data it uses: when making business decisions, advertising to its users or developing new technologies. Until recently, the data laws that protected the general public were from 1998 – a time before data giants such as Google, Facebook and Amazon were collecting a wealth of information on their users on a daily basis.

The EU recognised the need to bring in a new set of regulations to replace the Data Protection Directive (1998) that would recognise the way that data was being used in the modern day, and rectify the problems arising from its misuse. An example is the recent Cambridge Analytica story in which the information from millions of Facebook profiles was gathered and used to interfere with major political events such as the 2016 US Election and the EU Referendum. By implementing these laws, the EU hopes to not only protect the general public from the misuse of their data, but to have a clear set of consistent guidelines for every organisation or individual within the EU.

It’s for this reason that on 25th May 2018, the General Data Protection Regulation (GDPR) will go into force across Europe. It will build on the data protection framework already put in place by the Data Protection Directive, adjusting some of the existing regulations, adding a considerable amount of new requirements for organisations and defining new rights for the individual.

GDPR is a complex set of regulations with many facets, but there are some key aspects that every business should know:

Consent

The data your business collects should be only collected with the express, unambiguous consent of the party. Inaction, assumed consent, or pre-ticked boxes will no longer count as consent.

Data Protection Officer

Whenever possible, your firm should appoint a Data Protection Officer to manage and monitor your data governance. In some cases, this is mandatory: if you’re a public authority, regularly monitor individuals as a company, or frequently process sensitive data such as criminal convictions or information regarding health, religious belief or sexual orientation. For other organisations, it’s not a compulsory part of compliance, but remains a prudent decision.

Privacy

New systems should be designed with data protection in mind, and you should conduct a data protection impact assessment to ascertain whether action should be taken. This can be performed internally or through a third party company. Zinc Digital do not offer an analysis service, but can assist with the implementation of necessary actions following your assessment.

EU Transfers

Data that will be transferred out of the EU must still be given an appropriate level of protection – this includes personal data transferred under the EU-US Privacy Shield agreement.

Personal Data

Every organisation should know what personal data they handle, and the related data flow.

Data Subject Rights

Your users now have rights that you should be aware of: the right to be forgotten, the right to data portability, the right to erasure and rectification. They also have the right to request the reasoning behind your data collection, as well as any automated decisions. For more information on Data Subject Rights,

Legal Basis For Processing

If you process any data, which the majority of businesses do, you need a legal basis for this. There are six legal reasons for this

Data Security and Controls

Your company must have sufficient data security controls to protect data. It’s a requirement to report a breach to the ICO or relevant authority within 72 hours, and to the data subject if the breach puts them at risk of having their rights or freedoms compromised.

Principles

The principles of the GDPR must be upheld; organisations must ensure that data subjects have control over the protection of their data through transparency, lawfulness, purpose and confidentiality.

The new obligations that will be asked of organisations apply to every business, no matter the size. Previously, small companies were at a lower risk of consequences. Now that the rules are standardised, the ramifications of breaching the GDPR are also standard. Businesses could be subject to a fine of up to 4% of their global annual turnover, or £20,000,000 – whichever is larger. The financial impact of infringing the GDPR could be devastating to a small business. Companies have a responsibility not only to comply with these regulations, but to demonstrate this compliance by documenting their policies and procedures. As standard, your business should be preparing itself to present evidence of compliance in the event of an audit.

For consumers, there are equally important things to consider. Every internet user will have new and comprehensive rights that will change the way the sites they visit interact with them.

The right to be informed – an organisation must be honest with you, as a user, about how your data is being used. The information must be concise, simple and free to access, and easily understandable.

The right of access – individuals can receive confirmation that their data is being processed as well as access to the personal data

The right to rectification – if the personal data is inaccurate, users have the right to request that it is corrected both in the organisation’s records, and those of any third parties that the data has been shared with.

The right to erasure – an individual can have their personal or sensitive data erased in the event that they retract consent, or if it is no longer necessary for the original purpose.

The right to restrict processing – In some circumstances, such as a legal requirement to retain data or an objection denied for legitimate interests, organisations must instead restrict processing.

The right to data portability – Users can gain access to and reuse their personal data as they wish, including moving, copying or transferring the data to another environment. This must be provided securely, and in a usable format.

The right to object – individuals can object to their data being processed for scientific or historical research, for direct marketing, and by an official authority.

Rights in relation to automated decision making and profiling – in the event that an automated decision leads to a significant effect on the user, the individual has the right to object to the action, gain human assistance and gain an explanation for the decision.

Zinc Digital is a digital agency that is working with organisations to help achieve GDPR compliance. Whilst we won’t advise you on your own specific GDPR requirements, we can assist you in implementing the actions advised in a third party or internal gap analysis.
