Many of our users have been asking us about GDPR: what does it mean? To whom and to what does it apply? How does it affect me as a business? We know that while a lot of information is circulating the net, part of this information may be incomplete, incorrect or misleading.
This is why we contacted one of the leading British law firms, Fladgate, a firm that specializes in intellectual property. They were kind enough to offer complete and professional answers on the subject, included in this post.
Below you will find readable and easy to understand guidelines for GDPR, as it relates to topics relevant for Elementor site creators. It is drafted in legal writing, so it’s a bit different from our usual blog lingo, but we believe it is the best (and only) way to understand GDPR rules clearly. We would like to thank Eddie Powell of Fladgate, for composing and clarifying these elaborate and comprehensive guidelines for our community.
The questions answered in this post include:
What is the GDPR and why is it important?
The GDPR stands for General Data Protection Regulation. It is the new EU formulated set of rules governing how businesses hold and use individuals’ personal data.
Most people have heard about the fines that can be imposed on businesses that break the rules. These can run up to €20 million or for particularly big groups of companies 4% of group global turnover, which could be a massive amount of money.
More importantly, however, the publicity associated with failure to comply with Data Protection rules can significantly damage the reputation of a business, and lead to customers and suppliers not trusting it. In addition, new business will be affected if customers do not trust the business with the information, and that it will maintain a high standard of privacy. Customers want to feel in control of their personal information.
The rules apply to “personal data”. Personal data includes obvious things such as people’s names, addresses and contact details etc. It will also include a list of email addresses where you can identify the individual from their address (e.g. [email protected] – you can tell that Bob Smith works at Universal Widgets) and IP addresses. Information will stop being personal data if you anonymise it so that you can never work out who an individual is from the set of information.
GDPR says you cannot just collect, store, use and transfer this personal data (all of these are called “processing”) simply because they are stored on your business’ system. You must think about what you want to do and apply the rules.
You need to have one of 6 grounds that the GDPR specifies. The key ones for our purposes are:
- performing a contract with the individual or using the information to put a contract in place;
- complying with a legal obligation (not a contract with another company) to which the business is subject – such as compliance with anti-money laundering rules or prevention of crime;
- where the individual has given their consent (which must be specific, informed and unambiguous) to what you want to do with their information; and
- where the processing you want to carry out is necessary for the business’ legitimate interest, but balanced against the rights and interests of the individual concerned, who will be interested in their privacy.
There are special rules where you are dealing with children where you must verify their consent with their parents. There are also special rules for dealing with information about people’s criminal convictions and for what the law calls “special categories” which includes information about:
- Sexual orientation
- Political beliefs
- Trade union membership
- Genetic and biometric data.
It is also worth remembering that there are special rules (not part of the GDPR) for email and SMS marketing – do not assume that because you have someone’s email address or contact details you are okay to send marketing communications via these channels to them. You must have given them the ability to opt out of these communications when you collected the information, and always include the ability for them to want to unsubscribe from future marketing communications.
Plan & Inform
If you want to use personal data for something, such as a new software implementation, a new database project or to provide a more personalised service to customers, it is really important not to just assume it is okay to take existing personal data that may be on the business’ systems and use it. You need to think about the bases that have been discussed above and, in particular, think about whether there may be any special category data that might be included, because the rules about these are so much stricter.
If you collect further information for your stated purpose, then make sure you collect only what you actually need. Do not ask individuals to provide more than is required for you to achieve the purpose they have been told about.
The individual needs to be told in very clear terms about what is happening with their personal information. This includes:
- your company details and contact details;
- what is the purpose of the processing of data;
- who you are going to send the data to;
- whether you are intending to export the data to another country;
- how long you will keep the data for; and
- information about rights to withdraw consent and other rights arising under the GDPR.
This information must be provided under the GDPR when the information is collected or (if the information is received indirectly) within a month of receipt. Your business should have standard forms that will allow you to give this information – they should always be used when new personal data is collected.
Once you have complied with the above, then execute your planned project, but stick to it and make sure you delete any personal data which is not needed or could not legitimately be kept. Remember that if you change your plans or decide to do something else with the personal data, you need to go back over the steps again and redo the exercise.
Be especially careful about using personal data which was gathered for your business to use and you now want to pass it onto a third party.
You need to think about the basic compliance steps above and make sure that you have satisfied the legal grounds for the processing and the individual has been given all the necessary information about it.
If the recipient is carrying out a job for you (such as a payroll services provider) on your instruction, then they will be your “processor” and you must have a written contract with them which includes certain guarantees about security and compliance.
It is very unlikely that you will be able to receive or transfer “special categories” of data, and if this becomes necessary you should make sure that you check with your business’ compliance team.
There are also special rules if you want to move information to a country which is outside the EU, where the laws on the protection of personal data may not be as strict. You may need to use standard forms of contracts with the business or organisation who is going to receive the personal data or make other arrangements which will ensure that the individual’s rights are respected.
The GDPR gives individuals a number of rights against businesses holding their personal data. These include
- Rectification – any mistakes or inaccuracies must be corrected;
- Access – a copy of the data, and details of what it is being used for, has to be supplied;
- Cessation of processing – stop all use of someone’s personal data
- Erasure (the right to be forgotten) – deletion of all records about the individual
- Portability – transfer of personal data held in a machine-readable format to the individual or to another provider.
The GDPR does not specify security levels; it just says that businesses have to have an adequate level of technological and organisational security, so your company will have security procedures in place which is designed to help you comply with this requirement. Always obey them.
Remember it is not just large scale cyber-attacks that can be a breach of personal data security. It is often the little things that cause the biggest problems such as personal data stored in mobile devices which are lost, or unencrypted laptops which are left in public areas. One of the biggest causes of personal data loss is emails going astray because of auto-complete putting the wrong email address in.
GDPR imposes a duty on businesses to notify the authorities about any breaches in security, and your company will be under an obligation to keep a record of any breaches, no matter how minor, so that management can make a decision about what needs to be notified. Make sure that any loss involving personal data, even if it is quickly corrected or is unlikely to cause any damage, is reported in accordance with your company’s policy.
Eddie Powell is a partner in the Commercial Sport and IP team at Fladgate LLP solicitors in London. For more information see https://www.fladgate.com/lawyer/eddie-powell/
What steps have you taken to make your site GDPR compliant? Let us know in the comments below.