GDPR comes into force on 25 May 2018 and it affects anyone who does business with anyone within the EU.
Within the UK there are now thousands of experts in the field, guiding companies through the process of readiness, changing contractual terms for their suppliers (and increasing limits of liability for breaches where uncapped liability is not an option) and generally keeping compliance departments very busy.
Potential fines are HUGE (up to 4% of global annual turnover or €20m, whichever is higher), so expect fines to be issued. The bigger risk to individual companies, however, is the claimant solicitors already waiting in the wings to take on cases where people feel their data has been breached. Seriously, just do a Google search and see how many domain names have already been registered in anticipation.
We would outline the details of the forthcoming legislation along with a handy guide of what to do, how and when, but it’s not straightforward and it’s best to hear it from those administering it, such as the ICO in the UK.
What have we done?
Whilst reviewing the legislation as a whole got dull quickly, how it affected us (we are ever so slightly narcissistic) did not, and we’ve held a number of compliance meetings over the past 6 months. The outcome can be summarised as follows, in terms of how we have interpreted the regulation and what we have done about it.
Privacy by design
This is a phrase oft repeated when discussing the regulation, but it really is pertinent. We have reviewed every single one of our processes (that was a fun week), from searching on our site to making a purchase, and have ensured that this principle is upheld EVERY SINGLE TIME.
What this means in plain terms:
- We only use the data you supply when making a purchase to process your purchase
- It has NEVER been used for anything else and never will be
- We don’t auto-sign you up for anything.
- Anything you do sign up for (newsletter, creating an account) is strictly opt-in only
- We have never sold or passed on data, and we’re not about to start
Actually, this was the easy bit for us: we didn’t really need to do or change anything, just map it all out. We’ve also never had adverts or banners on the site, so that was another area we didn’t have to consider.
Retention of Data
The regulation is quite clear that records should only be held for as long as they are needed, and to be fair this has not changed from the current Data Protection Act.
We do retain purchase records because we are often contacted by customers who have changed PCs or lost their template and ask us to resend it, sometimes many years after the purchase date.
Because we actually like helping folk out we’ve been more than happy to do this at no charge, but after much internal debate we’ve concluded that we need to auto-delete purchase records after a suitable period. We have settled on a retention period of 60 days and have already deleted thousands of records ahead of May.
In real terms this means we will happily carry on helping folk out who have lost a template purchased a few years ago; we just won’t be able to find the purchase record, so it is imperative that you retain your invoice.
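As an added illustration of what a fixed 60-day retention rule looks like in practice, here is a small retention purge in Python against an in-memory SQLite table. This is example code written for this page, not the shop’s own purge job: the table layout, column names, sample orders and run time are all assumptions.

```python
"""Retention purge: delete purchase records older than a fixed retention period."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 60  # the retention period stated in the post

# Constructed sample data (not real orders): order id, purchase time as ISO 8601 UTC, email.
SAMPLE_PURCHASES = [
    ("A100", "2018-01-02T10:00:00+00:00", "alice@example.com"),
    ("A101", "2018-03-15T09:30:00+00:00", "bob@example.com"),
    ("A102", "2018-04-20T18:45:00+00:00", "carol@example.com"),
    ("A103", "2018-04-30T23:59:59+00:00", "dave@example.com"),
]

# Constructed run time for the example: 1 May 2018, so the cutoff falls on 2 March 2018.
SAMPLE_RUN_TIME = datetime(2018, 5, 1, tzinfo=timezone.utc)


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory purchases table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE purchases ("
        " order_id TEXT PRIMARY KEY,"
        " purchased_at TEXT NOT NULL,"  # always ISO 8601 in UTC, so string order == time order
        " customer_email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO purchases VALUES (?, ?, ?)", SAMPLE_PURCHASES)
    conn.commit()
    return conn


def retention_cutoff(now: datetime, retention_days: int = RETENTION_DAYS) -> str:
    """Return the ISO 8601 UTC timestamp before which records are out of retention."""
    if now.tzinfo is None:
        # A naive "now" makes the cutoff depend on the server's local clock; refuse it.
        raise ValueError("now must be timezone-aware")
    cutoff = now.astimezone(timezone.utc) - timedelta(days=retention_days)
    return cutoff.isoformat()


def purge_expired(conn: sqlite3.Connection, now: datetime,
                  retention_days: int = RETENTION_DAYS, dry_run: bool = False) -> int:
    """Delete (or, with dry_run=True, only count) purchases older than the retention period.

    Returns the number of records affected. Parameterised queries keep the cutoff
    out of the SQL text, and the count and delete run in one transaction.
    """
    cutoff = retention_cutoff(now, retention_days)
    with conn:  # commits on success, rolls back on error
        (count,) = conn.execute(
            "SELECT COUNT(*) FROM purchases WHERE purchased_at < ?", (cutoff,)
        ).fetchone()
        if not dry_run and count:
            conn.execute("DELETE FROM purchases WHERE purchased_at < ?", (cutoff,))
    # The audit line carries counts only, never the personal data being removed.
    verb = "would delete" if dry_run else "deleted"
    print(f"retention purge: cutoff={cutoff} {verb} {count} record(s)")
    return count


def remaining_orders(conn: sqlite3.Connection) -> list:
    """Order ids still held, in id order (used to verify the purge)."""
    return [row[0] for row in conn.execute("SELECT order_id FROM purchases ORDER BY order_id")]


if __name__ == "__main__":
    db = open_sample_db()
    purge_expired(db, SAMPLE_RUN_TIME, dry_run=True)  # preview first
    purge_expired(db, SAMPLE_RUN_TIME)                # removes A100 only
    print(remaining_orders(db))                       # A101, A102, A103 remain
```

Two design points worth keeping when adapting this: run it as a dry run first so the count can be sanity-checked before anything is deleted, and store timestamps in UTC so the cutoff does not shift with daylight-saving changes. The log line records only how many rows went, which is what an auditor wants to see and contains none of the data you have just promised to remove.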
We’ll issue a further update ahead of May, but rest assured we are taking the whole GDPR thing ever so seriously.