GDPR stands for the ‘General Data Protection Regulation’ which comes into force in the EU on May 25th 2018. The UK will have it’s own version based on the GDPR, which basically this means the old Data Protection Act 1998 is having a much needed update!
The new GDPR data protection regulations affects the information you collect to process an order and run your handmade business, the data you collect for marketing and knowing the companies you chose to use to ‘look after’ that data for you including Etsy, Paypal, Mailchimp etc.
Why is it changing?
Our lives and use of technology have changed beyond belief since the last Data Protection Act in 1998! The world is a different place.
In 1998 Google was just starting up, Yahoo was the go to directory and it would still be another 6 years before Facebook launched! (Remember Titanic and how Celine Dion’s heart must go on….)
So you can see the online world has made massive leaps forward in the last twenty years, so it is time for the Data Protection Act to catch up!
But what does it actually mean for you?
The priority of the new regulations is to give everyone control of their personal data in this tech world and to ‘simplify the regulatory environment for international business by unifying the regulation within the EU.’
Yes, it is a mouthful.
And yes, that also applies to small creative businesses! In fact all businesses.
And yes, even though Brexit is happening, the UK are still adopting the new regulations which makes sense as we would need to comply anyway to handle the data of any EU citizens. (Though in the UK it will be called the UK Data Protection Bill, (the UK interpretation of GDPR). It will be published in Autumn 2017. It will become our law.
I urge you to get the full information from the horse’s mouth here
If you struggle with the detail of the full GDPR and its 100 articles, the UK Data Protection Bill will be easier. Oh, and keep an eye on the ICO website, their guidance is subject to continuous change. Tweaks and changes can be made right up to the last minute!
But here are the must know highlights, as we know them:
Before you read on please get familiar with these meanings:
Data Subject – the individuals whose data you are collect and use. This is who the law is designed to protect.
Data Controller – you, or the person responsible in your business for managing the collected data.
Data Processors – the companies you use who process the data for you, eg Paypal, Mailchimp etc.
- The GDPR applies to any information relating to an identified or identifiable individual (the data subject) including (though not limited to): Name, address and unique identifying numbers; Demographics; Behavioural data; Social data; Sensor data; User generated content.GDPR is only concerned with personal data; anonymized data is out of scope. However if the anonymised data can be tracked using various data sources to an individual then it is classes as personal.
- You will no longer need to register with the ICO.
To comply with the old (still current until 25th May 2018) Data Protection Act 1998 you need to register as a data controller, which includes paying the ICO (Information Commissioner’s Office) an annual payment of £35.
UPDATE: However you will need to pay a ‘Data Protection Fee’. As ‘a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work.’
I won’t share my personal feelings on this but you can read more about it on the ICO blog here.
A big change here is that you can no longer charge an administrative fee for people to access the data you have on them and you have to respond with all the data you have within a month.
- Breaches in data security must be reported immediately to data protection authorities (e.g. Information Commissioner’s Office (ICO) in the UK.) within 72 hours (preferably 24hours).
- Consent must be freely given, specific, informed, and unambiguous. When you are collecting data for marketing this is crucial! No pre-ticked boxes allowed!
The tracking of consent is important as data controllers must be able to demonstrate when consent was given and know the legal basis for the processing.
You are not legally required to get ‘new’ consent from existing data subjects; however you do need to make sure that consent for all existing and new data subjects complies with the new regulations from 25th May 2018. (Keep an eye on your in box as you should start to see businesses who you have previously ‘signed up to’ asking for your renewed explicit permission!)
- Ensure all your Data Processors are complaint with GDPR (eg: Etsy, Paypal, Mailchimp etc). This is your responsibility. Do not use processors who are not compliant.
- Penalties up to €20M or 4% of global turnover, whichever is bigger, are on the cards for non-compliance. Many big businesses are spending astronomical amounts of money to ensure they are compliant in time. So this is serious stuff for all business owners.
I’m sure as a data subject you want to know that your data is being looked after, so make sure you offer the same courtesy to all your data subjects by complying.
Note: I have only highlighted a few of the important issues here for small creative businesses.
It is your responsibility to make sure you know exactly what you need to do to comply.