15 May 2018
What is GDPR?
The General Data Protection Regulation (GDPR) is coming into force on 25 May 2018, and is the first comprehensive overhaul of EU data protection in 20 years. Feast has provided the following summary for reference:
Please note that this is for informational purposes only and should not be relied upon as legal advice. Feast encourages you to contact legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
Key principles to know about GDPR
- GDPR expands the definition of personal data and includes personally identifiable information such as name, email address, phone number, birth date etc. It now also includes data that previously could be considered non-personally identifiable information, like IP addresses, geolocation, or device IDs.
- Personal data that is collected will be processed in a way that is reasonably expected by the consumer.
- Personal data shall only be collected for a specific purpose, and how and why it is needed must be explicitly communicated.
- Data held needs to be kept up-to-date and accurate
- EU citizens and residents have a right to access their data and to request that the information held on them be disclosed, updated, deleted or moved. Any request shall be actioned “within 1 month.”
- Data is to be kept safe and secure (and limited to only those people who need access). A breach shall be reported in a timely manner.
Consent and Legitimate Interest
One of the main tenets of GDPR is consent: the choice to opt in to having one’s data saved or to being contacted. You may no longer have pre-checked boxes authorising permission to collect information. Feast will work with you to make sure you’re compliant, but it’s your responsibility to ensure your website adheres to the following rules:
- Opt-in language must be unambiguous
- Opt-in must be specific; you can’t bundle with other offers or marketing and it can’t be hidden in long terms or privacy policies
- A user’s consent may be withdrawn at any time. Often this takes the form of an unsubscribe link provided in an email, but users may also contact you via a website contact form or email to make this request.
- Lastly, consent (generally) may not be made a condition of gaining access to a service. For instance, you can’t make consent to marketing a prerequisite to applying for a service. However, individual choice may be given (via check boxes).
The fundamental difference between Consent and Legitimate Interest is as follows:
- Consent: “Here’s what we would like to do with your data. We will only do it if you tell us it’s OK”
- Legitimate Interest: “Here’s what we intend to do with your data. We need to, and we don’t believe it will harm you. You can tell us you’d prefer us not to.”
Controller and Processor
There are two primary roles when managing data under GDPR: Controllers and Processors.
- Controllers are any person or agency that, alone or jointly, determines the purpose and means of processing personal data. Essentially, whoever holds the data and determines how it is used.
- Processors are the entities that use the personal data for the Controller and under the Controller’s direction or instruction.
- In some cases, a Controller can also act as a Processor; the role is determined by the processing activity and the type of personal data involved, not by the company/agency as a whole. There can also be more than one Controller.
In almost all cases, Feast is deemed a Processor; however, in some instances we will work as a Controller on your behalf depending on what services we have been retained for.
Feast stores and holds personal information on databases, servers, and online applications, but Feast will not process the data based on any given service for our own needs or requirements.
As a client of Feast, you are most often the Controller and Feast provides you with access to the data. It’s saved on your behalf, and you can also process the data based on your policies (i.e. marketing, sales, transactions, contact, etc.).
Depending on what we were originally tasked with, Feast may have written code to automate some of the above to retrieve and process data on your behalf; however, the data is yours and ultimately you are responsible for ensuring the correct processes are in place.
What are your responsibilities?
As controller, you have a number of responsibilities.
- You are the primary point of contact. If any user/subscriber requests access to their data and enquires what information is held, or asks for it to be updated, deleted or moved, this will be facilitated by you. Feast supplies the tools needed to add or edit personal data; however, for best practice, please inform Feast if a user has requested to be permanently removed so that we may ensure all processes are covered.
- Only use the usernames & passwords issued to you to access your website and related services.
- Don’t share your password with other individuals.
- If it’s determined that additional users are needed, contact Feast and we’ll provide a new login for those users.
- Let Feast also know if select users need limited access.
- Only use the data for the purpose it has been provided.
Feast is happy to assist with any requests you may have, but depending on your requirements, or scope of work required, there may be costs associated.
Request to update/remove/do-not-track
As noted above, under GDPR, EU citizens and residents have a right to request any information you hold on them and/or have it permanently deleted. Any request needs to be granted within 1 month.
Feast offers you the tools to remove data within its software. If you should have any issues, or concerns when receiving a request for removal, please do let us know and we’ll be happy to assist (additional consultancy or development work may carry a fee).
What are our responsibilities?
Feast embraces GDPR and the strong data privacy and security principles that it emphasizes, many of which Feast has had in place for a long time.
We regularly review our procedures, rotate passwords, employ Two-Factor Authentication and test our systems. Only current staff have access, and only to what they need in order to do their job.
We monitor all sites, services and servers and run a regular maintenance schedule to ensure they are up to date, as well as applying hot-fixes/patches as may be required.
Any requests for data or assistance will be handled promptly, and any data supplied will be transferred securely.
Where Feast identifies any security breaches or areas of concern, we will immediately bring these to your attention and discuss the necessary steps to remedy the situation.
How we protect your customer data
Feast is registered with the Information Commissioner’s Office (ICO), number: ZA151190, as mandated by the Data Protection Act 1998. This requires every organisation that processes and stores personal information to be registered.
As a registrant with the ICO, Feast is constantly monitoring and maintaining the data we hold on behalf of our clients. We make updates to our servers, enforce security protocols when information is input on our websites, and limit the access to only those persons who need to process the data.
Where data is stored
All data is generally stored on servers in the United Kingdom or European Union (depending on our clients’ specific needs), on cloud-based servers and infrastructure. However, as is the nature of the Internet, some information may pass through global data centres.
Under current data protection law, transfers of personal data outside the European Economic Area (EEA) are restricted but transit through a non-EEA country is allowed.
Ultimately, GDPR protects the rights of EU citizens regardless of the location where the data is processed.
Wherever practical we aim to ensure all data is encrypted at input via the website and in transit to the datacentre, keeping a user’s information safe. Certainly, for any website that has an input for sensitive or financial data we require, install and manage an SSL (Secure Sockets Layer) certificate. SSL is a widely used and accepted industry standard security protocol for establishing encrypted links between a user’s browser and a web server.
Any financial transactional information (i.e. bank accounts, credit card numbers, etc.) is handled directly via third party payment gateways; Feast has no access to this data and the data remains secure throughout.
When a site has an SSL certificate, it is denoted with a padlock icon (Chrome, Firefox, Opera, Safari, etc. each display it slightly differently).
While this is not a requirement for all inputted data (i.e. sign-up, contact forms etc.), it is strongly recommended. Feast will gladly assist in purchasing an SSL certificate if one has not already been acquired for your site (generally this will only affect older websites, as all sites have been set up this way by default for some time now).
Any passwords, personal user information, or other sensitive information stored on our servers is encrypted.
Additional protections to your data
At Feast, we’re very careful with all our clients’ data and work to the highest standards to keep it safe.
One of the main features of the GDPR is that compliance alone is not enough; data controllers will also have to demonstrate their compliance and prove that they are taking data protection seriously by implementing a range of accountability measures.
What you can do to keep things safe
As stated above, limit the access your organization has to your users’ personal data. Keep passwords safe (and make them tough to crack) and don’t share them.
Have someone in your organisation act as a data protection officer (DPO). Depending on the size of your organisation, this should ideally be a selected member of staff who manages your data and controls access.
While Feast can help & advise on what data is stored on our servers, we are not responsible for the export and storage of personal data. If you download personal data (where we have provided such functionality – i.e. user, sales or mailing list exports to a spreadsheet or similar), the responsibility for that data is solely yours.
A few things to note:
- Should you detect a breach which is subject to the mandatory reporting rules, you must report the breach to the supervisory authority without “undue delay” and not later than 72 hours after becoming aware of it.
- Notify Feast
- Change all passwords
- Determine how the breach occurred (if applicable)
- Please note that if a breach was found to be a result of negligence on your part, a significant fine may be levied!