Is your website ready for GDPR? | Need-to-know

1. Do any data subjects you are collecting data from, including your employees, reside in the EEA/EU?
If you are collecting data from citizens or employees who reside in the EEA, then the GDPR applies to you, even if you are based in a country outside the EU.

2. Is your organisation aware of what personal data means under the GDPR?
The GDPR’s definition of personal data is ‘any information relating to an identified or identifiable natural person’. There is, however, a wide interpretation – it could mean a nickname, an ID number, an IP address or other indirect identification.

Disclaimer: This questionnaire is for general informational purposes only and is not intended to be legal advice and does not imply a lawyer client relationship. Please seek proper legal advice should you require legal advice or clarification on the law. SmartSurvey Ltd is not responsible for any incorrect or inaccurate information. This survey is anonymous and no personal data is asked for. All data collected is stored on servers in the UK and will not be shared with anyone.

3. Have you assessed the impact of the new definition of consent under the GDPR and how this affects your surveys?
GDPR’s revised approach means you must have clear documentation that the audience is happy for you to email them. And remember, you will need to obtain new consent from any current contacts in your database as well.

4. Do you have a process for breach notification?
There will be a duty for all organisations to report certain types of data breaches and, in some cases, inform the individuals affected by the breach as well.

5. Have you given the data subject the right to access his or her information?
Individuals must have the right to access any personal data that you store about them and this must be provided free of charge.

6. Where a data subject has asked for his or her information, is the information given in a commonly usable and machine-readable format?
When asked, you must use “reasonable means” to supply the information. For example, if the request is made electronically, you should provide the information in a commonly used electronic format.

7. Does your organisation have a process for erasing a data subject’s data at his or her request?
Make sure you have a process in place for when an individual asks you to delete their personal data. Would you know where to find the data, who has to give permission to delete it and what internal processes are in place to make sure that it happens?

8. Does your organisation hold and process data only if it is absolutely necessary for the completion of its duties?
GDPR will introduce the concept of ‘privacy by design’ and by default to encourage organisations to consider data protection throughout the entire life cycle of any process. Organisations will need to implement internal policies and procedures to be compliant.

9. Have you trained your staff on the GDPR and how to properly handle data?
The majority of data breaches occur because of human error. To make sure staff are aware of their obligations, organisations are encouraged to implement GDPR staff awareness training and provide evidence that they understand the risks.

10. Have you considered if you need to appoint a Data Protection Officer (DPO)?
For many businesses, it will be mandatory to appoint a DPO, for instance if your core activity involves the regular monitoring of individuals on a large scale. You should consider now whether or not you need to appoint a DPO and to make sure they have the required expertise and knowledge.

Consequences of not being GDPR compliant

Penalties for non-compliance with the GDPR will apply to both data controllers and processors and will depend on certain factors, including:

  • Duration of the infringement
  • Quantity of the data subjects affected
  • Level of impact

For serious violations of the regulation, businesses could be fined up to 20 million euros or 4% of global turnover, whichever is higher.

Visit the ICO website for further updates and an overview of the General Data Protection Regulation (GDPR).