Skip to main content

9 May 2016

Updates to the Data Protection Act: start getting ready for the General Data Protection Regulation

By:

The Data Protection Act is being replaced with the General Data Protection Regulation in mid-2018 which gives you two years to get your ducks in a row.

In mid-April, the European Parliament approved a replacement for the Data Protection Act. At the moment, the plan is to implement it some time in mid-2018. That may feel like a long way away but it's definitely worth taking a little bit of time to check what sort of changes you need to make before then, to make sure that you comply.

What do I need to know?

Here's a quick reminder of the current data protection act from the Information Commissioners Office (ICO). You should already be complying with this legislation but there's no harm running a quick audit to make sure nothing's falling through the gaps. To help companies to do this, they recently launched a self-assessment toolkit for SMEs - give it a go!

To help smooth your transition over to the new legislation before 2018, they've created a 12-step guide of how to prepare for the new General Data Protection Regulation.

It doesn't matter whether the data you hold is in digital or paper format - you should have a privacy policy that outlines how you manage the data you do hold. It's also worth checking that your workflows don't interfere with the application of your policy.

How does the Data Protection Act affect my work?

I have come across organisations who accidentally over-write their customers opt-out requests due to poor internal processes and/or training. Aside from the legal implications of this, over writing opt-outs will cost you money (sending things to people who don't want them costs you money, whether on postal charges or per recipient costs on email campaigns) and minimally it is likely to frustrate customers.

When it comes to emails, sufficiently frustrated customers may mark your emails as spam and that can contribute to you getting blacklisted. This in addition to the possbility of them taking a complaint out against you as well as making sure to tell their social circle of friends and family of your 'bad behaviour'. It's just not worth it, when you've devised your policy, check your working processes and make sure you train new staff to follow these systems when they join.

When working with clients, we insist on them publishing policy, clearly linked to in their footer and having the page up and running before we launch a website. Helpfully, the ICO have also created a code of practice about Privacy Notices to help you out when writing one.

What happens if the UK leaves the EU?

This is European legislation so should the British public decide to leave the EU it's anyone's guess whether this will still be implemented. But at the very least, this is an opportunity to check your current policy and workflows comply with existing legislation. There's also no harm in flagging the upcoming change with senior management to ensure that it's on their radar.

While we're thinking about it...

Depending on what your site does there are various other bits and pieces that you, as a company, must comply with. There's no harm checking you're up to date with the rest of these at the same time...

  • Equality Act 2010 - this is a large reason why your website should be accessible but this law also applies to the structure of booking fees (lower booking fees if you visit the box office in person have been deemed to be discriminatory to those with mobility issues)
  • Display the registered company details
  • EU Cookies Directive

For those of you selling tickets, merchandise, memberships etc... online, there's also:

  • The Consumer Protection from Unfair Trading Regulations 2008
  • The Consumer Contract (Information, Cancellation and Additional Charges) Regulations 2013
  • The Consumer Rights (Payment Surcharges) Regulations 2012
  • The Consumer Rights Act 2015
  • The Committee of Advertising Practice (CAP) Code

For more details about how these laws affect your work, have a look at this presentation from Roger Tomlinson and Jonathan Brown given at the Ticketing Professional Conference earlier this year. 

Everyone is responsible in some way. Don't be the weak link!

Got any questions? If you want to talk to us about how any of this legislation impacts your website and workflows in particular then do give us a shout and we'll do what we can to help. 

Disclaimer: none of the content of this post - or the linked presentation - constitute legal advice. We're merely taking this opportunity to remind you of the legislation that may be relevant to you so that you can follow up internally and/or with your lawyers.

Check out our latest updates about Privacy.

Get in touch about your next project!