A new set of rules and regulations came into effect in May 2018. They are designed to help protect your privacy and to control who has access to your personal information.
Today we are talking more about those rules.
Before you groan and close down the browser, please bear this in mind:
These rules are here for your protection.
You now have more rights available to help you control access to your data.
This is a good thing.
So, today, let’s look at some of these new rules, what they mean for you, and what I have done/will be doing to make sure your information is safe.
- Your rights under the new regulations
- Information on the data I collect when you visit my websites
- Information on the data I have access to through other websites
- Information on the data I hold when we are working together
- How long will I keep information about you?
- Where is your information kept?
- How is it kept secure?
- Information about Paypal
- A disclaimer
The General Data Protection Regulations (GDPR) are the EU-wide rules that came into effect on 25 May 2018.
As an individual, if you’re dealing with a business, website, or organisation within the EU then these regulations protect you.
Not only that, if you’re dealing with a non-EU business or website but you are an EU citizen, then these regulations still protect you.
As an individual, you have new or improved rights, when it comes to your personal information:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed
You need to be told about who is collecting your personal data, why they are doing it, what they will do with it, who it will be shared with, and for how long it will be kept.
You must be told this at the point your data is collected.
There is additional information further down this article about what sorts of things I collect via this website.
If you choose to do business with me, I will let you know about the information I will be collecting in order for us to carry out that business contract.
The right of access
You have to be allowed access to your personal data so that you are aware of what is held by any business or organisation, and so you can verify the lawfulness of the processing.
This has to be provided free-of-charge, within one month of you requesting it.
If you want to know what data I hold about you, please email me at email@example.com, requesting a report on your personal data. Alternative contact options are available here.
The right to rectification
If any of the personal data I hold about you is wrong, or is incomplete, you have the right to ask for this to be corrected.
Generally, this should be corrected free-of-charge, within one month of you requesting it.
If you think I have any of your details wrong and you need them to be corrected, please email me at firstname.lastname@example.org. Alternative contact options are available here.
The right to erasure
All EU individuals are now provided with access to 80s synthpop duo Andy Bell and Vince Clarke.
Or… if you would like the more prosaic version, you now have the right to have your personal data removed (erased). This is also known as “The right to be forgotten”.
In reality, businesses may refuse to delete your data if there is a valid reason for keeping it. For example, I need to keep certain records for up to 7 years in order to meet my tax reporting requirements. As such, I cannot delete it, even if you ask me to. You still have the right to make this request, of course, and businesses must comply if there is no reason for them to keep your personal data any longer.
If you would like to make a request to have your personal data deleted, please email me at email@example.com. Alternative contact options are available here.
The right to restrict processing
This is an alternative to erasing your data. You can request that a business retains your personal data but stops processing it.
“Processing” means whatever it is that the business does with your data. This will vary from business to business, and should have been laid out clearly for you under your right to be informed about why your personal data is being held and how a business plans to use it.
Restrictions are usually put in place for a temporary period.
If you would like to make a request to have your personal data restricted, please email me at firstname.lastname@example.org. Alternative contact options are available here.
The right to data portability
This one doesn’t really apply to me or my services.
It does apply where you have given a business or organisation your permission for them to process your information and they do this in an automated way. This right allows you to request that all your personal data be downloaded so that you can give it to another organisation. Or, if it’s technically possible, for that data to be transferred straight to the other organisation.
This could apply, perhaps, if you were switching mobile phone providers and you wanted all your data downloaded so it could be passed to your new phone provider.
The right to object
Even after you have given your permission for a business or organisation to start collecting and using your personal data, you still have the right to object at any time.
This is particularly relevant when it comes to direct marketing. If you have given your permission for a business to contact you with marketing material, you can object to this at any time in the future. That business must comply with your request straight away.
If you are in receipt of marketing material from me and would like to be removed from my mailing lists, please email me at email@example.com. Alternative contact options are available here.
Automated decision making
This one doesn’t really apply to me or my services.
It applies where a business is making automated decisions about you (approving or declining something, for example) or is using the data it holds about you to profile you in some way.
Data I hold because you visited my website
By visiting my website you are potentially allowing certain personal information to be collected. This is true of most websites you visit.
Cookies consist of portions of code installed in your browser to help make the website work and to provide services. All websites are required to warn you about these when you first visit and you have the option to not allow cookies to be stored on your computer.
Like many websites, I use Google Analytics in order to monitor and analyse the visitors that come to my website. This helps me to work out which sections of the site people are responding to and which bits they don’t like.
I am not allowed to provide any personal information about you to Google as part of this service.
Under the new GDPR rules, the definition of personal information has been expanded to also include your IP address (the internet address of your computer). To make sure this information is not collected, my websites automatically alter the information they collect to make your IP address anonymous. Therefore, you can be reassured that no personal information about you is collected or passed to Google as part of the analytics I run on my websites.
Other websites should also be taking these precautions if they are using Google Analytics. You are also able to install a Google tool that stops Google Analytics working on any website you visit.
Other tools on my website
In order to give you a better experience when using my website, I have various tools installed. For example, if you want to leave a comment under a blog post then there is a facility to do that. Please be aware that these tools often collect personal information about you. In the example of a comment, your name and possibly your WordPress.com username (if applicable) will be collected and both stored by my website and displayed to other users.
Data I have access to through other websites
I do not control the data that is entered into or collected through other websites.
Where I am given this information, I am required to keep it safe and secure and to use it in accordance with the GDPR rules. I am also only allowed to use your personal information to carry out that particular transaction. This means that I cannot take your address and use it to send you marketing material about me and my products. I can only use it to send you the print that you have ordered.
Data I hold because we are working together
If I am working on something with you or for you, then I will collect and hold some information about you.
This is to allow me to complete the work for you, and to allow me to meet my obligations as far as holding appropriate business records.
As a minimum I will record your name and email address so that we can communicate about this order. In most cases, I will also record your address information, so that I can correctly identify which country you live in and so that I can post any physical items to you (where appropriate).
This information is gathered using the “lawful basis for processing contracts”. This means that you have asked me to provide a quote for work or we have entered into an agreement for me to do work for you, and I need this information in order to fulfil that agreement.
It also means that I will only use your information in order to fulfil that agreement. I will not use your information for other purposes, such as signing you up to a mailing list.
How long will I keep information about you?
In most cases, I will keep hold of your information for six years after the end of the current tax year. This is so that I can meet my obligations here in the UK for holding business records for tax purposes. After that time, your information will be removed.
Where is your information kept?
This section was updated in December 2020 as the UK leaves the European Union. It also reflects the invalidation of the EU-US Privacy Shield.
In most cases, you have to give explicit consent before your personal information can be transferred outside of the EEA. From 2021, the UK is outside of the EEA. If you are in the EEA, please bear that in mind if you choose to send me your personal data.
Most of my records are held within the UK and will not be transferred outside of the UK, with the exception of my email records and invoices.
- My websites are hosted by a company called Kualo using servers located within the UK
- My own records are held on a computer and backup drive physically located within the UK
- They are also backed up to an online cloud service supplied by Amazon Web Services that is located within the UK
- My email records are held within Gmail, which does transfer and store information outside of the UK (see below)
- I have stopped using Mailchimp to send my newsletters as they are located outside of the EEA – all my subscriber data has been deleted from their systems
- I use Paypal to process my invoices and to collect payments – Paypal’s systems are located outside the UK – Please see the section below for more information about Paypal and your data
It is possible to pass information out of the EEA where appropriate permissions have been given and precautions are in place. Google’s G Suite, which includes the Gmail email service I use, used to be certified under the EU-US Privacy Shield framework as meeting specific safeguarding requirements. The EU had stated that data can only be transferred to the US (without needing to obtain your explicit consent) when the receiving company is certified under the Privacy Shield framework.
However, the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union and it is no longer possible to rely on the framework when transferring data outside of the UK (or EEA).
“The reasoning behind this decision is that the current level of protection given to personal data under US law cannot be considered to be equivalent to that provided by the GDPR. This is largely due to US surveillance programs and the lack of an adequate remedy for EU users.”
Instead, Google have moved to rely on Standard Contractual Clauses with their users – an alternative provision for allowing transfers outside of the EEA – and this is what I am relying on when using the G Suite email system (and, consequently, when your email data is transferred to Google’s overseas servers).
With that being said, please still think carefully about what information you are including when you email me, as email is not a secure form of communication.
How is it kept secure?
- My website data is secured using passwords and both sites are protected by Wordfence monitoring and safeguards
- My website hosting company employ a range of protection measures to prevent attacks on my websites
- You can read more about other web security measures in this blog post
- My own records (including the physical and online backups) are encrypted and password protected
- My computer system and network are protected by the usual firewalls and virus protection software
- My email records are protected by 2-factor authentication, as well as Google’s built-in protections and encryption
- Paper copies of any records are held in a locked file
In order to prepare an invoice for you, I need to add your name and contact information into Paypal. Because Paypal’s servers are located around the world, any information entered into Paypal may be transferred outside of the EEA. Because of this, I need your explicit consent before I provide your information to Paypal so that an invoice can be prepared.
You will need to confirm to me that you are happy for me to provide your name and email information to Paypal for the purposes of preparing an invoice. Or, if not, please let me know so that we can discuss alternative payment options.
These new rules are here to help.
Yes, there’s a lot to take in. But you should be reassured that businesses and organisations – like mine – are required to take steps to comply with these new rules. If we don’t, there are significant punishments that can be handed out.
Make sure you understand your new rights and use them when necessary. And if you have any questions about what I’m doing with your data, please get in touch via firstname.lastname@example.org.
I am not a regulatory compliance expert. The information in this post is my understanding of the new regulations based on the preparatory work I have done to make sure my business is ready for GDPR. If you are a business, please make sure you carry out your own research and preparations. If you are an individual and would like to know more about your rights, I recommend visiting the Information Commissioner’s Office website.