Will the General Data Protection Regulation apply to you?
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR, so you need to be prepared. As an EU regulation the GDPR applies directly in the UK without needing further domestic legislation, and it will be enforced from that date.
The GDPR will effectively replace the current Data Protection Act 1998 (DPA) in the UK. Its aim is to harmonise the rules for the protection and privacy of personal data across the EU, so that companies operating in several member states can move information across borders within their business, while at the same time making it clearer to individuals what companies may do with the data they hold about them and giving them more control over it.
Many small marketplace traders need not be overly concerned about the implications of the GDPR, but you still need to be aware of its reach and ensure you comply where necessary: fines can be up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.
The full impact of the GDPR applies if you are a data controller and/or data processor, that is, if you collect, store or otherwise process information about your customers yourself. If you purely trade on marketplaces and take payment through services such as PayPal, the impact of the GDPR may be minimal for you: it will largely be down to the marketplace and payment provider to keep the customer’s data safe and secure. However, if you download your customer data (for example an order export containing names and delivery addresses) and store it on your local hard drive or on a web server, then the GDPR definitely applies to you. You are then responsible for that copy, including keeping it secure and not retaining it for longer than you need it.
The same applies if you have your own website. If the site is a hosted service (e.g. Wix, Create.net, ekm etc.), you won’t be storing customer data yourself. But again, as soon as you download your customer data you need to take a lot more notice of the GDPR.
Ultimately you should familiarise yourself with the GDPR requirements which, although similar to those of the DPA, classify more identifiers as ‘personal data’. Under the GDPR even an online identifier such as an IP address can count as personal data.
If you’re unsure how to proceed, the Information Commissioner’s Office (ICO) has a data protection self-assessment survey to help you get ready for the GDPR.