Terminology and roles
GDPR defines a number of roles which determine responsibility and the rules for handling personal data:
- Data controller – a Newenglish Design client who is the operator/owner of any website or application that Newenglish Design has developed, hosts and/or supports
- Data processor (or data sub-processor) – Newenglish Design, as we process personal data on the controller's behalf when providing our services
Responsibility and obligations
All Newenglish Design clients are responsible for their own adherence to GDPR. It is not the responsibility of Newenglish Design to enforce or implement any rules or changes for data controllers (i.e. our clients).
Newenglish Design, as data processor, shall provide sufficient technical and organisational measures to meet the GDPR requirements for data processors. This is to ensure that any handling of data on our clients' behalf is confidential, secure and responsible. We may disclose data to service providers (sub-processors) who render services to us or our clients, all of which are contractually obliged to act only on our instructions and in accordance with applicable laws, including GDPR.
Website & application changes to become GDPR-compliant
GDPR is law in the UK and all EU countries, and its reach extends beyond them: organisations outside the UK and EU which offer goods or services to, or monitor the behaviour of, individuals in the UK and EU are also required to comply.
As such, any website, application or software developed prior to GDPR coming into effect on 25th May 2018 may require further changes to ensure compliance with the regulation as it specifically applies to each client.
These changes may be subject to additional investigation and development charges, as advised by Newenglish Design on a case-by-case basis, because the rules and the nature of each website/application/software are diverse.
Review and change process
The extent of changes required will depend on several factors:
- The type of data captured and stored by your website/application/software (i.e. is it personally identifiable, is it sensitive/special category data)
- The intended usage for that data (e.g. order processing, marketing, promotions)
- How the data is captured (e.g. online enquiry form, user registration)
- The length of time the data is stored and the legal basis for storing it (e.g. stored for 6 years for HMRC invoice and tax purposes)
We advise the following:
- Client should initially involve their Data Protection Officer (if appointed/applicable)
- Client should review and formalise their own GDPR policy wording and make key decisions on the above factors, such as data capture methods, intended usage, retention period and security. Existing processes may need to be reviewed and revised in line with GDPR
- Client to make their policy available via their website, email signature and other communication forms
- Newenglish Design to review the website/application/software to determine what areas contravene the agreed GDPR policy
- Newenglish Design to recommend technically feasible solutions to ensure GDPR-compliance
- Newenglish Design to estimate costs for implementation where applicable
- Client to instruct Newenglish Design to proceed
Data Subject Rights
GDPR includes several data subject rights which data controllers are obliged to respect, and requests must normally be fulfilled within one month of receipt.
In the first instance, it is the responsibility of the data controller to respond to all requests and to fulfil them where possible via the content management system (CMS) or administration area.
As a service provider (data processor), Newenglish Design may be required to intervene manually to carry out tasks that are not available through the existing CMS/administration area. Manual requests will be carried out free of charge for clients who are covered by a support & maintenance agreement; otherwise, requests will be chargeable at our standard agreed hourly rate.
The data subject rights that Newenglish Design can manually assist with are as follows:
- The right of access – a copy of the individual's data, typically provided as a comma separated file (CSV)
- The right to rectification – correction of any errors, mistakes or inaccuracies in the data
- The right to erasure – removal of the individual's data, including audit records
Retention & backups
Newenglish Design, as data processor, retains backups for 3 months for the purpose of restoring data in a disaster recovery scenario. These backups are stored securely and are accessible only via an encrypted platform. Note that data erased from a live system at a data subject's request will remain in existing backups until those backups expire at the end of the 3-month retention period.
Newenglish Design, as data processor, will comply with the GDPR requirements surrounding personal data breaches. In particular, we will notify affected clients (data controllers) without undue delay after becoming aware of a breach, so that the client can meet its own obligation to notify the supervisory authority (the ICO in the UK) within 72 hours where required. Further details can be found here.
Newenglish Design recommend that all websites/applications are served only over a secure https:// connection, with plain http:// requests redirected to https://, so that data is encrypted in transit.
Encryption of specific data at rest is implemented on a case-by-case basis, according to the sensitivity of the data and any specific requirements or instructions from the client (data controller).