GDPR and renegade generation

WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organisation that is subject to the Regulation treats or uses the personal data of people located in the EU . Personal data is any piece of data that, used alone or with other data, could identify a person. If an organisation collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens, they'll need to comply with the GDPR.

The GDPR will replace an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Renegade Generation site visitors and customers.

You can find more detailed information about GDPR on the ICO's website.

 

WHAT IS RENEGADE GENERATION DOING TO PREPARE?

Trust and transparency is always of vital importance here at Renegade Generation, so we consider GDPR compliance a welcome opportunity to prove our commitment to protecting the privacy and security of all who interact with us.

We are reviewing and modifying many of our internal practices and policies so you can feel safe in the knowledge that your personal data:

  • is only collected if absolutely required (with your full consent),
  • is fully secure and protected,
  • can be accessed, rectified, erased, etc in line with your individual rights.

 

The following outlines our approach, the areas we're working on, and steps we're taking:

1. Investing in the process

We have hired a dedicated GDPR compliance consultant to help us meet the new requirements (this greatly reduces the risk of us misinterpreting our responsibilities). We also have the support of our fully compliant website developer, and Renegade Generation Limited is registered with the Information Commissioner's Office (ICO) as a data controller.

2. Data audit and recording

We're conducting a comprehensive audit of all the data we currently collect and hold about individuals (e.g. name, email address, IP address, etc) and creating a map to show how data flows into, out of, and around our organisation. This enables us to complete a gap assessment, identify the lawful basis for processing personal data, and improve record-keeping requirements and procedures where necessary.

3. Data storage, processes and security review

It's critical we understand the processes and technology used to transmit, process and store your data. To further increase security we have adopted Two Factor Authentication (2FA) where possible and ensure no data is transmitted or stored without encryption.

4. Subcontractors, Partners, and Third Party Processors compliance check

We've identified all of our subcontractors, partners and 3rd party processors who come into contact with the personal data we hold, and are in the process of confirming they are all compliant. We are signing and accepting all relevant Data Processing Addendum's that have been issued by these organisations.

5. Privacy Policy update

Our Privacy Policy will be updated to reflect the new GDPR requirements and our updated processes and procedures. This will include spelling out exactly:

  • what data we collect and hold,
  • how we process it and what we use it for,
  • how we transmit and store it,
  • how long we keep it for,
  • who else has access to it (this includes third parties such as email platforms, accounting systems and project management tools),
  • how you can manage it (this includes reviewing it, updating it, deleting it, etc).

6. Cookie notice update

The way cookie permissions are dealt with on a website is changing. Before GDPR, website owners have relied on "implied consent" for cookie notices - where a bar or window is shown to the user and states that by continuing to use the site, users accept the site's Cookie Policy. This is no longer the case as now implied consent is no longer acceptable and website owners need to give users the option to decline cookies and still use the website.

We'll be updating our Cookie Policy, cookie notices and associated wording to meet the new requirements.

7. Website forms update

We want you to be clear about the personal data we collect and what we do with it, so you have all the information you need to make the choice of opting in or opting out. One way for us to do this is to include more information at the point of filling in a form, or signing up for our email newsletter. We will also provide direct links to any relevant policies so you'll have access to additional information if you'd like it.

If you sign up to receive our email newsletter (hint: you can do this in the footer below), you'll see we use MailChimp's Double Opt-In option to provide an additional level of consent. 

8. Website analytics review

Renegadegeneration.com collects data about the behaviour of our site visitors in the form of analytics (we use Squarespace Analytics and Google Analytics). A major part of our GDPR process will be spent reviewing all of the data collected by these analytics providers and identifying any areas we can 'turn off' in order to increase security and ensure we're not collecting anything we don't need.

9. In case of emergency

Like all responsible businesses, we are preparing for what to do if something goes wrong. This involves developing an information security management system (ISMS), and incident management procedure, and a data breach notification procedure.

All of the best practice policies and procedures we put in place to protect your data will go a long way to ensuring we never need to utilise our 'in case of emergency' plans, however we wouldn't be doing our job if we didn't prepare for the unexpected.

10. Training and ongoing responsibilities

Our commitment to data protection and GDPR doesn't end on May 25 when the new rules come into play. We'll be continuing to update our data maps and policies as our business grows, and communicating with you when required so you'll always have the information you need. We'll also be completing any necessary GDPR-related training and familiarisation activities as compliance requirements evolve.

One idea we've had is to develop our own GDPR Frequently Asked Questions (FAQ) list so you will be able to find answers to any questions that might arise.

 

Of course you are always welcome to contact us via our contact form if you have any questions or concerns.

Here's to GDPR and thanks for being a part of our journey,