You – the Data Controller
In a nutshell, GDPR is all about consent and looking after the data of individual customers (the Data Subjects) appropriately. As a website owner (and therefore the Data Controller), you will have the following obligations:
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get clear consent before collecting any user data, for every purpose that you intend to use it for (i.e. someone agreeing to send an enquiry does not automatically mean they will want to be added to your marketing list).
- Let users access their data and take it with them if they choose.
- Let users delete their data if they wish.
- Let the affected users and the Information Commissioner's Office (ICO) know if data breaches occur.
Failing to comply with the new GDPR legislation can lead to fines of up to €20m or 4% of global annual turnover.
Crucially, this applies to all data records, including historic data collected on the website prior to the new regulations coming into force in May 2018.