You might have heard a lot about the The General Data Protection Regulation or ‘GDPR’ recently. These are the new rules governing how companies manage and handle personal data. It’s scheduled to be enforced on the 25th May 2018. The General Data Protection Regulation (GDPR) was introduced by the European Union and will take place regardless of the UK’s departure from the EU. It basically means that if you want to offer your products or services to customers who are EU citizens you must comply and adhere to the requirements of the GDPR.
Given that we handle a large number of web design clients, we have to take any new legislation very seriously. And you should too… You can think of the GDPR as an updated version of the DPA (Data protection act) which it replaces. Even if your business is fully compliant with the DPA, while the principles and concepts are similar, some parts of the GDPR are completely new, while other parts have been enhanced. This means there will probably be some additional measures you will need to take in order to make sure you’re fully compliant. Consequently, this could have significant implications for several areas of your business, such as budget, IT, personnel, governance and communications.
So how can you make your website GDPR compliant?
Before anything else, you should perform a personal data audit. This essentially entails you going through every inch of your website looking for where you collect data. This includes any 3rd party processes that collect data on your behalf – things like MailChimp for example. (It’s worth making notes on whether something is a local process or a 3rd party process to make it clearer for yourself when reviewing it).
For each local process you need to consider the following points:
- What are you using the data for?
- Where is it being stored?
- Do you really need the data?
For the 3rd party processes you need to review their respective policies to ensure they are GDPR compliant. I would like to think the larger suppliers would already be fully compliant but you should not assume this is the case.
Remember, you are liable for ANY data you keep and/or use, so if you don’t need it, we recommend deleting it.
Outlining what data you collect, where it’s stored, why it’s stored and what you use it for, should already be outlined and highlighted in your Privacy Policy. And the same should go for your 3rd party suppliers.
If your company is large enough, or if you handle a lot of data, this might mean you need to consider employing a Data Protection Officer – someone whose job would be to monitor internal compliance of the GDPR within the business.
This all might seem over the top, but with maximum fines for serious offences reported to be 4% of a company’s turnover or £20 million (whichever is greater), it’s also important to understand why it’s needed and the intent behind it. At it’s core, the GDPR is about protecting people like you and me, and ensuring that we can be sure our data is safe when we decide to hand it over to a business.
We can’t give legal advice (but we do know people who can), if you’d like assistance ensuring your website is fully GDPR complaint, then please do get in touch.