GDPR is looming like a big confusing monster. If you haven’t already got your head around the new regulations, this is a summary of the main points with some checklist steps to help you get your website ready for GDPR.
First, some general explanation…
What is GDPR?
The General Data Protection Regulation (GDPR) is a replacement for the 1995 Data Protection Directive. It comes into force on 25th May 2018 and is designed to make the Internet a safer place for everyone by regulating how all organisations that are in the EU, or deal with the EU, hold and use personal data.
GDPR has been designed to create a greater degree of transparency as to how personal data is being used, what data is being held, by whom, for what reason, and how long for. It’s important that the subject be able to easily contact the data controller about any of the information stored about the subject.
GDPR has these key requirements:
- Privacy
- Accuracy
- Access
- Consent
- Security
- Responsibility
What rights will users have under the GDPR?
- Information
- Access
- Rectification
- Erasure
- Restrictions on processing
- Data portability
- Objection
- Revision of automated decisions or profiling
What is a data controller?
A data controller is any person or organisation that collects, stores or processes personal data, whether on a website, database, CRM, app, or simply through email.
What is a data processor?
A data processor is any organisation that processes data on behalf of a data controller.
Doesn’t Brexit mean the UK is exempt?
NO. The UK will still be a part of the EU when GDPR comes into effect. Additionally, we’ll still need to adhere to GDPR if we want to trade with members of the EU, and the government has confirmed that it will be implementing GDPR regardless of Brexit.
What are the consequences of not complying with GDPR?
In light of the above, you probably won’t want to get caught out being non-compliant with GDPR. The maximum fine is €20,000,000 or up to 4% of your annual global turnover, whichever is greater, so there’s an incentive to get your house in order!
I don’t process personal data, but I use third party systems that do.
It will be your responsibility to ensure that any third party applications or web services that process personal data on your behalf are compliant with GDPR.
Privacy By Design
Privacy should be a core part of the design process of websites, applications and storage systems. A user’s privacy should be paramount and set to the highest levels by default – a user can always opt to downgrade their security options if they prefer. Additionally, data should only be stored and processed when necessary.
What is Pseudonymisation?
This refers to anonymisation of data that you hold so that it is not obviously linked to any particular individual. This may mean the removal of the name fields from a database table, or splitting data between tables so that the name is not in the same table as the corresponding data. This reduces the risk of a data breach compromising an individual’s personal information. This process has yet to be implemented in mainstream database-backed applications, but there will likely be a change of architecture in the future as corporations try to catch up with regulations. There is a degree of interpretation required with pseudonymisation, as this part of the regulation is the most ambiguous.
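The split-table layout described above, as an added example (not code from the original article): identifying fields and the data about a person sit in separate tables linked only by a random pseudonym, so whoever holds just the data table cannot name anyone. It also shows what an erasure request looks like in this layout. The schema and sample values are constructed for illustration, and the assumption is that in production the identities table would live in a separate, more tightly controlled store rather than the same database.

```python
import secrets
import sqlite3

# Constructed schema: "identities" names people, "purchases" holds the data about
# them, and the only link between the two is an unguessable random pseudonym.
SCHEMA = """
CREATE TABLE identities (
    pseudonym TEXT PRIMARY KEY,
    full_name TEXT NOT NULL,
    email     TEXT NOT NULL
);
CREATE TABLE purchases (
    pseudonym TEXT NOT NULL,
    item      TEXT NOT NULL,
    amount    REAL NOT NULL
);
"""

def open_store():
    conn = sqlite3.connect(":memory:")  # assumption: one in-memory DB for the demo
    conn.executescript(SCHEMA)
    return conn

def register(conn, full_name, email):
    """Issue a random pseudonym and keep the name/email mapping apart from the data."""
    pseudonym = secrets.token_hex(16)
    conn.execute("INSERT INTO identities VALUES (?, ?, ?)", (pseudonym, full_name, email))
    return pseudonym

def record_purchase(conn, pseudonym, item, amount):
    conn.execute("INSERT INTO purchases VALUES (?, ?, ?)", (pseudonym, item, amount))

def purchases_columns(conn):
    """What a reader of the purchases table alone can see: no identifying fields."""
    return [row[1] for row in conn.execute("PRAGMA table_info(purchases)")]

def total_spent(conn, pseudonym):
    """Processing still works on the pseudonymised table without touching identities."""
    sql = "SELECT COALESCE(SUM(amount), 0) FROM purchases WHERE pseudonym = ?"
    return conn.execute(sql, (pseudonym,)).fetchone()[0]

def reidentify(conn, pseudonym):
    """Only a holder of the identities table can turn a pseudonym back into a name."""
    row = conn.execute("SELECT full_name FROM identities WHERE pseudonym = ?", (pseudonym,)).fetchone()
    return row[0] if row else None

def erase_subject(conn, pseudonym):
    """Erasure request: drop the mapping row; the remaining purchase rows point at nobody."""
    conn.execute("DELETE FROM identities WHERE pseudonym = ?", (pseudonym,))
```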
9 Steps you can take to make your website GDPR compliant
1. Learn about GDPR
It’s probably fair to say that something as important as this, with the possibility of such hefty consequences for not adhering to it, should necessitate you doing a little research. This guide is intended as a quick summary of how to make your website compliant, but it’s a better idea to read more in-depth guides, such as this one by the ICO.
2. Create Awareness
If you have employees, it’s important that everyone in your company is aware of the GDPR.
3. Review your currently stored information
If you currently store personal information, you may be required to audit it for details such as where it came from, what consent was given, how it is stored, and who it is shared with.
4. Review Your Privacy Policies
You may need to alter your website’s privacy policy to include more transparency regarding how you store data, for how long, for what purpose and what steps you take to safeguard that data. You’ll also need to provide contact details and make clear ways in which your data subjects can contact you to request removal, or amendment of stored data. Check out this sample website privacy notice to get a clearer idea of what it should contain – but don’t just copy and paste this – a privacy policy should be tailored to your business. It’s also a good idea to have a privacy notice that you can include within a form as a scrollable text box or pop-up modal window, which is concise and clear.
5. Review Customer Consent
Look at how you’re currently gaining consent from your website users and evaluate whether it is clear enough. Consent should be separated out for different purposes, so your email newsletter should gain a separate consent from your terms and conditions. If you use multiple communication methods, you should also provide granular control over which methods a customer consents to being contacted by. Check boxes should be opt-in rather than opt-out. Also look at whether it may be necessary to re-obtain consent from certain customers or users if consent records are absent or not clear or comprehensive enough.
6. Keep Consent Records
Under the GDPR, you must be able to prove that you obtained consent for your data collection methods, so you’ll need to be able to store form submissions that declare unambiguously that consent was provided, and for each separate purpose.
7. Ability to Withdraw Consent
Under GDPR, data subjects have the right to withdraw their consent at any time, and must be made aware of this. You must make it easy to contact you to withdraw consent. If someone asks you to remove their information from your systems, you must comply, removing everything that could identify the individual within your systems.
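Steps 5 to 7 together describe one record-keeping structure: separate opt-in consent per purpose, an audit trail that proves when and under which notice consent was given, and a way to record withdrawal. The following is an added example of that structure (not code from the original article); the purpose names, notice version and form sources are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed purposes: each needs its own tick box and its own consent record.
PURPOSES = ("terms", "newsletter_email", "newsletter_sms")


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool        # True for an opt-in, False for a withdrawal
    at: datetime
    notice_version: str  # which privacy-notice text the subject was shown
    source: str          # where it happened, e.g. "signup-form" or "unsubscribe-link"


@dataclass
class ConsentLedger:
    """Append-only history of consent decisions for one data subject."""
    subject_id: str
    events: list = field(default_factory=list)

    def record_form(self, ticked, notice_version, source):
        """Store a form submission. Boxes left unticked create no consent (opt-in only)."""
        unknown = set(ticked) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        for purpose in ticked:
            self.events.append(ConsentEvent(purpose, True, now, notice_version, source))

    def withdraw(self, purpose, source):
        """Withdrawal is a new event; the original evidence is never deleted."""
        self.events.append(ConsentEvent(purpose, False, datetime.now(timezone.utc), "", source))

    def has_consent(self, purpose):
        """The latest recorded decision wins; a purpose with no record has no consent."""
        for event in reversed(self.events):
            if event.purpose == purpose:
                return event.granted
        return False

    def evidence(self, purpose):
        """The proof trail for one purpose, oldest first, for an audit or access request."""
        return [event for event in self.events if event.purpose == purpose]
```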
8. Put in place data breach procedures
As a data controller, you will have the responsibility to declare a data breach to the relevant authorities if one occurs. Whether a breach must be reported depends on whether the data that was breached can be linked to identifiable individuals.
9. Assign a Data Protection Officer
A Data Protection Officer is an appointed person within your organisation whose responsibility it is to ensure internal compliance with GDPR. A DPO is required for public organisations and for any organisation that processes personal information on a large scale.