Is Your Website GDPR Compliant?
22 February 2018
How to get your website GDPR compliant, ready for the General Data Protection Regulation
With the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, it’s important you know how to make your website GDPR Compliant. This new law is designed to offer individuals greater protection in respect of their personal data whether as an employee, a customer, a supplier or a potential client.
The new law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply. GDPR becomes the global standard for data protection.
What’s changed under GDPR?
Under GDPR people will have new rights to access any data which companies hold about them. Companies must obtain consent from people for the data they collect and there will be a new level of fines for breaching the regulations. Greater accountability will be required for the processing of data.
What is Personal Data?
Any data that can be used to identify a living person directly or indirectly is classed as personal data.
- Email address
- Social security number
- Location data
- IP address
Under the new law, not all data is equal. Some types of data are considered to be more sensitive than others and require more careful handling.
What Is Sensitive Personal Data?
Sensitive personal data includes details like:
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
An individual's rights under GDPR
A big part of GDPR is making the data collected by companies/organisations more accessible to the subjects it has been collected from. As explained by the ICO, data subjects will have the following rights concerning their personal data:
- Restrictions on processing
- Data portability
- Revision of automated decisions or profiling
Things you’ll need to consider:
- What data do you hold?
- What do you do with it?
- Who has access to it?
- How long do you keep it for?
- Do you have consent to hold it?
- Do you record the decisions you make in respect of it?
- Do you have a clear process to remove and destroy unnecessary data?
You now need to take responsibility for your data and begin to include privacy in your systems and processes. To ensure you are fully compliant, it will be important to raise staff awareness across your business and educate them on the importance of handling personal data properly when collecting, processing and storing it.
The GDPR refers a lot to data processing. This simply refers to any operation that is performed on personal data – collection, storage, amendment, deletion etc.
Your clients will need to be confident that you can be trusted with their data and personal details.
What not to do:
- Don’t take on data you don’t need
- Don’t keep it longer than you need it
- Don’t use it for purposes other than those the owner has given their explicit consent to
Get your policies in place
GDPR will mean you’ll need to have clear statements and policies in place with regards to data processing within your business or organisation.
Examples of GDPR best practice
If you are using forms on your website then you need to request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. They must also stand alone from other matters or requests and not be buried in other text. It will no longer be acceptable to use pre-populated check boxes.
Here is an example of a GDPR compliant form’s explicit consent field.
You also need to provide users with a way to withdraw consent and purge personal data collected on them; i.e. the ‘Right to Be Forgotten’. The easiest way to do this is to have a dedicated email (firstname.lastname@example.org, for example) for them to get in contact with you.
You’ll need to appoint a Data Protection Officer for your business whose job it is to manage these requests alongside other GDPR related admin.
It is also a requirement of GDPR that you verify requests to remove or edit data via email. The easiest way to manage this is to ask your customers/users to send their email to you using the email account that they subscribed/enquired with so you can verify their identity and right to edit the data you hold.
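The consent and withdrawal handling described above, written out as an added example that is not part of the original post and not the code of any particular product: the consent checkbox is rendered unchecked and stands alone from other fields, the server only stores a record when the box was actively ticked, each record notes when consent was given and which wording it was given to, and an erasure request is honoured only when the sender address matches the address on record. The policy version string, the in-memory store, the form fields and the sample addresses are all constructed for illustration.

```javascript
// Added example (not from the original post): minimal consent capture and
// erasure-request handling for a website enquiry form. All names, data and
// the policy version below are constructed for illustration.

const CONSENT_TEXT_VERSION = "2018-02-privacy-notice-v1"; // hypothetical version label

// Renders the consent field. The box is never pre-checked and the request
// for consent is its own labelled element, separate from the other fields,
// so the field only appears in a submission if the visitor ticked it.
function renderConsentField() {
  return [
    '<div class="consent">',
    '  <input type="checkbox" id="consent" name="consent" value="yes">',
    '  <label for="consent">I agree to you storing my email address so you can reply to my enquiry. You can withdraw this at any time.</label>',
    '</div>',
  ].join("\n");
}

// In-memory store standing in for a database (constructed for the example).
const records = new Map();

// Validates a form submission. A record is stored only when the consent
// field arrived with the submission, i.e. the visitor ticked the box.
// Returns the stored record or throws.
function recordSubmission(form, now = new Date()) {
  const email = String(form.email || "").trim().toLowerCase();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    throw new Error("invalid email address");
  }
  if (form.consent !== "yes") {
    throw new Error("explicit consent not given");
  }
  const record = {
    email,
    consentGivenAt: now.toISOString(),   // when consent was given
    consentTextVersion: CONSENT_TEXT_VERSION, // which wording they agreed to
    purpose: "reply to enquiry",         // what the data may be used for
  };
  records.set(email, record);
  return record;
}

// Handles a withdrawal / "right to be forgotten" request that arrived by
// email. It is honoured only when the sending address matches the address
// held on record, which is the verification step the post recommends.
function processErasureRequest(senderEmail, subjectEmail) {
  const from = String(senderEmail).trim().toLowerCase();
  const subject = String(subjectEmail).trim().toLowerCase();
  if (from !== subject) {
    return { erased: false, reason: "sender does not match address on record" };
  }
  if (!records.has(subject)) {
    return { erased: false, reason: "no record held for this address" };
  }
  records.delete(subject);
  return { erased: true };
}

// Lets a subject (or an auditor) check whether any record is still held.
function holdsRecord(email) {
  return records.has(String(email).trim().toLowerCase());
}

module.exports = { renderConsentField, recordSubmission, processErasureRequest, holdsRecord };
```

A real site would persist the records and log each erasure decision, but the shape is the same: the submission is rejected unless the consent field is present, the record carries the timestamp and wording version needed to answer "do you have consent to hold it?", and the erasure path refuses a request from any address other than the one that subscribed.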
GDPR doesn’t need to be scary. It is designed to protect all parties involved. As long as you have clear policies in place with regards to the data you collect and hold, then you should be covered.
Please note: This post is a commentary on general principles and should not be interpreted as advice for your specific situation.