General Data Protection Regulation – or GDPR – will be one of the biggest things to hit businesses in 2018, with legislation to be enforced on 25th May that poses potentially crippling fines for organisations that fail to comply.
The maximum penalty for flouting the rules is €20 million or 4% of annual global turnover, whichever is higher, which would certainly be enough to close down many businesses. To avoid these steep ramifications, preparation is key, starting with your website.
Consent is a key part of GDPR legislation and it is important for any website that collects personal data, for whatever reason, to have a lawful basis for each use it makes of that data. Processing that is needed to complete an order rests on the contract with the customer, but anything beyond that, such as marketing, is a separate purpose that needs its own basis, and in practice that usually means specific consent. Visitors to your website must understand exactly how you are planning on using their data and must agree to each specific purpose. That means if you have someone's email address because they have placed an order with you, you are only allowed to market to them if they have agreed to this.
Take the example of a recruitment firm; if a candidate has provided their details when applying for a role, you are not allowed to use this information to approach them with other opportunities unless you have obtained their explicit permission to do so. It's likely that your website will need updating to reflect these changes, starting with forms and cookies: consent tick-boxes must be unticked by default and offered per purpose, because a pre-ticked box or a consent bundled into the terms and conditions does not count.
Similarly, privacy notices may require rewriting in line with GDPR rules. They must be simple to understand and free of jargon, and they must state what is collected, why, for how long it is kept and who it is shared with. It is worth asking your web developer to carry out an audit of cookies, listing every cookie the site sets, who sets it (your own domain or a third party such as an analytics or advertising provider), how long it persists and what it is for, and ensure that all notices match what the site actually does.
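The cookie audit mentioned above can be started from the Set-Cookie headers a site returns. The following is an added example, not code from the article: it parses captured Set-Cookie values, classifies each cookie as first- or third-party relative to the audited site, works out whether it is a session cookie or persists (and for how long), and flags the points a privacy notice and consent banner have to account for. The site host, the three header values and the fixed reference time are all constructed for the example, and the issue wording and the "only session cookies need HttpOnly" heuristic are assumptions of this script, not GDPR text.

```python
"""Audit cookies set by a site from captured Set-Cookie headers.

Added example, not code from the original article. The header values below
are constructed, as are the site host and the fixed reference time.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Issue labels returned by the audit (assumed wording, chosen for this example).
THIRD_PARTY = "third-party cookie: needs consent before it is set"
NO_SECURE = "no Secure attribute: also sent over plain HTTP"
NO_HTTPONLY = "session cookie without HttpOnly: readable by page scripts"
NO_SAMESITE = "no SameSite attribute: sent on cross-site requests"
LONG_LIFETIME = "lifetime over a year: check retention justification"


@dataclass
class CookieFinding:
    name: str
    domain: str
    third_party: bool
    persistent: bool
    lifetime_days: Optional[float]
    issues: List[str] = field(default_factory=list)


def _in_site(domain: str, site_host: str) -> bool:
    """True when the cookie domain is the audited site or one of its subdomains."""
    return domain == site_host or domain.endswith("." + site_host)


def parse_set_cookie(header: str, response_host: str, site_host: str,
                     now: datetime) -> CookieFinding:
    """Parse one Set-Cookie header value and flag GDPR-relevant points."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}   # key=value attributes (Domain, Path, Max-Age, Expires, SameSite)
    flags = set()  # bare attributes (Secure, HttpOnly)
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(key.strip().lower())
    # No Domain attribute means the cookie is scoped to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    # Lifetime: Max-Age takes precedence over Expires (RFC 6265); neither means
    # a session cookie that is discarded when the browser closes.
    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    finding = CookieFinding(name=name, domain=domain,
                            third_party=not _in_site(domain, site_host),
                            persistent=lifetime is not None,
                            lifetime_days=lifetime)
    if finding.third_party:
        finding.issues.append(THIRD_PARTY)
    if "secure" not in flags:
        finding.issues.append(NO_SECURE)
    # Heuristic (assumption): session cookies are the ones likely to carry a login.
    if not finding.persistent and "httponly" not in flags:
        finding.issues.append(NO_HTTPONLY)
    if "samesite" not in attrs:
        finding.issues.append(NO_SAMESITE)
    if lifetime is not None and lifetime > 365:
        finding.issues.append(LONG_LIFETIME)
    return finding


def audit(headers: List[str], response_host: str, site_host: str,
          now: datetime) -> List[CookieFinding]:
    """Run parse_set_cookie over every captured header, preserving order."""
    return [parse_set_cookie(h, response_host, site_host, now) for h in headers]


# Constructed sample: three Set-Cookie headers as a browser might receive them
# from https://www.example.com (assumed host for the example).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.123456; Domain=.example.com; Path=/; Max-Age=63072000",
    "tracker=xyz; Domain=.ads.example.net; Path=/; "
    "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
]
NOW = datetime(2025, 10, 21, 7, 28, 0, tzinfo=timezone.utc)  # fixed reference time

if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS, "www.example.com", "example.com", NOW):
        kind = "third-party" if f.third_party else "first-party"
        life = "session" if not f.persistent else f"{f.lifetime_days:.0f} days"
        print(f"{f.name:<10} {kind:<12} {life:<10} {'; '.join(f.issues) or 'ok'}")
```

Run against a real site, the headers would be collected from the browser's network panel or a proxy for every page, not just the homepage, since a third-party cookie set only on the checkout page is still a cookie the notice has to cover. The third-party classification here is purely by domain; whether a first-party cookie is strictly necessary or used for tracking still has to be decided by reading what it is for.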
Access to data
A key part of GDPR is being aware of who has access to personal data that is logged and stored on your website in the content management system. The first step to compliance is to understand exactly who these people are and compile a list, including shared or generic administrator logins and the accounts of former staff and contractors. You should then examine the list and ask whether all those people genuinely require access to this data for their role. If the answer is no, their access should be revoked and measures must be implemented to control future access: grant the lowest level of access each role needs, repeat the review on a regular schedule, and keep a log of who accessed what so that you can answer that question if a breach is ever suspected.
There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary. Decide a retention period for each kind of record, delete on schedule rather than on request, and remember that copies in exports, log files and backups count as well.
Business owners should also audit any external agencies they use that might have access to their data to check their procedures are compliant. As the controller, you are ultimately responsible for this, even if you have outsourced elements of the process, so keep a register of measures you have taken to ensure everybody is acting in line with GDPR regulations. GDPR requires a written contract with each processor setting out what they may do with the data, and agencies should be able to explain clearly what measures they have taken to keep the data you provide them with secure.
Finally, any data that is submitted to your website should be encrypted on its way to you. GDPR does not name a specific technology, but it lists encryption among the appropriate security measures it expects, and it is the obvious place to start. Serving the whole site over HTTPS, which requires a TLS certificate (still commonly called an SSL certificate), encrypts the connection between the visitor's browser and your server so that nobody on the path can read or tamper with form submissions or session cookies; your website developer should be able to set this up. Note what it does not do: it protects data in transit only, so once a submission is stored in your database or backups it needs its own protection.
You can check whether you have a certificate already by looking for the padlock symbol in the address bar of your browser when you visit your site's homepage, but do not stop there. Check every page that carries a form, check that the plain http:// address of the site redirects to https:// rather than serving content, and check that no page pulls in scripts or images over plain HTTP, as that removes the padlock and the protection with it. If the padlock is missing on any page then it is important to speak to your web developer to rectify this.
The above is by no means an exhaustive list, but completing these actions will set you off on the right foot for becoming GDPR compliant in 2018.