Before we delve into how you can make your website GDPR compliant, we should probably explain what it is. The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for people in the EU, and it follows their personal data wherever in the world it is processed. In simple terms, it is saying to businesses and organisations: "If you want to offer your products or services to people in the EU, you need to make looking after their personal data a priority".
Essentially, anyone who collects and processes personal data will need to comply with the regulation. That includes not only organisations and businesses that run websites or apps, but also those that use internal databases, CRMs or just plain old email. The GDPR is a very long document, so we've gathered some of the most important and relevant points below. We know it can be tough going, so we've added some snazzy pop-culture references throughout. Can you spot them?
The GDPR is a single set of rules that applies in every EU member state, with each member state designating a Supervisory Authority (SA) to oversee and enforce it. Because digital data so often crosses borders, the SAs cooperate with one another.
A major part of the GDPR is transparency: data subjects must be told what personal data is being collected, the exact purposes it is being used for, who is processing it and for how long it will be stored. Data controllers must also provide a contact point (the controller's contact details and, where one is appointed, the Data Protection Officer's) for questions or complaints about their processing.
Where processing relies on consent, the data subject must give it to the data controller in a way that can be proven later, and the data may then only be used for the purposes that consent covers. For example, if someone contacts you through your website with an enquiry, that does not give you permission to add them to your marketing list. For a child, verifiable consent must be given or authorised by a parent or guardian before their data can be used. And the data subject must be able to withdraw consent at any time, as easily as they gave it.
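The three consent rules above (provable, limited to a stated purpose, withdrawable) are easy to state and easy to get wrong in a web backend, usually by treating one tick box as blanket permission. The consent ledger below is an added illustration, not code from the original post or from any particular product; the purpose names, privacy-notice version, pseudonymous subject identifiers and the contact-form handler are all constructed for the example.

```python
"""Purpose-limited consent ledger (added example, not from the original post).

Each record ties one data subject to one specific purpose together with the
evidence a controller needs to prove consent later: when it was given, through
which channel, and which version of the privacy notice the subject saw.
Processing for a purpose is allowed only while an unwithdrawn record for
exactly that purpose exists. All identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    subject_id: str              # pseudonymous ID, not an email address
    purpose: str                 # e.g. "enquiry-reply", "marketing-email"
    notice_version: str          # privacy notice the subject actually saw
    channel: str                 # where consent was captured (form name, URL)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only log: withdrawal marks a record, it never deletes it."""

    def __init__(self) -> None:
        self._records: list[Consent] = []

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now or datetime.now(timezone.utc)

    def record(self, subject_id: str, purpose: str, notice_version: str,
               channel: str, *, child: bool = False,
               guardian_verified: bool = False,
               now: Optional[datetime] = None) -> Consent:
        # A child's consent only counts once a parent or guardian has verified it.
        if child and not guardian_verified:
            raise ValueError("child subject: verified guardian consent required")
        rec = Consent(subject_id, purpose, notice_version, channel, self._now(now))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """Withdraw every active consent this subject gave for `purpose`; returns how many."""
        stamp = self._now(now)
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = stamp
                count += 1
        return count

    def may_process(self, subject_id: str, purpose: str) -> bool:
        # Exact purpose match: consent to "enquiry-reply" says nothing about marketing.
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active
                   for r in self._records)

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Audit trail for one subject/purpose pair: what you could show an SA."""
        return [
            {"given_at": r.given_at.isoformat(), "channel": r.channel,
             "notice_version": r.notice_version,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records
            if r.subject_id == subject_id and r.purpose == purpose
        ]


def handle_contact_form(ledger: ConsentLedger, subject_id: str,
                        marketing_opt_in: bool,
                        notice_version: str = "privacy-notice-v3") -> dict:
    """Constructed contact-form handler: replying to the enquiry is what the
    person asked for; marketing is recorded only if they ticked a separate
    box that defaults to unticked."""
    ledger.record(subject_id, "enquiry-reply", notice_version, "contact-form")
    if marketing_opt_in:
        ledger.record(subject_id, "marketing-email", notice_version, "contact-form")
    return {p: ledger.may_process(subject_id, p)
            for p in ("enquiry-reply", "marketing-email")}


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(handle_contact_form(ledger, "subj-0001", marketing_opt_in=False))
    # {'enquiry-reply': True, 'marketing-email': False}
```

The point of `may_process` taking a purpose, rather than a boolean "has consented", is that every piece of code that sends email or shares data has to name what it is doing, so a marketing job cannot silently ride on an enquiry. Keeping withdrawn records (rather than deleting them) is what lets you prove, later, that the person was on the list lawfully until the date they opted out.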
The GDPR requires the data controller to have a process in place for handling a personal data breach. What must be done depends on the severity of the breach, but as a rule the controller has a legal obligation to report a breach to its supervisory authority within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay where the breach is likely to put them at high risk.
According to the GDPR, a data subject has the right to erasure of their data. This means that if an individual asks you to remove their information from your systems, you have to comply unless one of the regulation's limited exceptions applies (for example, a legal obligation to retain the data). That covers every copy you hold: live databases, backups, exports, references in other systems, the whole lot.
The GDPR replaces the Data Protection Directive of 1995. It was adopted on 27th April 2016 and comes into force on 25th May 2018.
The maximum sanction for non-compliance with the GDPR is 20 million euros or up to 4% of your annual worldwide turnover, whichever is greater. And yes, you read that correctly.
A personal data audit will help you identify each of your data processors. List them and mark each as 1 (first-party: processing you do yourself) or 3 (a third-party data processor) so you can track which is which. For every data processor you should ask:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
For every third-party processor, check its privacy policy and contract terms and make sure it is GDPR compliant. At the time of writing, US-based processors should be certified under the EU-US Privacy Shield (note that the Court of Justice of the EU invalidated Privacy Shield in July 2020, so a US processor now needs another transfer safeguard, such as standard contractual clauses). If a third party is not yet compliant, contact them and find out whether and when they plan to be. If they have no plans to be compliant by 25th May 2018, look for a similar but compliant provider to replace them.
As we've already said, a huge part of the GDPR is telling users how and why you are collecting their data. So be honest: be upfront and tell them exactly what you collect and why.
The weaker parts of your website should come to light during your audit. One example is a non-compliant third-party data processor, as described above. Others are email accounts without strong authentication, website traffic served over plain HTTP rather than HTTPS, and contact form submissions that a form plugin has quietly saved, in full, to your website's database. Whatever the weak links are, aim to either strengthen them or remove them completely.
Even though the GDPR may seem intimidating and over the top, remember why it has been put in place: it is about protecting people from those who prowl the internet for their data. The internet is still largely unregulated and needs more international legislation; the GDPR is one contribution to that. So remember, even if it seems over the top, the GDPR will help the internet take care of yourself, and each other.