Before we delve into how you can make your website GDPR compliant, we should probably explain it. The General Data Protection Regulation (GDPR) is a new EU regulation that is ultimately aimed at helping to strengthen data protection for EU citizens and residents both within the EU and the rest of the world. In simple terms, it’s shouting to businesses and organizations, “If you wish to cater your products or services to customers who are citizens in the EU, you need to make it a priority to look after their data.”
Necessarily, anyone who collects and processes personal data will need to comply with the new regulations. In addition to organizations and businesses that run websites or apps, those who use internal databases, CRMs, or even plain old email will need to comply. Overall, the GDPR is an extensive document, though we’ve gathered some of the most important and relevant points below. Plus, we know it can sometimes be tough going, and so we’ve added some excellent pop-culture references throughout. Can you spot them?
ONE DATA PROTECTION REGULATION TO RULE THEM ALL
The GDPR is a set of rules which applies to all EU member states, with each member designating a Supervisory Authority (SA) to oversee and ensure compliance with the legislation. SAs will work together because of the cross-border nature of digital data.
WHAT IS BEING COLLECTED, WHY, AND FOR HOW LONG?
A significant part of the GDPR is about transparency and informing data subjects about how their personal data is going to be used, by whom, and for approximately how long. The GDPR requires data controllers to state what data is being used and the exact reasons why. As well as this, they should inform data subjects of how long the data will be stored. They must also state who data subjects should contact regarding the data controller’s processing activities.
THE DIGITAL AGE OF CONSENT
Before any data can be processed, specific consent must be given to the data processor by the data subject. Then, the data must only be used for the purposes for which permission has been given. For example, if someone contacts you through your website with an inquiry, that does not then permit you to add them to your marketing list. Furthermore, a minor’s parent or guardian must give verifiable consent before the minor’s data can be used. Plus, the data subject must be able to withdraw permission at any given time.
The GDPR requires the data controller to have processes in place in case of a data breach. Of course, what is required depends on the severity of the breach, though overall, the data controller has a legal obligation to report a data breach within 72 hours.
A LITTLE RESPECT
According to the GDPR, a data subject has the right to the erasure of their data. This ultimately means that if an individual asks you to remove their information from your systems, you must comply. This means all backups, references, the whole lot.
WHEN DOES THE GDPR COME INTO FORCE?
The GDPR replaces the Data Protection Directive from 1995. It was adopted on 27th April 2016 and comes into force on 25th May 2018.
WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH THE GDPR?
The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover, whichever is greater. And yes, you read that correctly.
SO, HOW CAN YOU MAKE YOUR SITE GDPR COMPLIANT?
Take a personal data audit.
A personal data audit will help you identify each of your data processors. List them, marking each with either 1 or 3 to track which are first-party and which are third-party data processors. For every data processor you should consider:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
For every third-party processor, you should double-check their privacy policies and ensure that they are GDPR compliant. US-based data processors should be Privacy Shield compliant. If a third party isn’t yet compliant with the GDPR or Privacy Shield, you should contact them and find out whether they plan to become compliant and when. If they have no plans to become compliant by 25th May 2018, you should seek to replace them with a similar but compliant provider.
Detail the personal data audit on your site’s privacy policy page
As we’ve already stated, a considerable part of the GDPR is communicating with users about how and why you are collecting their data. So, be honest. You should be upfront and tell them exactly why.
Strengthen the weakest link
Any weaker parts of your website should come to light during your audit. One example could be the non-compliant third-party data processor described above. Other examples may be insecure email accounts or unencrypted website traffic, and you should also consider contact form submissions that have been saved to your website’s database. Whatever the weak links are, you should aim to either strengthen them or remove them.
Even though the GDPR may seem somewhat intimidating and over the top, it’s important to remember why it has been put into place. The GDPR is about protecting people from those who stalk the internet. The internet is still highly unregulated, and so needs higher levels of international legislation; the GDPR is a contributor to this. Remember, even though the GDPR may seem over the top, it will help the internet take care of yourself and each other.