Is your website GDPR compliant?
If you collect, store or process personal information using your website, you will need to comply with the General Data Protection Regulation (GDPR). If the data is only about your products and services and has no personal element, GDPR does not apply.
GDPR became part of EU and hence English law on 25th May 2018. This will remain a part of UK law after we leave the EU in 2019. Any company globally dealing with any personal data of EU citizens will need to abide by the GDPR.
Personal information is at the centre of the regulations
Personal information is regarded as any data that can identify an individual, such as name, postcode, phone number, email address and IP address. There is also more sensitive personal data, such as biometrics, religious beliefs and political views, and even more care needs to be taken with this data.
Nominate someone to look after your data, a Data Protection Officer (DPO)
If your company does handle personal data you will need to appoint a Data Protection Officer. This does not have to be a new recruit. The DPO is the named person responsible for ensuring your company adheres to the law and protects the personal data. The person appointed will need to ensure that processes for capturing, handling and processing data are within the law and that any breaches of data are reported in a timely manner. The DPO may not actually do the work, but has the responsibility.
Gaining consent from people freely if you want to collect and use their personal data
The law is there to protect individuals' data from being abused. The new GDPR law replaces the old data protection law. It states that any private individual needs to freely give permission for their data to be stored, and for what that data is subsequently used for. This has a big impact on website owners that collect and process customer information in any form.
It is no longer permissible to assume people give permission if they forget to tick a box. They must consciously tick the box to opt in to any data exchange.
Forms that collect and process data on your website need to be clear, and the process and the exact words used to sign people up to data storage need to be kept with the records as proof that the individual has given permission.
People's data rights – the right to be forgotten, to request data held and to have data deleted
Once you store an individual's data they have rights and controls over that data, including:
- The right to request what data is stored (the response to this needs to be free of charge and within 30 days);
- The right to have data deleted; and
- The right to be forgotten (RTBF).
Your company will need processes to handle all of these scenarios around data rights.
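The explicit opt-in and proof-of-consent requirements above, together with the access and deletion rights, as an added illustration (this is example code, not from the original article, and the consent wording, form field names and in-memory store are constructed assumptions):

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Optional
import hashlib

# Constructed sample wording shown next to the opt-in checkbox. It is stored
# with each record so the proof of consent survives later copy changes.
CONSENT_TEXT_V1 = ("I agree to Example Ltd storing my email address and "
                   "sending me its monthly newsletter.")

@dataclass
class ConsentRecord:
    email: str
    consent_text: str          # exact words the person agreed to
    consent_text_sha256: str   # fingerprint to detect later edits to the text
    given_at: str              # UTC timestamp of the affirmative action
    source: str                # which form or page collected it

class ConsentStore:
    """Hypothetical in-memory store for consent proof and data-rights requests."""
    def __init__(self):
        self._records: Dict[str, ConsentRecord] = {}

    def record_opt_in(self, form: dict, consent_text: str, source: str) -> ConsentRecord:
        # Consent must be an affirmative act: the checkbox value has to be
        # present and explicitly "yes". A missing field (box left unticked)
        # or any other value is refused rather than defaulted to consent.
        if form.get("newsletter_opt_in") != "yes":
            raise ValueError("no affirmative opt-in; nothing stored")
        email = form["email"].strip().lower()
        rec = ConsentRecord(
            email=email,
            consent_text=consent_text,
            consent_text_sha256=hashlib.sha256(consent_text.encode()).hexdigest(),
            given_at=datetime.now(timezone.utc).isoformat(),
            source=source,
        )
        self._records[email] = rec
        return rec

    def subject_access(self, email: str) -> Optional[dict]:
        # Right to request what is held: return everything stored for the person.
        rec = self._records.get(email.strip().lower())
        return asdict(rec) if rec else None

    def erase(self, email: str) -> bool:
        # Right to deletion / to be forgotten: remove the record entirely.
        return self._records.pop(email.strip().lower(), None) is not None
```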
Fines if you don't comply
If your company does not comply with the regulations (which are law) it can potentially face large fines amounting to 2-4% of global turnover. However, there is likely to be a period of querying and testing the law, with companies receiving strongly worded letters before large fines are issued. That said, some large fines for breaches of the law have already been issued.
Report a breach of your data within 72 hours
If your company loses personal data or your systems are compromised by hackers, you will need to report the extent of the data breach to the Data Commissioner within 72 hours. Your company will also need to notify the people whose data is involved in the breach.
This is another area where a process is needed in the event of a breach: who needs to do what, and when, to report and remedy the breach.
Permission is needed for automated profiling of personal data
You are not allowed to perform automated profiling of personal data under GDPR unless express permission has been given by the person being profiled. This will affect companies that rely on profiling to target specific groups of customers as part of their marketing.
This part of the regulations has a big impact on direct marketing campaigns, customer databases, inbound marketing and social media. All of these marketing processes will need to ensure that permission is gained to process the data.
GDPR Checklist for your website
- Who is your nominated Data Protection Officer (DPO)?
- What personal data do you hold / process in your company?
- How is it collected and who has opted in for what?
- What do you need the data for?
- Do you need all of the data?
- Is your data secure?
- Do you have the processes to provide data rights?
- What forms do you have on your website? Do they comply?
- What data do you store in your CRM? Is it up to date and also relevant?
- How do you do direct marketing? What data is used?
Websites are great for your business – is yours within the law?
There are many intricacies to the GDPR law, and numerous ways of implementing it to ensure companies comply.
If you want to enhance your website, collect and process more personal data and stay within the law, please give us a call; we are happy to advise and provide compliant websites.