Are you, and your business, GDPR Ready?
Even if you are not fully aware of what it is, you will almost certainly have heard of the imminent GDPR legislation, and you may well be wondering what you need to do to ensure full compliance.
If you are wondering what on earth we are talking about, or are worried about what you need to do, don’t worry: it is not as daunting as it may initially seem. We will try to provide a brief overview of what is going on, and what steps you may wish to consider taking.
So what is GDPR?
GDPR stands for the General Data Protection Regulation, and is an EU directive to ensure consistent data protection laws across EU states which comes into force on 25 May 2018. This new framework is set out to ensure consistency in law and consequently to aid individuals and businesses alike by having one set of rules across Europe, thus making for a simpler legal process.
Compliance with the new legislation is being driven by the threat of severe financial penalties for non-conformity, of up to 4% of a company’s annual global turnover, along with the potentially irreparable damage to reputation.
Scaremongering? Potentially. A drive to ensure universal compliance? Undoubtedly.
We feel that a period of education will surely be assured ahead of financial penalties being handed out, particularly as so many small businesses are reportedly unprepared for the end of May deadline.
Why is it needed?
Cybersecurity and data privacy are very hot topics at present, with individuals worried about what data companies hold on them. GDPR is designed to improve this visibility, along with providing a better consent process.
Inconsistencies between member state laws mean that GDPR is required to provide a uniform platform across Europe and clarity for companies trading within these states.
Personal data, i.e. names, addresses, IP addresses or multiple other forms, is being collected at an ever increasing rate. GDPR aims to ensure that this data is only held for its initial intended use.
But what about Brexit?
You may well be asking why we are so bothered about this, as we are due to be leaving the EU after all! However, as previously stated, this legislation will affect all companies whose business includes interaction with any individuals within EU states, and trade with those states is something that Brexit will supposedly be aiming to maintain.
The UK currently governs via the Data Protection Act 1998, which has fallen behind technological advancements and is undoubtedly outdated. Our understanding is that the UK government will be drawing up a new act which encompasses GDPR within it, meaning that we absolutely should be abiding by the forthcoming regulations.
So how does this affect my business and what should I be doing?
If your company collects personal data in any form, you will firstly need to carry out a review of your current processes, to ensure that you meet GDPR requirements.
You will find a more detailed guide to this at The UK Information Commissioner’s Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
And by referring to this detailed PDF file from the aforementioned site;
Larger companies may need to consider appointing a Data Protection Officer (DPO), who will assume responsibility for all processes and conformity to regulations. The DPO will also, more than likely, oversee many of the steps required as detailed below:
Customers will actively need to consent to data collection by your company. It will no longer be acceptable for this to be done via a pre-selected tick box, for example, but the user will have to actively agree to data being collated.
Consent statements will need to be written in an easy to understand manner, as well as providing an easy option for the user to withdraw their consent in the future.
You will need to keep detailed and up-to-date records of user consent. This should be treated as potential “evidence” in the event of any dispute.
You will probably need to review which employees have access to customer data, whether they need access to these records, and to educate these employees on new regulations along with systems for reporting data breaches.
Your company should have processes in place to be able to report any data breaches promptly and honestly. This may well involve disclosing details such as the number of personal records potentially compromised and the nature of the breach. This, again, would be a likely area of responsibility for a company DPO.
GDPR states that data should be held “no longer than is necessary” though there is no explicit timeframe mentioned, therefore your company will be well advised to determine a period of time which can be stated within any relevant security/privacy statements.
e.g. “Your data will be held on file for a period of 90 days….”
So what are the implications for my website?
Although by no means an exhaustive list, some of the main areas that you may need to review when considering your website are as follows:
- Privacy / Cookie Policies
- Contact Forms setup
- SSL certification
- Analytics data collection
Any policies that you currently have on your website may need to be reviewed in order to ascertain that they are free of jargon and are clearly understandable for the user.
You may well need to speak to your web developer about potential amendments to contact forms, which are one of the common data collection tools on most websites, as you will probably need to incorporate “opt in” tick boxes for agreement to personal data collection. You may well also want to include further “opt in” tick boxes to allow further marketing contact using the customer data given.
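As an added example (not code from the original article or from any named project), the following Node.js module shows how a contact-form handler could meet the consent points above: an opt-in box that is never treated as pre-selected, a separate marketing opt-in, a timestamped consent record kept as evidence, an easy withdrawal, and purging once the stated 90-day retention period has elapsed. The field names, the policy version string and the 90-day period are assumptions chosen for illustration.

```javascript
// Added example (not from the original article): minimal consent handling
// for a website contact form. Field names, POLICY_VERSION and the 90-day
// retention period are assumptions, not values from the article's site.
const RETENTION_DAYS = 90;                // the article's "held for 90 days" example
const POLICY_VERSION = 'privacy-2018-05'; // hypothetical version of the consent wording

// Build a consent record from submitted form fields. HTML checkboxes are
// omitted from a submission when unchecked, so a missing field means "no":
// the server never assumes consent, and the form must not pre-tick the box.
// Consent to processing the enquiry is required; marketing is a separate opt-in.
function buildConsentRecord(fields, now = new Date()) {
  const processing = fields.agree_processing === 'on';
  const marketing = fields.agree_marketing === 'on';   // defaults to false
  if (!processing) {
    return { ok: false, error: 'explicit consent to data processing is required' };
  }
  const expires = new Date(now.getTime() + RETENTION_DAYS * 86400000);
  return {
    ok: true,
    record: {
      email: fields.email,
      purposes: marketing ? ['enquiry', 'marketing'] : ['enquiry'],
      policyVersion: POLICY_VERSION,       // which wording the user agreed to
      consentedAt: now.toISOString(),      // evidence in the event of a dispute
      withdrawnAt: null,
      expiresAt: expires.toISOString(),    // the period stated in the privacy notice
    },
  };
}

// Withdrawal must be as easy as giving consent: record when it happened and
// stop using the data for every purpose, while keeping the record as evidence
// until the next purge.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString(), purposes: [] };
}

// Retention: return only records that are neither withdrawn nor past their
// stated retention period; everything else is due for deletion.
function purgeExpired(records, now = new Date()) {
  return records.filter(r => r.withdrawnAt === null && new Date(r.expiresAt) > now);
}
```

Run `purgeExpired` on a schedule (for example nightly) so that the retention period stated in your privacy notice is actually enforced rather than merely promised.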
Once users’ data has been collected, it is obviously essential that it is kept as securely as possible. SSL certification (HTTPS) provides a secure connection between your website and the customer, as well as building trust and being a Google ranking factor (as we have mentioned several times previously).
Cookies and Data Analytics collection is an area which will very much fall under the spotlight and is certainly something that we advise you keep abreast of through regular reviews of your processes.
Google Analytics is obviously one of the, if not the, major players when it comes to collecting website visit data etc., and is used by a high percentage of businesses.
There are differing thoughts around the net as to whether you will need specific user consent for the use of Google Analytics, though much of this will depend on how you combine and use the data mined.
In its barest form, Google Analytics does not store data that is individually identifiable, using IP addresses to derive data but not storing them, so current cookie policies may be sufficient. However, if the data is manipulated in any way that can enable an individual to be identified, then you may need to revisit your whole policy and acceptance procedures.
Overall GDPR may still feel very daunting, but if you already have good policies in place, then it should only be seen as a step change and should be manageable.
We would recommend keeping abreast of regulations at https://www.eugdpr.org/
If you wish to discuss in further detail, please feel free to contact us or call on 01690 760328.