What is GDPR?

Posted by: Tom / April 25 2018 / Category: Security

What is GDPR (General Data Protection Regulation)?

To cut a long story short, GDPR (General Data Protection Regulation) is going to be introduced across the EU on 25th May 2018 to prevent people’s data being used or harvested without their permission. If your website or application uses web forms, sells products, or collects any kind of personal information you should take note: the previous data protection laws in place have been strengthened, and businesses need to provide more transparency when declaring how data will be used before it is collected. The EU’s data protection authorities intend to give people more control over how companies use their data. It has become a daily routine for the average person to sign up for services online and hand out personal details in the process. Larger corporations such as Facebook offer a free service and are trusted amongst the general public due to being a recognisable household name. However, that same large corporation has been involved with data breaches, such as when the Cambridge Analytica scandal back in 2016 hit the news: over 50 million Facebook users’ data was harvested to influence the US election, so the public authorities got involved.

Who does the new law apply to?

The new EU data protection law applies both to businesses operating online in the EU and to businesses outside the EU who use EU-based data. 'Controllers' and 'processors' of data need to abide by the GDPR. A data controller decides how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government, and a processor could be an IT firm doing the actual data processing. Ref.

What kind of data are we talking about?

Any kind of data that relates to EU citizens is affected by GDPR. Name, address, telephone number, email address, IP address: these are all basic data flows which need to be GDPR compliant when stored. As long as the person the data relates to can be identified from it, data protection rules apply.

Be careful when managing your data security

When employing an IT specialist or outsourcing your data management requirements, be careful how the data is managed. You should ensure that information is only used for the purpose the data subject agreed to, and that it is not kept in your systems longer than required.

Can you help with our business compliance?

Yes. If we host your website or any other data, we are able to assist with GDPR compliance. Contact us here. If your website or database is hosted elsewhere and you require assistance to make your website or application GDPR compliant, we can also help. GDPR is going to have a ripple effect across your online activity, which will affect email marketing and social media as well. Apart from what we can do, we suggest that you read the above article, which explains how to be stringent when tackling GDPR. After all, it is possible to get a fine of €20 million or 4% of your annual revenue, whichever is higher! For the small to medium businesses we tend to work with in Sheffield, a fine so high would be catastrophic.

"I just want to make sure we are GDPR compliant myself..." Well you should start here...

If you use advanced web forms, these may collect specific information or allow for multiple newsletter sign-ups in one place. For example, you could be offering both a sign-up for your weekly promotions and one for your weekly general news. Granular checkboxes are better in such cases, so that your users can select exactly what kind of communications they would like to receive. This is also beneficial for your business in terms of keeping contacts on your email lists, because your users can unsubscribe from the particular emails they do not want to receive rather than unsubscribing from everything (though they must still be able to unsubscribe from all).
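As an added example (not code from the original post), the following shows the server-side half of such a form: only boxes the visitor actually ticked count as consent, each purpose is recorded separately with a timestamp and source so you can later show what was agreed to, and a person can withdraw from one list or from all. The purpose names, form field names and record shape are assumptions chosen for illustration.

```javascript
// Purposes a visitor can opt in to, one checkbox each (assumed names).
const PURPOSES = ["weekly_promotions", "weekly_news"];

// Consent must be an affirmative act: HTML checkboxes submit "on" when ticked
// and nothing when unticked, so any other value (including a missing field or
// a pre-filled "1") is recorded as "not granted" rather than defaulting to yes.
function recordConsent(form, now = new Date()) {
  if (typeof form.email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(form.email)) {
    throw new Error("a valid email address is required");
  }
  return PURPOSES.map((purpose) => ({
    email: form.email,
    purpose,
    granted: form[purpose] === "on" || form[purpose] === true,
    recordedAt: now.toISOString(),
    source: form.source || "web_form", // where consent was given, kept as evidence
  }));
}

// Withdrawal is appended, not overwritten, so the log shows what the user
// agreed to and when they changed their mind. Omitting `purposes`
// unsubscribes from every list.
function withdrawConsent(log, email, purposes = PURPOSES, now = new Date()) {
  const withdrawals = purposes.map((purpose) => ({
    email, purpose, granted: false, recordedAt: now.toISOString(), source: "unsubscribe",
  }));
  return log.concat(withdrawals);
}

// Lists the person is currently opted in to: the log is chronological, so the
// last record per purpose decides, and the state can be replayed at any time.
function activeSubscriptions(log, email) {
  const latest = new Map();
  for (const r of log) {
    if (r.email === email) latest.set(r.purpose, r);
  }
  return [...latest.values()].filter((r) => r.granted).map((r) => r.purpose);
}

// Constructed sample submission: the visitor ticked only the news box.
const submitted = { email: "jane@example.com", weekly_news: "on", source: "footer_form" };
let consentLog = recordConsent(submitted, new Date("2018-05-25T09:00:00Z"));
console.log(activeSubscriptions(consentLog, "jane@example.com")); // ["weekly_news"]
consentLog = withdrawConsent(consentLog, "jane@example.com", ["weekly_news"]);
console.log(activeSubscriptions(consentLog, "jane@example.com")); // []
```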

Amending your e-Commerce website

Do you sell your products online? If so, then you are most likely using a payment gateway through which you collect sensitive personal information such as card details. GDPR legislation recommends that you are reasonable about how long you store payment information on your system, so you will need to modify certain web processes to comply. You should also amend the checkout process to clearly specify whether the user will be signed up to any mailing lists or similar, as mentioned above.

External tracking tools

Do you use third-party tracking tools? If so, what kind of information do they collect? If you are using tools that track user details such as an IP address, then you might want to consult with the provider. Being the data controller, it is your responsibility to ensure that you meet the GDPR regulations. GDPR legislation is there to ensure users can browse freely, safe in the knowledge that what they are doing isn’t being recorded without their consent. Do not worry about Google Analytics: it doesn’t track personal user details, it just paints a picture of their behaviour.

Securing your website with an SSL certificate

Make sure your content is loaded over https://. If you haven’t done this already, speak to your developer or host to ensure that your website uses a secure connection with an SSL certificate. This means that your users can be confident that their connection to your website is encrypted, and it also means that browsers such as Google Chrome will actually load your website without complaint: you might have noticed the warnings that appear when you try to load an insecure page. We can provide an SSL certificate for you and install it if needed.

Legal jargon

Does your website have a privacy policy? If so then great, you are halfway there! If not, then you could either speak to us, or get your legal team to write one that is GDPR compliant. It needs to specify exactly how you intend to use the users’ data. It could also offer checkboxes where users can specify what kind of communications they accept.

More legal jargon

Does your website have terms of service? You should definitely update your terms & conditions to reflect the legislation discussed in this article. Again, you could either contact us for assistance or alternatively seek assistance from your legal team.

Apart from your website...

Your wider business may also be affected, as GDPR requires compliance across the board. This includes other internal databases, networks and more.

Conclusion

We hope you found this article useful. If you have any questions, please contact our team who will be more than happy to point you in the right direction to make your business GDPR compliant for 25 May 2018.

About the author

I'm a web developer & online marketing specialist who tends to spend most days experimenting & keeping up to date with HTML, CSS, JS, PHP & various other work-related jargon. I lead the development team & like to constantly push boundaries within the business. Unfortunately, I support LUFC.