What is GDPR?
GDPR – the big buzz word of 2018 and the elephant in the meeting room. If you’ve been avoiding the subject (or perhaps haven’t even heard of it at all!), now is the time to take notes. GDPR or the General Data Protection Regulation has been introduced by the EU and has an approaching deadline of 25th May 2018 to ensure your business is compliant.
Designed to replace the Data Protection Act 1998, the new regulation has a broad spectrum approach towards the handling of personally identifiable data and sensitive information. This applies to small businesses right through to global organisations (and everything in-between).
Unlike the more recent EU Cookie Law, GDPR is tipped to be heavily monitored and the EU has the power to bite. Businesses can expect to receive fines of up to 4% of gross annual turnover or €20 million, whichever is higher for failing to comply.
Why has it been introduced?
Essentially, it has been designed to bring data processing to the forefront of everyone’s mind. Money may make the world go round, but technology, connectivity and software are the driving force behind it. The ever increasing push towards making every area of our lives digital doesn’t come without consequence. The purpose of GDPR is to put the individual in control of the information which a company holds on them and to ensure that any information an organisation does hold is for legitimate, authorise use and details on how it is held – something which the Data Protection lacked.
What do I need to do to comply? The Three C’s
This will vary from business to business, but as a general rule for businesses, the “Three C’s” should be considered:
- Consent – ensure you have the individual’s permission to hold their information.
- Control – make sure that you’re holding the information securely, lawfully and necessarily.
- Clear – Individuals have the right to be forgotten, you must be able to remove any personally identifiable information on request.
How is my website and hosting affected?
Security
Paramount to safely controlling data, make sure that your website is encrypted with an SSL Certificate (green padlock in the address bar), passwords are considered strong and that they are held securely (ie. not in emails!) We’d recommend LastPass, it’s a free tool to manage your passwords through your browser and mobile devices.
Privacy Policy
All websites are required to inform visitors of the use of their data. Your website should have a Privacy Policy and a notification bar which allows the visitor to consent to your use of their information. This could include consent for tracking cookies from services such as Google Analytics or Facebook Pixel.
Form Submissions
If you have a contact form, request a call back etc, then this data is being processed and later controlled. Many popular form tools on platforms such as WordPress will store the submissions in a database or send an email notification. It is important that this information is only held for as long as necessary. Ask your web designer or hosting company about setting up an auto-erase facility on old form submissions after X number of days. Notifications being sent through via email? These need to be controlled too.
Transfer of Information
Do you move data collected from your website over to a spreadsheet or CRM/invoicing system? If so, this needs to be mentioned in your Privacy Policy and properly handled with a process available for you to remove this data at short notice. Make sure that this data isn’t kept for longer than necessary and that only staff who fundamentally require access are able to view it.
Opt-in to Communication
Do you collect names and email addresses to send newsletters or marketing emails? If so, then an individual submitting a contact form, even with a pre-ticked box to opt-in to your newsletter is not enough. There must be express consent and it is advised that all of your forms have a tick box to opt in which the user actively has to tick. After all, you have to be able to prove that they have consented. Already have a large list of newsletter subscribers? We’d recommend asking them to expressly opt in again if they haven’t already. You may lose a large number of subscribers, but the quality of your remaining subscribers will be really high!
Information Request
Any individual has the right to request any information which you hold on them to an extent. If you cannot provide this information in a reasonable time ie. within 1 month, then you may be at risk. You need to be able to demonstrate that your organisation is able to process these requests efficiently and reasonably. We’d advise having an information request form on your website which links through from your Privacy Policy. It could also be used to link to directly if asked by an individual. You then need to be prepared to supply the information within a reasonable timeframe.
Right to be Forgotten
So you hold various records about an individual, let’s say he or she has requested that any information you hold on them is removed. Under the new GDPR rules, you must oblige fully. This includes removing contact details, communication records, tracking information etc.
What is my web design agency’s responsibility?
As a data processor, your web design company has a responsibility to ensure that your organisation’s data is handled properly and lawfully. You should approach your web design team to ensure that your website is compliant and that they are taking necessary steps to ensure that both your data and your customer data is kept securely, to a minimum wherever possible and it is secure. It’s a big red flag if your web design agency is not aware of GDPR as they should be working with you to ensure you are compliant.
At Create Designs, we are taking an active approach to assisting our clients with GDPR. We can offer an audit of your current practises and advise on the best way to approach the handling of data within your business.
If you have any questions or you’re unsure if your business is compliant, please get in touch on 01252 759340 and speak to a member of our team about how we can help.
