General Data Protection Regulation – or GDPR – will be one of the biggest things to hit businesses in 2018, with legislation to be enforced on 25th May that poses potentially crippling fines for organisations that fail to comply.
The maximum penalty for flouting the rules is €20 million or 4% of global turnover, which would certainly be enough to close down many businesses. To avoid these steep ramifications, preparation is key, starting with your website.
Website Encryption
Any data that is submitted to your website must be encrypted in transit in order to comply with GDPR. This prevents the data from being intercepted between the visitor's browser and your server. An SSL/TLS certificate should be installed on your site so that it is served over HTTPS.
You can check whether you already have one by looking for the padlock symbol in the address bar of your browser when you visit your site's homepage. If the padlock is missing, speak to your web developer to rectify this.
Getting consent
Consent is a key part of GDPR legislation and it is important for any website that collects personal data – for whatever reason – to obtain specific permission to use it in the course of their business. Visitors to your website must understand exactly how you are planning on using their data and must agree to each specific purpose. That means if you have someone’s email address because they have placed an order with you, you are only allowed to market to them if they have agreed to this.
Take the example of a recruitment firm; if a candidate has provided their details when applying for a role, you are not allowed to use this information to approach them with other opportunities unless you have obtained their explicit permission to do so. It’s likely that your website will need updating to reflect these changes, starting with forms and cookies.
Similarly, privacy notices may require rewriting in line with GDPR rules. They must be simple to understand and free of jargon. It is worth asking your web developer to carry out an audit of cookies and ensure that all notices comply with GDPR best practice.
Access to data
A key part of GDPR is being aware of who has access to the personal data that is logged and stored on your website in the content management system. The first step to compliance is to understand exactly who these people are and compile a list. You should then examine the list and ask whether each of those people genuinely requires access to this data. If the answer is no, their access should be revoked and measures must be implemented to control who is granted access in future.
There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary.
Business owners should also audit any external agencies they use that might have access to their data to check their procedures are compliant. As the data owner (controller), you are ultimately responsible for this, even if you have outsourced elements of the process, so keep a register of measures you have taken to ensure everybody is acting in line with GDPR regulations. Agencies should be able to explain clearly what measures they have taken to maintain the maximum security of the data you provide them with.
If you are using Gmail, then you can assume that your data is being held in, or passing through, or accessible from the USA. GDPR does not oblige users to store data on servers inside the EU. However, there are extra requirements if servers are outside the EU. First, you need to have a legitimate reason for transferring personal data outside the EU. Second, you must have the consent of the person whose data is being exported. Third, you must give that person the option to opt out.
Another issue with using a personal email address for business purposes is that you can be held personally liable if you accidentally email the wrong person, which is more likely when you rely on a personal address book. Reduce the scope for human error wherever possible, add a disclaimer at the bottom of business emails, and keep business and personal email separate.
The above is by no means an exhaustive list, but completing these actions will set you off on the right foot for becoming GDPR compliant in 2018.