Every day we use the internet for a variety of tasks like sending emails, shopping, and paying bills. All of these processes involve sharing personal information about ourselves that ideally we would like to keep secure and private, and as a website owner you obviously try to keep any data you hold about your own customers safe and secure.
As a protective measure to ensure all companies do likewise, the EU's new regulation, the General Data Protection Regulation (GDPR), applies from May 25th, 2018. It affects all European companies and any business worldwide that deals with, and keeps information on, individuals in the EU. In practice, this means that any entity that collects data such as email addresses, banking information, IP addresses and NI numbers will need to conform to GDPR to avoid hefty fines. Nor is the UK exempt because of Brexit: the UK will carry over EU legislation until such time as the UK Government alters or repeals each specific law, so GDPR will still apply for the foreseeable future, even if all your data relates only to UK residents within the UK.
What is GDPR?
The idea behind this regulation is to protect individuals in the EU as much as possible from unsecured and lax use of any personal information relating to them, and to give them more control over their own personal data. For example, individuals are given the following rights:
- to be informed that their data is being used
- to be able to request access to it
- to rectify it if it is incorrect or out of date
- to be able to request its deletion
- to restrict its use in any processing
- to transfer all information to an alternative service provider
- to not be subject to decisions based solely on automated processing, including profiling
Finally, if the worst should happen and there is a personal data breach, the supervisory authority (the ICO in the UK) must be notified where feasible within 72 hours of your becoming aware of it, and the affected individuals must be told without undue delay where the breach is likely to put them at high risk.
As you can see, it is very important for website and business owners to be transparent about what data they are using and storing, and to have procedures in place for anyone who wants access to their personal information. Each company should know exactly what data is being held and why, where it is stored and how it is secured, and have procedures in place to handle requests when any of the above rights are exercised.
Data and Responsibilities
As a website owner, it helps to know which data falls within scope in order to judge how your internet business will be affected by this regulation. Personal data is anything that can identify an individual, directly or in combination with other data, including the following:
- Date of birth
- Email, IP, or real address
- Bank information
- Social networking data
- Location details
- Medical data
- Political opinions or sexual orientation (special category data, which attracts stricter conditions)
This list is not exhaustive but indicative of the wide range of information governed by GDPR, and the responsibility falls upon businesses and owners of websites to make sure they are complying fully. Those found to be non-compliant risk penalties and fines of up to 4% of annual global turnover or 20 million euros, whichever is greater, so anyone affected should already be planning for the changes they may need to make.
However, there is no need to panic. Unless you are a huge multinational company, the regulatory bodies expect companies to take a while to get to grips with the new rules. Naturally you cannot bury your head in the sand, as GDPR is inevitable, but as long as you can show that you are working towards compliance, you should get some leeway if it takes longer than expected. Do not treat this as a formal grace period, though: the obligations apply from the start date.
How to Prepare for GDPR
The main focus of compliance is knowing what data you have, having a lawful reason for holding it, and being able to keep it secure. If anyone asks about the data you hold on them, you need to be able to find it quickly and easily, particularly if they then request its deletion, so it is vital that you can pinpoint every instance of personal data belonging to that one individual. This means that when you begin to prepare your company and website for compliance with GDPR, you should establish exactly what data you have, whether you acquired it lawfully (as far as GDPR is concerned) and whether you still need to keep it.
If you do not have a valid reason to keep data, it is easier to remove it from your systems now than to go through all the processes required to make sure it is secure, for example encryption, anonymisation or pseudonymisation, and access control.
In order to get started on the path to full compliance, here are some ideas of how to begin:
Audit the data your company uses
Finding out exactly what data you have involves a thorough investigation of all your systems, including everywhere you store old as well as current data. This encompasses local servers, the cloud (don't forget applications such as Dropbox and Google Drive), local storage such as USB sticks, DVDs and portable hard drives, and even paper records. You need to know who you hold data on and whether any of it is of a sensitive nature, and you should note file types, which have a bearing on security measures and on how easily you can extract an individual's data if they request it.
You also need to ascertain whether any data originating in the EU is transferred elsewhere at any time, since such transfers need an appropriate safeguard and the data should be sufficiently protected or encrypted in transit and at rest. (At the time of writing, the EU-US Privacy Shield framework is the usual mechanism for transfers to the US; note that the CJEU invalidated Privacy Shield in July 2020, so check which transfer mechanism currently applies.)
The audit should also cover how secure the data you hold is and who you share it with, particularly any third-party applications used via your website. These include any WordPress plugins, including those that store comments or user information, as well as ecommerce solutions, Google AdSense, Google Analytics, and marketing automation providers such as Mailchimp. Emails and address books in any social media application should also be under scrutiny, as should any apps used for productivity or business processes such as Trello or Calendly.
Make sure that all the data you hold, and each specific use of it, has been explicitly agreed to by your customers. Implied consent and pre-ticked boxes will not pass muster under the new rules, so if necessary, permission must be requested again. However, make sure you are only asking permission from people who have not already opted out: both Flybe and Honda were fined by the ICO (under the existing PECR marketing rules) for doing exactly this. They were emailing people to obtain consent ahead of GDPR, but included people who had already asked to be removed from their lists.
All privacy policies should list the data you collect and what it is used for, and it would also be helpful to include a line about GDPR compliance. The next stage is to list all entities who have access to this data, whether your own employees or a larger company such as Google, and how long you intend to keep it. You should also update any contact forms so that you collect only the data you absolutely need: there must be a valid reason for every field on the form, and the user must know exactly why you need it. Tick boxes must not be pre-filled; if you want people to agree to be contacted by email, they must tick the boxes themselves.
Establish security procedures
Plans need to be in place to prevent data breaches as far as possible, starting with an assessment of how each type of data you hold should be protected. Ideally, you should delete now any data you are not sure why you are keeping: this part of the planning is labour-intensive, and the less data you have to worry about, the less time it will take and the cheaper it will be to secure. A risk assessment is essential so that you can find ways of securing all the data you hold and know what procedures to follow if a breach is uncovered. Implementing safeguards goes a long way towards preventing breaches, but plans should also specify how individuals and the authorities will be notified as soon as possible if the worst happens.
Establish procedures for individuals requesting their information
As a large part of GDPR is dedicated to allowing individuals to access the data you hold about them, you need to be prepared so that finding all related information is not an onerous task. If you have carried out the audit step above successfully, you will know where the data can be found. The next step is to be able to select every single piece of information relating to the individual in question and provide it in readable form. This is particularly important if the request is for deletion rather than just access, as you need to be completely confident that you can find and remove every item relating to the person requesting it. This is not such a problem if you have a single database with all related information under one top-level key. But if, for example, you store bank details in one database, forum comments in a separate file, prior purchases on Dropbox, and other personal information in a Twitter DM, the problem becomes rather more complicated, and the stores will often be keyed differently (a customer ID in one, an email address in another, perhaps an old email address in a third). A refusal to supply the information because you can't find it will not be acceptable!
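The following is an added example, not code from the original article, showing one way to keep the data audit and the access and erasure procedures above in one place: a small inventory that records every store holding personal data and how each store is keyed, resolves a requester's identifiers across those stores, exports everything found in readable form, and verifies after erasure that nothing is left. The stores (an in-memory SQLite database, a comments list and a mailing list), their schemas and the sample records are constructed for illustration.

```python
"""Data-subject access and erasure across several differently keyed stores.

Added example. The stores, schemas and sample data below are constructed
for illustration and do not come from the original article.
"""
import json
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Subject:
    """Every identifier that may refer to the same person across stores."""
    customer_id: int
    emails: set = field(default_factory=set)


class Inventory:
    """Registry of every store holding personal data and how each is keyed."""

    def __init__(self):
        # Store 1: relational customer and order records, keyed by customer id.
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, iban TEXT)")
        self.db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT)")
        # Store 2: forum comments, keyed only by the email used at the time.
        self.comments = []
        # Store 3: mailing list, keyed by email, carrying the consent flag.
        self.mailing_list = {}

    def load_sample_data(self):
        """Constructed sample records; Alice has commented under an old address too."""
        self.db.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
            (1, "alice@example.com", "GB00EXAMPLE0001"),
            (2, "bob@example.com", "GB00EXAMPLE0002"),
        ])
        self.db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
            (10, 1, "kettle"), (11, 2, "toaster"), (12, 1, "lamp"),
        ])
        self.comments = [
            {"email": "alice@example.com", "text": "Great kettle"},
            {"email": "alice.old@example.org", "text": "Delivery was late"},
            {"email": "bob@example.com", "text": "Toaster is fine"},
        ]
        self.mailing_list = {
            "alice.old@example.org": {"opted_in": True},
            "bob@example.com": {"opted_in": False},
        }

    def resolve(self, subject):
        """Widen the identifier set: the customer row may hold an email the requester did not give."""
        row = self.db.execute("SELECT email FROM customers WHERE id = ?",
                              (subject.customer_id,)).fetchone()
        if row:
            subject.emails.add(row[0])
        return subject

    def locate(self, subject):
        """Return every record about the subject, grouped by store (empty dict if none)."""
        self.resolve(subject)
        found = {}
        rows = self.db.execute("SELECT id, email, iban FROM customers WHERE id = ?",
                               (subject.customer_id,)).fetchall()
        if rows:
            found["customers"] = [dict(zip(("id", "email", "iban"), r)) for r in rows]
        rows = self.db.execute("SELECT id, item FROM orders WHERE customer_id = ?",
                               (subject.customer_id,)).fetchall()
        if rows:
            found["orders"] = [dict(zip(("id", "item"), r)) for r in rows]
        hits = [c for c in self.comments if c["email"] in subject.emails]
        if hits:
            found["comments"] = hits
        hits = {e: v for e, v in self.mailing_list.items() if e in subject.emails}
        if hits:
            found["mailing_list"] = hits
        return found

    def export(self, subject):
        """Access request: everything held, in a readable, portable form."""
        return json.dumps(self.locate(subject), indent=2, sort_keys=True)

    def erase(self, subject):
        """Erasure request: delete from every store, then prove nothing is left."""
        self.resolve(subject)  # must run before the customer row disappears
        self.db.execute("DELETE FROM orders WHERE customer_id = ?", (subject.customer_id,))
        self.db.execute("DELETE FROM customers WHERE id = ?", (subject.customer_id,))
        self.db.commit()
        self.comments = [c for c in self.comments if c["email"] not in subject.emails]
        for email in list(self.mailing_list):
            if email in subject.emails:
                del self.mailing_list[email]
        leftover = self.locate(subject)
        return leftover == {}, leftover


if __name__ == "__main__":
    inv = Inventory()
    inv.load_sample_data()
    # The requester gives only her customer id and an old email address.
    alice = Subject(1, {"alice.old@example.org"})
    print(inv.export(alice))
    print("erased completely:", inv.erase(alice)[0])
```

The point of `resolve()` is the one the paragraph makes: a request arriving with one identifier (here a customer ID and an old email) must still reach the comments and mailing-list entries keyed by the current email, and `erase()` only reports success when a fresh `locate()` finds nothing in any store.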
Remember forbidden practices
Because more care is required over how personal data is used, you will no longer be able to send unsolicited emails to anyone who has not expressly asked for them. This includes automatic emails sent when people abandon their shopping carts. These used to be a good way of offering discounts to persuade the shopper to complete their purchase, but unfortunately this will no longer be allowed unless they have already opted in to contact by email. (The same applies to unsolicited text messages if you hold their mobile phone number.)
The ICO and EUGDPR.org are useful sources of additional help should you need it, as making your website and company completely compliant may seem a daunting task. However, GDPR is unavoidable, so breaking it down into manageable chunks as outlined above should at least help you begin. The key to being compliant is to be completely aware of what data you hold, hold it securely, be able to access it when necessary, and have policies and procedures that ensure complete transparency. As long as you can show that these steps are either complete or in progress, and keep security in mind as part of every new addition to your business, compliance with GDPR will become second nature.
As an added benefit, this compliance will mean that confidence in your company will increase as both clients and employees will trust in your ability to protect their personal information. And when all the data you hold is accurate while also being completely secure, you will find that your business can save time and money in terms of processing power required, data storage, and protection against data breaches which can cause untold damage to both a firm’s reputation and bottom line.
While we have endeavoured to ensure that the information provided here is as accurate as possible, we are not lawyers and cannot accept responsibility for any actions you take based solely on the information in this article.