What is GDPR?
At the moment there is a lot of confusion about what GDPR actually involves. Most people know about the enormous fines that could be applied if you don't comply, but they're not sure what to do to become compliant. Many business owners seem to think it's simply about getting opt-in for mailing lists, but in truth it is much more all-encompassing than that.
GDPR in One Sentence
To help clarify things we've tried to summarise GDPR in one sentence:
GDPR is about knowing what personal data you have, understanding what you are doing with it, that you have permission to use it, where it is stored, who has access to it, and how you are keeping the data safe.
You can see from this that it's all really about your internal processes and how you manage the personal data you control. To be compliant you have to look closely at your own business to make sure your processes are safe, secure and within the allowed regulations.
That notwithstanding, there are some changes you should probably be making to your website to make sure you have a good platform that makes your processes easier to manage.
This blog will provide you with some practical advice on the functionality your website or online application should have to help you implement compliant processes.
Five things to ensure
Ensure you can control who has access to personal data on your site
Does your content management system contain personal information? Who can access the admin system? What can they see? Is it possible to give restricted access? What happens to enquiries? Are enquiries stored in the system or forwarded on? Can you control where the data from enquiries ends up? Do you have a process for deleting enquiries when you’ve dealt with them? Are files that might contain personal data all kept in a secure location?
All these are good questions to ask as you look to understand your personal data and gain better control over it. However, there are a couple of fundamental things you should ensure.
Ask your web developer to:
- Provide you with the ability to set different levels of permission for users of your website admin system, so that you can control who has access to any personal data it contains.
- Ensure you can delete any personal data on the admin system once you've processed it. (You should perhaps consider moving it to a client relationship management system.)
- Confirm that files that might contain personal data which are uploaded to your site are kept in a secure area with controlled access. (For example, you might invite people to upload a CV with a job application.)
Ensure Data submitted through your website is encrypted
All data being transmitted between a user and your site should be encrypted to stop someone intercepting the information in transit.
Ask your web developer to:
- Confirm that you have an SSL certificate and that the site is encrypted.
You can check this quickly yourself by looking for the padlock and "secure" message in the address bar of your browser.
Ensure the Organisations you Use for Data Processing comply with GDPR
The GDPR puts an obligation on a business to ensure that all the data it controls is processed properly even if the processing work is subcontracted out.
Ask your web developer or supplier of processing services (e.g. email marketing) to:
- Confirm they are complying with the GDPR and that their processes are designed to keep your personal data safe.
- Confirm where geographically your data is stored and processed. If it is outside the EU you need to be very sensitive to the privacy risk.
Ensure you Obtain the Right Consent to Use People's Personal Data
If you collect personal data from your website visitors you need to get their permission to use the data. Also, if you want to do a number of things with the data you need to get permission for each activity. For example, you may use the data to provide a quote and you may also want to send occasional marketing emails; you need to gain permission for each activity. Forms on your website need to be able to record that consent for each use has been given.
Ask your web developer/marketing agency to:
- Provide you with form templates that include check-boxes for the collection of consent.
- Talk to you about systems you can use to carry out a double opt-in process when adding user data to your mailing list.
- Talk to you about an opt-in campaign to your existing database to ensure you have the correct permissions to continue direct marketing after the introduction of GDPR.
Ensure you Provide Users with Sufficient Privacy Information
Most of you will have privacy notices and terms and conditions of use pages.
These need to be simple to understand and sign-posted appropriately.
Many of you will also have cookie notices, informing users of cookie deployment. These need to be strengthened to make sure people acknowledge their use.
Ask your web developer to:
- Provide a system by which visitors are forced to recognise that you deploy cookies, and have easy access to information on what the cookies do and details on how to remove and block them.
A quick Reminder
It's worth finishing this blog with a quick reminder that even if you do all these things you won't be GDPR compliant unless you put in place the processes to utilise them properly.
GDPR is not simply a tick-box exercise. If you want to be properly compliant you need to put the security of data at the heart of your business processes, and it's very likely that how you look after your data currently will need to change.
We recently held a GDPR seminar with JMW Solicitors and King of Servers which covered the legal issues in more depth. If you'd like a copy of the slides we presented, simply complete the form at the top of this page and we'll arrange for you to receive them.