We’ve all heard about it, and we’ve all gotten the emails. The General Data Protection Regulation (GDPR) is a new EU regulation which aims to strengthen data protection for EU citizens. Essentially, it’s a series of regulations and guidelines that say:
“If you want to offer your services or products to customers who are EU citizens, you better make sure you look after their personal data or else!”
And a lot of businesses are up in the air trying to figure out how this applies to them. There is conflicting information all over the place about what needs to be done. Believe it or not, one of the quicker ways you can be seen to be making an effort with GDPR is through your website. Here at Upfront Digital, we have run several of our own clients through the process and made their sites compliant, and for the majority of SMEs, it’s a straightforward process provided that you understand it.
GDPR came into effect on 25th May 2018. The deadline for compliance has passed us by, but many websites are still not compliant. We’re here to outline the main steps your company’s website needs to take in order to be compliant. If you have someone on hand who can handle it, that’s great, and if not, just get in touch with us to avail of our summer 2018 compliance offer!
WHAT ARE THE CONSEQUENCES OF NOT COMPLYING WITH GDPR?
The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover, whichever is greater. Now there are a couple of warnings before this happens, so you aren’t going to lose your business in a day. But being seen to be making the effort is a big deal with GDPR, and having your website compliant is a big step towards doing so.
WHAT RIGHTS DO INDIVIDUALS HAVE UNDER GDPR?
Under the GDPR, individuals have:
- The right to access – This means individuals have the right to request access to any personal data you have on them, and to ask how their data is used by your company after it has been gathered. You must then provide a copy of the personal data within a reasonable timeframe.
- The right to be forgotten – If individuals are no longer customers, they have the right to request all of their data be deleted.
- The right to data portability – Individuals have the right to request their data in a commonly used format for the transfer to another service.
- The right to be informed – Consumers have the right to be told how their data is collected and processed, and must actively consent to these processes.
- The right to have information corrected – This means that users can request the correction of outdated or incorrect data.
- The right to restrict processing – Users can request that their data is not used for processing. So their data is retained, but not acted on.
- The right to object – This includes the right of individuals to request the halting of the processing of their data for direct marketing.
- The right to be notified – If there has been a data breach that compromises an individual’s personal data, this individual has a right to be informed within 72 hours of the company becoming aware of the breach.
And finally…
HOW DO I MAKE MY WEBSITE COMPLIANT?
1. Have a privacy policy
This is the first place people will look to check for GDPR compliance. This is where you inform your customers and site visitors of how you process their data.
Some usual ways in which a standard website might collect user data:
- user registrations,
- comments,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
Your privacy policy should account for all of these.
2. Opt-in Forms
Whenever a user is submitting information to you or your site, you should gather active consent. This essentially means getting the user to tick a checkbox that links to the company’s privacy policy.
3. Security Certificates
An SSL certificate serves as an electronic “passport” that establishes an online entity’s credentials when doing business on the Web. When an Internet user attempts to send confidential information to a Web server, the user’s browser accesses the server’s digital certificate and establishes a secure connection.
4. Up to date frameworks and plugins
Out-of-date plugins and website engines like WordPress are more than likely not GDPR compliant. Many recent updates to these plugins provide a whole suite of tools to aid in your site’s compliance.
5. Data Request Forms
You should have a section on the site where users can request a copy of their data, or the deletion of it.
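The following is an added example, not code from the original post or from Upfront Digital, showing how items 2 and 5 above fit together on the server side of a contact form: a submission is only accepted when the consent checkbox was actively ticked (the server checks this itself, so a pre-ticked or skipped checkbox does not count), the consent is recorded together with the policy version and time, and the site can answer an access request with a portable copy of the subject’s data and a deletion request by erasing it. The field names, the policy version label, the in-memory store and the sample submissions are all assumptions made for the example.

```javascript
// Added example (not the post's or Upfront Digital's code). Models server-side
// consent handling plus data access and deletion requests for a contact form.
// Assumed field names: email, message, privacy_consent. Assumed policy label.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed label of the linked policy

// Values a browser may send for a ticked checkbox; anything else is not consent.
const AFFIRMATIVE = new Set(["on", "true", "yes", "1"]);

// Accept a form submission only with explicit consent; returns the stored entry.
function acceptSubmission(store, fields, now = new Date()) {
  const consent = fields.privacy_consent;
  // A missing field covers both an unticked box and a client that left the
  // checkbox out entirely, which is why the check lives here, not in the browser.
  if (typeof consent !== "string" || !AFFIRMATIVE.has(consent.trim().toLowerCase())) {
    return { ok: false, error: "active consent to the privacy policy is required" };
  }
  const email = String(fields.email || "").trim().toLowerCase();
  if (!email) return { ok: false, error: "email is required" };
  const entry = {
    email,
    message: String(fields.message || ""),
    // Record what the user agreed to and when, so the consent can be evidenced later.
    consent: { policyVersion: PRIVACY_POLICY_VERSION, givenAt: now.toISOString() },
  };
  store.push(entry);
  return { ok: true, entry };
}

// Right to access / data portability: everything held on one subject as JSON.
function exportSubjectData(store, email) {
  const key = email.trim().toLowerCase();
  const records = store.filter((e) => e.email === key);
  return JSON.stringify({ subject: key, records }, null, 2);
}

// Right to be forgotten: remove the subject's records in place, return the count.
function eraseSubjectData(store, email) {
  const key = email.trim().toLowerCase();
  let removed = 0;
  for (let i = store.length - 1; i >= 0; i--) {
    if (store[i].email === key) {
      store.splice(i, 1);
      removed++;
    }
  }
  return removed;
}

// Constructed sample submissions (fictitious addresses).
const SAMPLE_SUBMISSIONS = [
  { email: "Ann@example.com", message: "hello", privacy_consent: "on" },
  { email: "bob@example.com", message: "hi" },                          // box not ticked
  { email: "carl@example.com", message: "hey", privacy_consent: "off" }, // not affirmative
];

// Runs the full flow over the samples and returns a summary of what happened.
function demo() {
  const store = [];
  const when = new Date("2018-06-01T12:00:00Z");
  const results = SAMPLE_SUBMISSIONS.map((f) => acceptSubmission(store, f, when));
  const exported = JSON.parse(exportSubjectData(store, "ann@example.com"));
  const removed = eraseSubjectData(store, "ann@example.com");
  return {
    accepted: results.filter((r) => r.ok).length,
    rejected: results.filter((r) => !r.ok).length,
    exportedRecords: exported.records.length,
    removed,
    remaining: store.length,
  };
}

console.log(demo());
```

In a real site the store would be the database behind the form plugin, and the export would also cover any other places the subject’s data was copied to (analytics, mailing lists, logs), which is why the privacy policy should list every such place.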
The GDPR might seem intimidating, and the fine is heavy enough to give many business owners a sleepless night or two, but it comes from a good place. The GDPR is about protecting people like you and me from the many security threats and malicious actors across the internet.
If you’ve been wondering about your website’s compliance, feel free to get in touch with us here at Upfront Digital for a free compliance evaluation!