General Data Protection Act 2018 Compliance Guide

Last Updated on Apr 2, 2018 by Jos



    Is your website GDPR Compliant?

    I’ve had quite a few questions of late about GDPR, how it relates to websites and marketing, and how businesses can ensure that they’re compliant, and as a result I have researched how it’s being rolled out and what businesses will need to do to ensure that they’re compliant.


    What is it?
    The General Data Protection Regulation (GDPR) is the new data protection law in the EU, the most important change in data privacy regulation in 20 years, which was approved by the EU Parliament on 14 April 2016.


    What’s at stake?
    The cost of non-compliance could be high, with fines of up to €20 million, or 4 percent of a company’s global revenue.


    When do I have to be compliant?
    25 May 2018.

    There are 5 main areas in which the GDPR aims to provide EU residents with stronger protections and transparency in how their data is stored and used:

    1. Right to rectification – Individuals can ask that their information be updated or corrected.

    2. Right to be forgotten – Individuals can ask that their information be permanently deleted.

    3. Right of portability – Individuals can ask to have their information transferred to another organization.

    4. Right to object – Individuals may seek to prohibit certain uses of their personal data.

    5. Right of access – Individuals have the right to know what personal data has been collected about them and how it’s being used.


    How does GDPR relate to information collected on my site?
    ❓ even an IP address, and so on.


    How might a standard site generally collect user data?
    ✅ user registrations,
    ✅ contact form entries,
    ✅ analytics and traffic log solutions,
    ✅ any other logging tools and plugins,
    ✅ security tools and plugins.


    How to make a website compliant to GDPR?

    1. Request explicit consent.
    The Right of Access states that before data collection takes place – before the user submits the form – they must be aware that the form is collecting personal data with the intent to store it, and must give explicit consent to this.

    2. Inform the user.
    You must let them know which of their data will be stored and used, how, where, and for what purpose. To keep things simple in your form, you will need a privacy policy that fully discloses your data collection and storage practices, and then link to that privacy policy from the form at the point where you request consent.

    3. Privacy by design.
    Privacy by design encourages controllers to enforce data policies under which only the data that is absolutely necessary is processed and stored. This pushes site owners and controllers toward safer handling of data, by limiting collection of, and access to, the data points actually needed.

    4. Keep user data organised and accessible.
    The Right to Be Forgotten gives users an option to have their personal data erased and to stop further collection and processing of it. The Data Portability clause of the GDPR gives users the right to download the personal data they previously consented to, and to transmit that data to a different controller. You must be able to provide a user with a copy of all personal data you hold on them on request, free of charge and within 40 days, and to delete it on request. If you always collect an email address whenever you collect personal data of any type, submissions can easily be searched by it and the user contacted by that means.

    5. Have an open channel for user requests.
    A simple form for consent withdrawal and/or access requests on your privacy policy page (which is linked to by any form that collects personal data) lets the user contact you in a very easy and clear way; set up an email action that notifies you each time this form is submitted.

    6. Breach notification.
    Under the GDPR, if your website ever experiences a data breach of any kind, that breach will have to be communicated to all of your users in a timely manner (within 72 hours of first becoming aware of it), because a data breach could put the rights and freedoms of individuals at risk. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages you to follow the best security practices available so that data breaches do not occur in the first place.

    You’ll also need to ensure that any plugins or tools that handle user data (e.g. a CRM) are also doing so in a way that is GDPR compliant.
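    As an added example (not code from the original post), here is a small Python sketch of the record-keeping the steps above call for: consent is stored together with the policy the user was shown, only the fields the form needs are kept, and access/portability, erasure and consent withdrawal are all served by looking up the email address. The class and function names are hypothetical; a real site would back this with its database or CRM.

```python
import json
from datetime import date, datetime, timedelta, timezone

# Privacy by design: only the fields the form actually needs are kept.
ALLOWED_FIELDS = {"name", "email", "message"}
REQUEST_DEADLINE = timedelta(days=40)   # response window stated in the post


class PersonalDataStore:
    """In-memory stand-in for the site database or CRM, keyed by email."""

    def __init__(self):
        self._records = {}

    def record_submission(self, email, fields, consent_given, policy_url):
        """Store a form entry only if the explicit consent box was ticked."""
        if not consent_given:
            raise ValueError("explicit consent required before storing personal data")
        key = email.strip().lower()
        entry = self._records.setdefault(key, {"submissions": [], "do_not_process": False})
        if entry["do_not_process"]:
            raise ValueError("consent was withdrawn; further processing is blocked")
        # Record what the user consented to, when, and which policy they were shown.
        entry["consent"] = {"policy": policy_url, "at": datetime.now(timezone.utc).isoformat()}
        entry["submissions"].append({k: v for k, v in fields.items() if k in ALLOWED_FIELDS})

    def export(self, email):
        """Right of access / portability: everything held on this person, as JSON text."""
        entry = self._records.get(email.strip().lower())
        return json.dumps(entry, indent=2, sort_keys=True) if entry else None

    def erase(self, email):
        """Right to be forgotten: delete all records; returns True if anything was held."""
        return self._records.pop(email.strip().lower(), None) is not None

    def withdraw_consent(self, email):
        """Right to object: delete held data and block further collection for this email."""
        self.erase(email)
        self._records[email.strip().lower()] = {"submissions": [], "do_not_process": True}


def request_deadline(received_on):
    """ISO date by which a request received on `received_on` (ISO date) must be answered."""
    return (date.fromisoformat(received_on) + REQUEST_DEADLINE).isoformat()
```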


    Action Points
    ✅ Make sure people know about, and consent to, you storing their information, e.g. a checkbox on any form that stores their data in a CRM or database, with a link to your policies.
    ✅ Make sure that if you are storing data it’s organised in a way that will allow you to delete their information should they request it.
    ✅ Give people the ability to delete their own data, or to request via a form that you provide them with a copy of it or delete it for them, and ensure this is done promptly (within 40 days).
    ✅ Notify users of any data breaches within 72 hours.

    I’m providing this information to help you prepare, but the GDPR guidelines are expansive and probably impact other aspects of your business. I recommend that you seek legal counsel from a qualified professional to understand the total impact of GDPR on your business.