It’s not too late to make sure you’re GDPR (General Data Protection Regulation) compliant. The deadline is the 25th May 2018 and applies to anyone who runs a website, app or process that takes or holds personal information on any EU citizen.
But what is GDPR, we hear you ask?
Already in effect, GDPR is built on the 1995 EU Data Protection Directive and aims to fill the gaps where digital services have grown. It was adopted on 27th April 2016 and becomes enforceable on 25th May 2018.
It doesn’t matter if you’re based in the US, or in the UK for that matter (if you’re thinking Brexit). If you receive and hold this kind of data, GDPR applies to you. That is, unless you plan to deny EU citizens and residents access to your services or products?
The full document is a slog to read through – complete document here – and there are some areas that may not apply to you and your business – yet. But because we’re nice folk we’re going to outline the easier-to-understand areas in plain English.
If you’re one of our customers, then the majority of you will only be processing the ‘less’ sensitive information such as names, emails, and phone numbers. And if you’re a shop you’ll be taking addresses. All of this constitutes personal data, so in this article we’ll be discussing the changes you need to make on your site based on:
- How you collect customer data
- How you use or process their data
- Who within your company has access to these records
- How and when you should delete these files
- How secure their data is
Collecting customer data
The digital age of consent
With GDPR you need to be 100 percent clear about what information you’re taking, and how that data is going to be processed.
For example, on a contact form you might take a name, email address, and phone number with the intention of following that up with an email. You need to make it clear that this is what you’re going to do, and you’re not using the data for any other purpose. It doesn’t give you a license to add them to your mailing list as well.
Verifiable consent must be given, so make sure you add a tick box to your contact form if that’s what you also want to do with their data.
Consent must also be able to be withdrawn by the customer at any time.
Are you in or are you out?
You can no longer assume a customer has implied consent to your terms or has signed up for a monthly newsletter. If you are asking them to, you must ensure that any checkbox is unticked by default, not ticked. The user will have to choose to tick it. If they do that, it gives you their permission to store or process that data.
If you use MailChimp for your email newsletters, you can go a step further and set up your list with a double opt-in.
Don’t get greedy
If you’re asking for customers to send you general questions about your services through a contact form, that doesn’t give you the right to ask them if they identify as male or female, find out what their marital status is or ask for their mother’s maiden name.
GDPR prohibits you from doing this and requires that you only take the necessary data for that particular activity.
How you should process customer data
If a visitor signs up for a particular mailing list, for example a course on HTML, you can’t then add them to a sister course in Photoshop. You must ask for their consent before adding them to that list.
If the data is breached, then depending on the severity of that breach you have a legal obligation to report it (where identifiable data is involved) within 72 hours. For more information on reporting a data breach, take a trip over to the Information Commissioner’s Office website.
When you should delete these records
If a user has submitted their data, under the GDPR, they have a right to the erasure of their data. This means that if they request you to remove their data you must comply and this must include all references across all platforms and any backups.
Securing their data
When storing the data of an EU citizen, you must keep it private and limit any access to only those users within your organisation that require it.
You must also ensure that the database where this data is kept is secure. As the majority of you will be storing this information on a third-party server, you should ensure they are applying layers of protection to prevent any breaches. You must also ensure your passwords to any CMS are strong and do not get shared.
An additional layer of protection can come from using HTTPS, which sends data over an encrypted connection. So you could say that if your website has an SSL certificate you’re already on your way to GDPR compliance.
What if I can’t be bothered to comply?
Well, we can’t ‘force’ you to embrace GDPR, but we must inform you. If you don’t make sure you’re ready in time, you could be liable for some pretty hefty fines. We’re talking a maximum sanction for non-compliance with GDPR of €20,000,000 or up to 4% of your annual worldwide turnover, whichever is the greater. That’s some serious food for thought. So we’re not quite sure why you wouldn’t want to be compliant?
What are we doing about it?
We’ve already spent some time analysing what our own business requires. If you want to see what we’re doing about it, then you can read our Privacy and Data Protection Document. This will give you an idea of what you need to be covering and writing.
What do you need to do about it?
Read the above and get your house in order before May 25th. We can only offer advice; we don’t offer a service to write that statement for you.
In summary, GDPR states that if you are collecting, storing or use any data related to an EU citizen via your website, app or third party processor (such as a CRM system), then you must comply with the following:
- Tell the user: who you are, why you’re collecting their data, for how long, and who receives it
- Get clear consent before collecting any of their data
- Let users access their data, and take it with them
- Let users delete their data
- Let users know if data breaches occur
The European Commission has this infographic if you want to see it in action to get you underway.
Other tips to help make sure your site is GDPR compliant include:
- If you want a user to sign up for your newsletter make sure you use a double opt-in.
- If you want a user to sign up for your newsletter via a form use an opt-in checkbox
- Only send marketing emails to those who have given their permission, never assume
- Make sure when they have signed up you are storing a record of when and how. MailChimp does this as well as points 2 and 3, so it might be worth switching to them?
- Limit the number of people who can access users’ data and never share these logins with anyone outside this limit
- Hide the data behind passwords and encryption
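The opt-in, double opt-in, consent-record, withdrawal and erasure points above, as an added example that is not code from the article: a minimal consent ledger behind a contact form with an unticked newsletter checkbox. The field name newsletter_optin, the purpose labels and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed example, not the article's code: a small consent ledger behind a
# contact form that also offers an optional, unticked newsletter checkbox.
@dataclass
class Consent:
    purpose: str                        # "contact-reply" or "newsletter"
    given_at: datetime                  # when the user ticked the box
    source: str                         # how it was captured, e.g. "contact-form"
    confirmed_at: Optional[datetime] = None   # double opt-in link clicked
    withdrawn_at: Optional[datetime] = None
    def active(self) -> bool:
        if self.withdrawn_at is not None:
            return False
        # Newsletter consent only counts once the double opt-in is confirmed.
        return self.purpose != "newsletter" or self.confirmed_at is not None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[Consent]] = {}

    def submit_form(self, form: dict, now: datetime) -> List[Consent]:
        recs = self._records.setdefault(form["email"].strip().lower(), [])
        # Sending an enquiry is consent to a reply, nothing more (no list-adding).
        recs.append(Consent("contact-reply", now, "contact-form"))
        # Browsers omit an unticked checkbox, so a missing key means "no consent".
        if form.get("newsletter_optin") == "on":
            recs.append(Consent("newsletter", now, "contact-form"))
        return recs

    def confirm_newsletter(self, email: str, now: datetime) -> None:
        for c in self._records.get(email, []):
            if c.purpose == "newsletter" and c.confirmed_at is None:
                c.confirmed_at = now

    def may_use(self, email: str, purpose: str) -> bool:
        return any(c.purpose == purpose and c.active()
                   for c in self._records.get(email, []))

    def withdraw(self, email: str, purpose: str, now: datetime) -> None:
        for c in self._records.get(email, []):
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now

    def erase(self, email: str) -> bool:
        # Right to erasure: drop every record held for this person.
        return self._records.pop(email, None) is not None
```

The same record (purpose, time, source, confirmation, withdrawal) is what you would want to keep in your CRM or mailing-list tool so you can show when and how consent was given.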
On a personal level, GDPR seems way over the top – especially for smaller businesses – not to mention incredibly intimidating. Particularly with the huge fines that would put any small company out of business in an instant.
Underneath it, the GDPR is there to protect us and our data from getting into the wrong hands or abused. As a mostly unregulated space, the internet is at a tipping point where it does require some level of regulation. GDPR is in place to help with that. Let’s just hope governments don’t get (more) power crazy and introduce increasing limitations for us.
Take what you will from it all. GDPR is happening, so get on board.
In no way should this article be deemed professional legal advice. This article only acts as an overview of the basics of GDPR, and it will help you to start understanding how you can become GDPR compliant. And thanks to our friends at Applecado for some of this advice.