Do you need to change the way you request, store or use data to be compliant?
GDPR (the General Data Protection Regulation) comes into force in May, and as the deadline approaches, ensuring that your website is GDPR compliant is critical to your business, because the consequences of non-compliance after 25th May 2018 are colossal!
In GDPR terms, colossal means a fine of up to the greater of €20 million or 4% of your annual turnover.
So, now we’re agreed that GDPR compliance is one of our highest priorities for the first quarter of 2018, here’s what you need to know.
If your website isn’t yet running on HTTPS, why not? Beyond the many reasons your website SHOULD have an SSL certificate enabled (here’s a small selection), user security is one that cannot be ignored after the GDPR deadline. Put simply, if your website doesn’t have a properly installed SSL certificate covering the whole site, your users’ browsing activity can be intercepted, especially over public wifi connections. Add to that login details, personal information and payment data: all of it is being sent over an unencrypted connection, which raises the chances of a data breach, and with it the chances of that multi-million pound fine.
You must now request explicit consent from every single person whose data you collect before you store or use it. Ask yourself these questions:
When you receive a contact form submission, is it stored?
You need to make that clear before the ‘submit’ button.
Will you save the information to use later in order to follow up as a potential sales lead?
The storage and use of this data requires explicit consent.
You must provide a method for all users to access any data you’ve collected on them, and that must be clear to anybody sending information to you. As above, communicating this before you receive the data is key: presenting this information, and obtaining clear acceptance of it, before your ‘submit’ button will be mandatory.
- Forget about it!
Every user who sends information and provides explicit consent must also have the ability to withdraw that consent, easily and quickly. When they withdraw consent, you’re obliged to delete all of their data.
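The three obligations above (explicit consent before storage, a way for the subject to see what you hold, and deletion when consent is withdrawn) are easiest to get right if the form handler enforces them rather than leaving them to a privacy page. The following is an added example, not code from this article: a minimal in-memory contact-form store (the `ContactStore` class, the `CONSENT_TEXT` wording and the `Submission` record are all assumptions for illustration, and a real site would back this with a database). It refuses any submission whose consent checkbox is not ticked, records exactly what the user agreed to and when, answers an access request with everything held, and treats withdrawal of consent as deletion of the whole record.

```python
"""Consent-gated contact form store (added example; hypothetical names).

Browsers omit an unticked checkbox from the POST body entirely, so the
handler must treat a missing "consent" key as "no consent" rather than
defaulting it. A checkbox with no value attribute submits "on".
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Wording shown next to the checkbox, before the submit button. It is stored
# with each record so you can later show what the person actually agreed to.
CONSENT_TEXT = (
    "We will store your message and contact details and may use them to "
    "follow up your enquiry. You can ask to see or delete this data at any time."
)

# Values a ticked checkbox may submit (browser default "on", or an explicit value).
CONSENT_TICKED = ("on", "yes", "true")


class ConsentRequired(Exception):
    """Raised when a submission arrives without the consent box ticked."""


@dataclass
class Submission:
    email: str
    message: str
    consent_given_at: datetime
    consent_text: str  # the exact wording the user accepted
    source: str = "contact-form"


def _key(email: str) -> str:
    # Normalise so access and erasure requests match the stored record.
    return email.strip().lower()


class ContactStore:
    def __init__(self) -> None:
        self._records: Dict[str, Submission] = {}

    def submit(self, form: dict) -> Submission:
        """Store a contact form submission only if explicit consent was given."""
        if form.get("consent") not in CONSENT_TICKED:
            raise ConsentRequired("submission refused: consent checkbox not ticked")
        rec = Submission(
            email=_key(form["email"]),
            message=form["message"],
            consent_given_at=datetime.now(timezone.utc),
            consent_text=CONSENT_TEXT,
        )
        self._records[rec.email] = rec
        return rec

    def access_request(self, email: str) -> Optional[dict]:
        """Right of access: return everything held about the subject, or None."""
        rec = self._records.get(_key(email))
        if rec is None:
            return None
        return {
            "email": rec.email,
            "message": rec.message,
            "consent_given_at": rec.consent_given_at.isoformat(),
            "consent_text": rec.consent_text,
            "source": rec.source,
        }

    def withdraw_consent(self, email: str) -> bool:
        """Withdrawing consent deletes the whole record; True if anything was held."""
        return self._records.pop(_key(email), None) is not None


if __name__ == "__main__":
    store = ContactStore()
    try:
        store.submit({"email": "a@example.com", "message": "hello"})  # no checkbox
    except ConsentRequired as exc:
        print(exc)
    store.submit({"email": "A@Example.com", "message": "hello", "consent": "on"})
    print(store.access_request("a@example.com"))
    print(store.withdraw_consent("a@example.com"), store.access_request("a@example.com"))
```

The design choice worth copying is that consent is a property of the stored record, not of the form: the timestamp and the wording travel with the data, so an access request can show the subject exactly what they agreed to, and erasure removes the consent evidence together with the personal data rather than leaving an orphaned log behind.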
- Third parties
If a third party handles all of your customer data, don’t rest assured that they’re doing it all for you: you still need to consider how you’re using the data, and you need to read and understand how much responsibility they’re willing to take on your behalf. MailChimp, for example, are working on it, and here’s what they have to say: GDPR & MailChimp.
In summary, in addition to the many changes you might be looking at making to your offline business to be GDPR compliant, you may need to make some to your online business too, namely:
- Install an SSL certificate if you haven’t already
- Conduct an audit of how you process data collected
- Ensure any data collection is preceded by a checkbox that obtains consent
- Give a clear explanation of your data collection practices (how you store and use the data)
- Simple instructions for a subject to access any information you hold
- Simple instructions for a subject to request their data is ‘forgotten’
- Transparency on any third parties involved in the processing of their data