Getting ready for GDPR
While it's not the most pleasant exercise, preparing for the upcoming GDPR data law is not a task to ignore.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation that will bring big changes to the way businesses are allowed to use people's personal information. The regulation comes into force on 25 May 2018 and means you'll have to review all the ways in which you get, record and manage any personal data.
The way the GDPR will affect your business depends on how it works with information. This can be a complex picture and you’ll need to conduct a data audit to get to grips with your obligations. You might even want to get legal guidance to ensure your business complies with the new rules.
For detailed official information about getting your business ready for the GDPR, visit the Information Commissioner’s Office (ICO) website. This is also the place to register your organisation as a Data Controller, if this isn’t already done.
What GDPR could mean for your business
It's legally binding
There’s a risk of being fined (you might want to sit down for this…) up to 20 million Euros or 4% of annual turnover (whichever is higher) for not complying. These sobering figures are in place to deter big business from abusing private data. But all the same, every business should be giving the GDPR some serious thought.
It covers the whole life cycle of personal data
The GDPR affects every stage of processing personal information: how it is obtained, stored, edited, protected, shared and deleted. It will mean stricter controls on how organisations throughout the EU do these things (although it will continue to apply in the UK even after we leave the EU).
The GDPR needs a business-wide approach
Conforming to the regulation can’t be achieved with a simple technical fix. It encompasses technology, processes and communication. You’ll need to review the way your business handles private information as a whole entity. Plus, all staff will need to be aware of their responsibilities relating to private data.
It's all about open, honest usage of personal data
And that’s a good thing for all ethically-minded businesses (even if achieving it is a bit of a headache). The GDPR requires that you only request and hold private information for a specifically stated purpose, and with the explicit consent of its owners. Plus, anyone has the right to know what information you hold about them at any time and to have their data updated or deleted if they request it.
Good security is essential
GDPR places a greater responsibility on your business to protect the personal information you hold. If there is a data breach, your business could be held responsible for any resulting damage. Plus, you’re required to report data breaches within 72 hours. So getting the right security and monitoring in place for data in both digital and physical forms is more vital than ever before.
You'll need to get on top of your information systems
You’re advised to carry out a thorough audit of your current data systems, management and protection measures. This includes making sure all personal data you currently hold meets GDPR rules. And it means ensuring that procedures to gather new personal data are compliant too. Plus, you need to maintain documentation to prove it if investigated. The ICO provides a useful data protection self-assessment resource here.
A website and digital marketing GDPR checklist
1. Does your website use contact forms?
If so, you’ll need to be clear about why you’re collecting people’s personal data. An opt-in tick box is advisable to get visitors’ permission before they submit their details. Once you hold personal data, you need to protect it. That means knowing where information is stored and having a system in place to allow users to view or update it on request. People also have the right to be ‘forgotten’ – deleted completely from your records.
2. Do your website users register or sign up for services?
Again, anyone submitting personal information to your website will need to know exactly how their data will be used. Plus you’ll need to keep their information safe and have a procedure to allow users to access, update or erase their records.
3. Do you use a live web chat facility?
If you use a live chat system on your website, this needs to be GDPR compliant too. Make sure any third-party service you use for this follows the new rules. If you use Facebook Messenger or any other social media for exchanging private data, it’s best to ensure all conversations are deleted once you’ve stored the information you need in the right place.
4. Is your website secure enough?
The GDPR regulations put a responsibility on organisations to protect any personal data they hold. This makes maintaining a secure online presence more important than ever before. You’re advised to check that your web hosting offers good security, keep WordPress websites updated to the latest version, and use strong passwords. If you suffer a data breach, you need to notify affected users within 72 hours.
5. Does your website use SSL encryption?
An SSL certificate is indicated by your web address starting with ‘https://’ instead of ‘http://’. It encrypts the connection between a visitor’s browser and your web server, so form submissions and logins can’t be read in transit. SSL has commonly been recommended for online businesses that handle online transactions. But it’s becoming the standard for all websites and helps you meet your commitment to GDPR standards (although it’s still not essential). Plus, SSL is increasingly likely to bring search engine ranking benefits – so it’s well worth considering upgrading to SSL.
7. Do you use email marketing?
The practice of sending marketing messages by email is already regulated – but the GDPR brings stronger measures to protect individuals’ data. You’ll now need to get explicit permission to send marketing messages. People should know exactly what you intend to use their details for. Using pre-checked boxes that simply assume permission is a no-no. And you must offer a clear way for email subscribers to view and update their information freely, and to opt out and have their details erased if requested. If you use a reputable third-party email service such as MailChimp, there will be robust measures in place to store individuals’ data securely, keep a record of when consent was granted, and provide an opt-out option in every mailing. But your business is responsible for ensuring the contacts you add to the mailing list yourself have granted permission. Plus, it’s advisable to review your current mailing list to ensure GDPR compliance (you might even want to ask existing subscribers to actively opt in – particularly if consent wasn’t given in the past).
8. Are your regular emails GDPR compliant?
Your day-to-day emails are another area affected by GDPR. It’s important to have the right security measures in place – effective anti-virus software and encryption. But you’re also advised to create a good data protection system. This might include extracting personal data to store in your regular secure place for this kind of information, then deleting the email. It’s also good practice to archive or delete all emails on the go to avoid stockpiling and losing control of personal data.
9. Do you have a procedure in place for personal data requests?
Under the GDPR, anyone has the right to request to know what personal information your business holds about them. You’ll need a well-managed system for organising this data and a way to deal with enquiries. You might wish to make a Data Subject Access Request form available through your website.
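As an added example (not code from this article or from Matrix), the following Python sketch shows the server-side behaviour items 1, 2, 7 and 9 ask for: treat an unticked opt-in box as no consent, store who consented to what and when, answer a subject access request, and erase a person on request. The form field names (`email`, `consent`) and the in-memory store are assumptions for illustration.

```python
"""Minimal consent ledger behind a website contact/sign-up form (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    email: str
    purpose: str      # the specific, stated reason the data was requested
    granted_at: str   # ISO-8601 UTC timestamp of when consent was given
    source: str       # which form or page captured it (assumed label)


class ConsentLedger:
    def __init__(self):
        # email -> list of ConsentRecord; a real site would use a database
        self._records = {}

    def record_from_form(self, form: dict, purpose: str, source: str) -> bool:
        """Store a record only if the visitor actively ticked the opt-in box."""
        # Browsers omit an unticked checkbox from the submitted form entirely.
        # Defaulting a missing field to 'yes' would be the assumed permission
        # the article warns against, so absence is treated as no consent.
        if form.get("consent") != "on":
            return False
        email = form.get("email", "").strip().lower()
        if not email:
            return False
        rec = ConsentRecord(email, purpose,
                            datetime.now(timezone.utc).isoformat(), source)
        self._records.setdefault(email, []).append(rec)
        return True

    def subject_access(self, email: str) -> list:
        """Everything held about a person, for a Data Subject Access Request."""
        return [vars(r) for r in self._records.get(email.lower(), [])]

    def erase(self, email: str) -> bool:
        """Right to be forgotten: drop every record; True if anything existed."""
        return self._records.pop(email.lower(), None) is not None
```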
If you'd like Matrix to help with any of these areas of GDPR compliance, get in touch with us. We'll be happy to quote for the changes we can make – and to point you in the right direction for anything else you need.
Disclaimer: This article offers general advice about GDPR and guidance on where to find further information about making your organisation compliant. It should not be taken as legal advice.