General Data Protection Regulation

General Data Protection Regulation (GDPR) Website Compliance

Tuesday, 13 March 2018

On April 14, 2018 the EU finally approved the General Data Protection Regulation (GDPR), with the aim of strengthening and amalgamating data protection for all EU citizens.  The new regulation replaces the data protection directive from 1995.  The enforcement date has been set for the 25th May 2018.

What is ‘Personal Data’?

The European Union defines it as any information relating to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person.  This can be anything from a photo of the subject, a phone number or an IP address they have been using, to their genetic makeup.

GDPR requirements in a nutshell

The GDPR has created new rules that aim to protect the personal data of EU citizens, by ensuring that data is protected and by regulating the export of this data to countries outside of the EU.  All companies within the EU will be affected by the GDPR unless they hold absolutely no records of customers, debtors or suppliers, which means it covers basically every business.

In layman's terms, all businesses that keep records of personal data need to show that they were given consent to keep it, and be able to demonstrate that this information is properly protected, what it is intended to be used for and where it will end up.  If your website collects this information, then you may need to act.

Companies need to be able to show compliance by May 25th 2018.  Companies that breach the GDPR can be fined 4% of their annual turnover or twenty million Euros, whichever is greater.

Key Subject Rights

  • Breach notifications within 72 hours of becoming aware
  • Right to access all information that is being held and what it is being used for
  • Right to be forgotten, subject can have all their personal information erased
  • Data portability, the right to have all data provided concerning them
  • Privacy by design, implement appropriate measures to protect data
  • Data Protection Officer (DPO), some businesses may need to appoint one

For more information regarding GDPR subject rights and a summary of the changes, visit the EU website using the following URL https://www.eugdpr.org/key-changes.html

Is your website compliant with GDPR requirements?

All companies that collect data on citizens within the European Union need to comply with the GDPR.  But how will this affect your website?  Below is a list of just a few of the changes you will need to make.

  • Users of your website need to fully understand how you will be using their data and provide their consent for what you are planning to do with it.  Using ID Studio Web Agency as an example, if you complete a contact form requesting information about Social Media, we cannot contact you about building a website or other unrelated subjects.  In addition, if you request contact by email only, we must adhere to this request.
  • You also need to seek specific permission for each purpose, such as passing data on to third parties, contacting by phone etc.
  • If you are selling products online through a third party but still keeping personal information, the GDPR stipulates that you need to delete this information after a reasonable amount of time.  No exact time limit is provided, however, so you will need to justify what is reasonable.
  • If you are sharing data online through your website, then you may need to get consent from the other party.
  • Data that is submitted to your website must be encrypted and secured against potential hacking or leaks.
  • An SSL certificate should be added to your website; this will also have additional SEO benefits.
  • Tracking software: has the user given their consent?  This will be an interesting area of debate, and when more is known we will write a new blog post.
  • Access to your CMS should be restricted to only the staff members that need it.

What does Brexit mean for the UK and GDPR?

This really depends on how your business operates and what the UK government intends to do post-Brexit.  If your business only operates in the UK, then the new regulations will probably have little relevance to your business (unless the UK adopts the regulations, which it has indicated it intends to do, replacing the Data Protection Act 1998).  If your business deals with the EU, then regardless of what happens post-Brexit, you will need to comply with the GDPR, and this includes your website.

Still unsure?

If you are still unsure how this will affect your business, there is a FAQ section on the European Union website that might answer your question: https://www.eugdpr.org/gdpr-faqs.html

If you would like more information on how this will directly affect your website, please contact Michael on 020 8948 5808 for an informal chat.
