Time is ticking away…before you know it GDPR will burst into life and begin to be enforced. It’s vital that every aspect of your organisation is compliant by May 25th 2018, or you’ll be at risk of receiving heavy fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
We understand how overwhelming GDPR can make you feel, so allow us to help. Over the next couple of months we’re going to break down several parts of the brand new regulation (GDPR is a Regulation that applies directly in every EU member state, unlike the 1995 Directive it replaces) and make it crystal clear. So grab a cuppa, get comfortable and get reading.
In this post we’re going to focus on what your website needs to have, in order to be GDPR compliant. To make it even easier, we’ve broken it down into 5 bitesize chunks.
1. Consent to obtain data.
This is a nice and simple one to start with, and it has an even simpler fix. If you rely on consent to collect or use personal data (for example, to send marketing emails), that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. And no, that doesn’t mean you can be sneaky and use an opt-out or pre-ticked checkbox, you sly fox. The user must opt-in, of their own accord, and it must be just as easy for them to withdraw consent later. You also have to be able to prove they consented, so record when they ticked the box and what wording they saw. Bear in mind that consent is only one of the lawful bases under GDPR: you don’t need a consent checkbox to process an order a customer has placed, but you do for the newsletter you’d like to send them afterwards. In the 2 examples below you can see great ways to comply with the GDPR, as well as how not to comply. Fingers crossed Boohoo get their forms organised before May!
Not all personal data is treated the same. Personal data covers anything that identifies a living person, such as a name, email address or location. GDPR then singles out “special category” data, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation, which needs explicit consent or another specific condition before you can process it at all.
Our suggestion would be to only collect the data you need (GDPR calls this data minimisation). Do not ask for a user’s religious beliefs if you’re not going to use it. You’ll only be making your own life harder.
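As an added example (this is not code from the original post or the agency’s site), here is how the server side of an opt-in form should treat that checkbox: an unticked box is simply absent from the submission, so absence means no consent; the account is still created without it, because marketing consent can’t be a condition of signing up; and when consent is given, a record is kept of when, from where, and against which wording. The field names, the consent wording and the hashed-wording scheme are assumptions for illustration.

```python
"""Added example: server-side handling of an opt-in consent checkbox.
Field names, wording and record format are hypothetical."""
import hashlib
from datetime import datetime, timezone

# The exact text shown beside the checkbox. Storing a hash of it with each
# consent record lets you prove later what the person agreed to, even after
# the copy on the page has been edited.
CONSENT_TEXT_V1 = ("Yes, email me offers from Example Ltd. "
                   "You can unsubscribe at any time.")
CONSENT_VALUE = "yes"  # the only value that counts as a tick


class ConsentRequired(ValueError):
    """Raised when something that needs consent is attempted without it."""


def render_consent_checkbox():
    """The checkbox as it should be rendered: never pre-ticked, never opt-out."""
    return (f'<label><input type="checkbox" name="marketing_consent" '
            f'value="{CONSENT_VALUE}"> {CONSENT_TEXT_V1}</label>')


def consent_given(form):
    """True only if the user actively ticked the box.

    Browsers omit an unticked checkbox from the submission entirely, so a
    missing field is a clear 'no'. Comparing against the exact rendered value
    also rejects a tampered or default value such as 'on' or 'true'."""
    return form.get("marketing_consent") == CONSENT_VALUE


def record_consent(email, form, source_ip, now=None):
    """Build the evidence record GDPR expects you to be able to produce."""
    if not consent_given(form):
        raise ConsentRequired("marketing_consent must be explicitly ticked")
    now = now or datetime.now(timezone.utc)
    return {
        "email": email,
        "purpose": "marketing_email",
        "consent_text_version": "v1",
        "consent_text_sha256": hashlib.sha256(CONSENT_TEXT_V1.encode()).hexdigest(),
        "given_at": now.isoformat(),
        "source_ip": source_ip,
        "withdrawn_at": None,
    }


def withdraw_consent(record, now=None):
    """Withdrawal must be as easy as giving consent: one call, no questions asked."""
    record["withdrawn_at"] = (now or datetime.now(timezone.utc)).isoformat()
    return record


def signup(form, source_ip):
    """Create the account regardless; attach a consent record only if given.

    Returns (account, consent_record_or_None)."""
    email = form.get("email", "").strip()
    if not email:
        raise ValueError("email is required")
    account = {"email": email}
    consent = record_consent(email, form, source_ip) if consent_given(form) else None
    return account, consent


if __name__ == "__main__":
    # Constructed submissions: one with the box left alone, one ticked.
    print(signup({"email": "jo@example.org"}, "203.0.113.5"))
    print(signup({"email": "jo@example.org", "marketing_consent": "yes"}, "203.0.113.5"))
```

The important habits here are that nothing is inferred from silence, the account still gets created when the box is left empty, and every “yes” is stored with enough context to answer “when did I agree to this?” months later.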
2. Access and rectification of data.
Under GDPR, every person has the right to request a copy of the personal data you hold on them (a “subject access request”). Furthermore, they also have the right to have that data corrected if it is incorrect or out of date. Which, when you think about it, isn’t a terrible thing to have to comply with. Who wouldn’t want to have up-to-date and correct data on all of their customers?
Don’t start thinking you can charge the old £10 admin fee for this either; under GDPR requests are free, and you can only charge a reasonable fee (or refuse) where a request is manifestly unfounded or excessive, such as endless repeats. You must respond within one month. This makes it vital to store any personal data somewhere that’s easily accessible, can be exported in a readable format and can be edited. One word of caution: a subject access request is a favourite trick for prising someone else’s data out of a business, so verify the requester’s identity before you hand anything over, and send it to the contact details you already hold rather than ones supplied in the request.
3. Portability of data
Under GDPR, individuals have the right to data portability. This applies to data they gave you themselves, where you process it by automated means on the basis of consent or a contract, and it means they can ask for that data back to take elsewhere. You must then provide the data in a structured, commonly used and ‘machine readable’ format. In layman’s terms, that means something like a .CSV, JSON or XML file that another system can import, not a PDF or a screenshot. Much like the rectification of data, you cannot charge for this and you must respond without undue delay, and within one month (extendable by a further two months if a request is genuinely complex, as long as you tell the person within the first month).
4. Removal/erasure of data
This one is exactly as it sounds, which makes it super simple. It’s ultimately the right to be forgotten (the right to erasure). Any user can request that any, or all of, the personal data you hold on them is removed. Remember that “hold” covers more than the live database: backups, logs, analytics, and the copies sitting with third-party processors such as your email marketing provider all need dealing with. There are some exceptions when it comes to the right to be forgotten, for example where you’re legally required to keep records, so maybe take a peek at the official ICO guide to GDPR.
5. Security
Last but not least we have the most important aspect of all, security. GDPR (Article 32) requires you to put in place appropriate technical and organisational measures so that personal data is protected against unauthorised access, accidental loss, destruction or damage; it names encryption and the ability to restore data after an incident as examples. It also expects you to report a breach that puts people at risk to the ICO within 72 hours of becoming aware of it, which is a good reason to know where your data is before anything goes wrong. We’ve spoken in the past about the importance of having a secure password, so it’s time to put that into practice: that means strong, unique passwords for your CMS, hosting and email admin accounts, and storing your customers’ passwords only as salted hashes, never in plain text.
First and foremost you need to be making sure your website has an SSL certificate (what you get today is strictly a TLS certificate, but everyone still calls it SSL). GDPR doesn’t name HTTPS, but encryption is its first example of an appropriate measure, so sending sign-up forms, logins and checkouts over plain HTTP is very hard to justify, and you’re showing potential website users you’re not protecting their data. Browsers now flag pages that collect data over plain HTTP as “Not secure” in the address bar, and websites without an SSL certificate can see reductions in traffic of up to 23%.
What is an SSL connection?
An SSL (TLS) connection encrypts the traffic between a visitor’s browser and your server, so anything they type into a form, their login cookies and the pages they read can’t be read or tampered with on the way. You can find out whether you have one by typing your website into the address bar of any internet browser. If it goes to a page starting https:// with no padlock warning, you’re most of the way there; if not you’ll need to get one purchased. Do check a bit further than the home page, though: the http:// address should redirect to https://, every page with a form should be served over https, and the certificate must match your domain and not be expired, or browsers will throw up a warning that scares visitors off faster than no certificate at all. We’re able to provide SSL certificates for only £60+VAT a year. Which is a tiny amount compared to the potential fines that come with the GDPR.
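As an added example (not code from the original post or the agency), here is the slightly deeper version of the “look for https://” check that a practitioner would actually run: does plain http:// redirect to https://, does the TLS certificate verify and how long until it expires, and does the site send the Strict-Transport-Security header so returning visitors never start on HTTP. The two fetch functions need network access to a real site; evaluate() works on captured responses, so the host name, headers, certificate date and clock value used below are constructed for illustration.

```python
"""Added example: an HTTPS audit beyond 'the address bar says https://'.
Host names, headers and dates in the constants below are constructed."""
import http.client
import ssl
import time

REDIRECT_CODES = (301, 302, 307, 308)
EXPIRY_WARN_DAYS = 30

# Constructed sample data so evaluate() can be exercised offline.
SAMPLE_CERT = {"notAfter": "Jun 12 12:00:00 2018 GMT"}  # format ssl.getpeercert() uses
SAMPLE_NOW = 1526774400.0  # 2018-05-20 00:00:00 UTC, 23.5 days before SAMPLE_CERT expires


def fetch_http(hostname, timeout=10):
    """GET http://hostname/ without following redirects; return (status, headers)."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def fetch_https(hostname, timeout=10):
    """GET https://hostname/ with full verification; return (status, headers, cert).

    create_default_context() checks the chain against the system CA store and
    the hostname against the certificate; a failure raises ssl.SSLError, which
    is exactly the warning a visitor's browser would show."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(hostname, 443, timeout=timeout, context=ctx)
    try:
        conn.connect()
        cert = conn.sock.getpeercert()  # parsed leaf certificate as a dict
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, cert
    finally:
        conn.close()


def days_until_expiry(cert, now=None):
    """Days until the certificate's notAfter; negative once it has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def evaluate(hostname, http_status, http_headers, https_status, https_headers, cert, now=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    location = http_headers.get("location", "")
    if http_status not in REDIRECT_CODES or not location.startswith("https://" + hostname):
        findings.append(f"http://{hostname}/ does not redirect to https://{hostname}/ "
                        f"(status {http_status})")
    if https_status >= 400:
        findings.append(f"https://{hostname}/ returned {https_status}")
    hsts = https_headers.get("strict-transport-security", "")
    if "max-age" not in hsts:
        findings.append("no Strict-Transport-Security header: returning visitors "
                        "still start on plain HTTP")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {int(days)} days")
    return findings


def audit(hostname):
    """Run both fetches against a live host and evaluate the results."""
    http_status, http_headers = fetch_http(hostname)
    https_status, https_headers, cert = fetch_https(hostname)
    return evaluate(hostname, http_status, http_headers, https_status, https_headers, cert)


if __name__ == "__main__":
    import sys
    for line in audit(sys.argv[1]) or ["all checks passed"]:
        print(line)
```

Run it as `python audit.py www.yoursite.co.uk`. Anything it prints is something a visitor’s browser will complain about, or a gap that lets a visitor be served the unencrypted version of your site; a certificate that verifies but expires in a fortnight is the classic one to catch before the bank holiday weekend.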
I hope you have found this useful, and it helps you start to understand what’s required in order for your business to comply with GDPR. If you want us to explain anything in more detail email us on firstname.lastname@example.org, or give us a call on 01472 878496.