The General Data Protection Regulation – GDPR – the skeleton that has been not so much lurking in the cupboard as positively screeching to be let out is upon us. In less than a month, the way businesses, public bodies and third sector organisations handle personal data will change. If you’ve already taken a responsible attitude to your data protection responsibilities, the new regime shouldn’t be too much to take on board.
Making sure your website meets your data protection responsibilities!
It’s about making sure that personal information that you hold about individuals is protected, whether you are a data ‘controller’ or a data ‘processor’. But even if you’re on top of your game under the existing data protection regime, it’s worth taking time to check that your website is ready for the change on 25th May 2018.
There’s loads of material out there on the web with general information about GDPR. The Office of the Information Commissioner is a good place to start (they’re in charge of it all after all) and the Federation of Small Businesses has a lot of great resources to get you started if you’re playing catch up.
As part of the service we’re offering our clients, we’ve made it our business to understand the full extent of the GDPR and how the new data protection responsibilities extend to websites and website owners, and we’ve come up with a list of 10 key points for websites.
Audit your existing processes, procedures and structures
Sounds like a lot to do… essentially you need to understand how personal information is being collected, used, stored and protected online.
Check what you’re already doing against the new data protection responsibilities
You may be pleasantly surprised at how much you’re already doing. On the other hand, you may find that you’re falling short of the mark. Whichever category you fall into (or somewhere between the two), now is not the time to stick your fingers in your ears and play the ‘I’m not listening’ game. GDPR is happening, and you need to be ready.
Make sure your approach to consent reflects your new data protection responsibilities
GDPR has changed how business needs to approach ‘consent’ when it comes to collection, use and storage of personal information. Whenever you collect information – for example a mailing list sign-up – consent has to be clear.
Demonstrate an ‘active approach’ to consent
No pre-ticked boxes, no ‘this is the default’ approach – you’ve got to be able to show that people are explicitly consenting to the data you’re keeping about them. This could mean separating your ‘consent’ clauses away from any other Ts&Cs you get people to sign up to; it could mean separating out different activities so that the individual knows exactly what they are consenting to.
Remember that ‘consent’ isn’t always necessary
It’s important to remember that in lots of cases, consent won’t be necessary – for example if you’ve been sent their information via your website to prepare a quote, or you need to store and process personal information to fulfil a contractual obligation with them. But GDPR does mean that if you want to use the personal information for anything else – adding them to the mailing list, for example – you will need consent.
You still need to look after the information you have received in a way that complies with GDPR, which brings us onto…
Take a good look at your information storage and security
This is a big one. Hardly a month goes by without hearing of another organisation that has been targeted with the theft of millions of pieces of personal information. The implications are significant – for the individuals involved and for the business. Don’t put your business & your customers at the same risk.
Data protection responsibilities involve a complex interweaving of software and hardware solutions to security
Your firewall and internet gateway, malware protection, patch management and software updates are all pieces in this jigsaw of protecting personal information. It’s not something to gloss over and just hope it will all be OK. Get policies in place to make sure you’re up to date. Have contingency plans and disaster recovery plans. Back up regularly. Consider the physical security of your hardware too – where are your servers kept? Is information ever stored on data sticks? Do you keep track of devices such as employee smart phones, tablets and laptops that may be taken out of the office? Does network access pose a risk?
Don’t forget that your staff and subcontractors have a role to play too
A common-sense approach to password management and to business property, such as those laptops we mentioned, by all staff is essential. The last thing you want is someone leaving a device on the train or scribbling their password on a post-it note that goes out in a bin and gets picked up.
Timetable regular reviews of the information you hold
Over time, the way you want to use customer information may change. Under GDPR, you will need to check that your consents allow you to do this – if necessary you may need to ask for new consent.
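To show what ‘active consent’ and a consent review look like in practice, here is an added example (not code from the original post or from the agency): a sign-up handler that records only the boxes a visitor actually ticked, one purpose at a time, and a check that a later use is still covered by the wording they agreed to. The purposes, form field names and consent text versions are assumptions constructed for the example.

```python
"""Added example (not part of the original post): recording explicit,
per-purpose consent and checking whether a later use is still covered.

All names and purposes are hypothetical and constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Purposes a visitor can opt into, each with a version and the exact wording
# shown to them. Keeping the wording lets you show later what they agreed to.
CONSENT_TEXT = {
    "newsletter": ("v2", "Send me the monthly newsletter by email."),
    "partner_offers": ("v1", "Share my email with selected partners."),
}


class ConsentError(ValueError):
    """Raised when a submission cannot be treated as explicit consent."""


@dataclass
class ConsentRecord:
    email: str
    # purpose -> (version of the wording agreed to, when it was granted)
    purposes: dict = field(default_factory=dict)


def record_consent(form: dict, now: Optional[datetime] = None) -> ConsentRecord:
    """Build a consent record from a submitted sign-up form.

    Only purposes the visitor explicitly ticked ("on") are recorded; an absent
    or unticked box means no consent for that purpose. The handler refuses any
    consent field carrying some other value (for example a hidden input pre-set
    to "true"), because that would be a default rather than an active choice.
    """
    now = now or datetime.now(timezone.utc)
    email = form.get("email", "").strip()
    if not email:
        raise ConsentError("email missing")
    record = ConsentRecord(email=email)
    for purpose, (version, _text) in CONSENT_TEXT.items():
        value = form.get(f"consent_{purpose}")
        if value is None:
            continue  # box left unticked: no consent for this purpose
        if value != "on":
            raise ConsentError(f"unexpected consent value for {purpose}: {value!r}")
        record.purposes[purpose] = (version, now)
    return record


def consent_covers(record: ConsentRecord, purpose: str) -> bool:
    """True only if the subject consented to this purpose under the current wording.

    If the wording has been revised since they ticked the box, the old consent
    no longer covers the new use and fresh consent must be sought.
    """
    current_version, _ = CONSENT_TEXT.get(purpose, (None, None))
    held = record.purposes.get(purpose)
    return held is not None and held[0] == current_version


if __name__ == "__main__":
    # Constructed submission: newsletter ticked, partner offers left unticked.
    submitted = {"email": "jo@example.com", "consent_newsletter": "on"}
    rec = record_consent(submitted)
    print(rec)
    print("newsletter covered:", consent_covers(rec, "newsletter"))
    print("partner offers covered:", consent_covers(rec, "partner_offers"))
```

The point of the version tag is the review step in the text: when you change what you want to do with a mailing list, bump the version of that purpose’s wording and `consent_covers` will report that everyone who agreed to the old wording needs to be asked again.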
Individuals have clearer rights to have data amended and to be erased
You have a month to respond to a request to have inaccurate information amended, or for information to be deleted. Making sure your systems are easy to access and update is vital, and you should check that the amending or erasing is complete: if your database doesn’t update all your records, you may find that you are still storing inaccurate data, or data that the individual wanted you to get rid of.
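The ‘did the erasure actually reach every record?’ problem above is easy to get wrong when personal data is spread over several tables. The following is an added example, not code from the original post or the agency: it keeps an explicit register of the tables and columns that hold a person’s email, erases a subject from all of them in one transaction, verifies that nothing is left, and includes an audit helper that flags email-looking columns the register has missed. The schema, table names and rows are constructed for the example.

```python
"""Added example (not part of the original post): erasing one person's data
from every table that holds it, then verifying nothing was left behind.

The schema and rows are constructed for the example; table names are hypothetical.
"""
import sqlite3

# Every table that stores personal data keyed by email address. Forgetting one
# of these is exactly how "deleted" data lingers in a database.
PERSONAL_DATA_TABLES = {
    "customers": "email",
    "mailing_list": "email",
    "quote_requests": "contact_email",
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows.

    Note that support_tickets also stores an email but is deliberately missing
    from PERSONAL_DATA_TABLES, to show how the audit helper catches the gap.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (email TEXT, name TEXT);
        CREATE TABLE mailing_list (email TEXT, subscribed INTEGER);
        CREATE TABLE quote_requests (contact_email TEXT, details TEXT);
        CREATE TABLE support_tickets (reporter_email TEXT, summary TEXT);
        INSERT INTO customers VALUES ('jo@example.com', 'Jo Bloggs');
        INSERT INTO customers VALUES ('sam@example.com', 'Sam Smith');
        INSERT INTO mailing_list VALUES ('jo@example.com', 1);
        INSERT INTO quote_requests VALUES ('jo@example.com', 'new website');
        INSERT INTO quote_requests VALUES ('sam@example.com', 'hosting');
        INSERT INTO support_tickets VALUES ('jo@example.com', 'login problem');
    """)
    return conn


def remaining_references(conn: sqlite3.Connection, email: str) -> dict:
    """Count rows still referring to the subject, per registered table."""
    counts = {}
    for table, column in PERSONAL_DATA_TABLES.items():
        # Table and column names come from our own fixed register, never from
        # user input; the email value itself is passed as a bound parameter.
        row = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE {column} = ?", (email,)
        ).fetchone()
        counts[table] = row[0]
    return counts


def erase_subject(conn: sqlite3.Connection, email: str) -> dict:
    """Delete the subject from every registered table in one transaction and
    return the per-table counts of what remains (all zero on success)."""
    with conn:  # commits on success, rolls back if any DELETE fails
        for table, column in PERSONAL_DATA_TABLES.items():
            conn.execute(f"DELETE FROM {table} WHERE {column} = ?", (email,))
    leftover = remaining_references(conn, email)
    if any(leftover.values()):
        raise RuntimeError(f"erasure incomplete: {leftover}")
    return leftover


def unregistered_email_columns(conn: sqlite3.Connection) -> list:
    """Audit helper: list (table, column) pairs whose column name suggests an
    email address but which are not in the register, so erasure would miss them."""
    found = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in conn.execute(f"PRAGMA table_info({table})"):
            name = col[1]  # table_info rows: (cid, name, type, notnull, dflt, pk)
            if "email" in name.lower() and PERSONAL_DATA_TABLES.get(table) != name:
                found.append((table, name))
    return found


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", remaining_references(db, "jo@example.com"))
    print("after: ", erase_subject(db, "jo@example.com"))
    print("tables the register has missed:", unregistered_email_columns(db))
```

Run stand-alone, the erasure reports zero rows left in every registered table, yet the audit helper points out `support_tickets.reporter_email`, which still holds the subject’s data. That is the situation the text warns about: the erasure looks complete from the application’s point of view while a forgotten table keeps a copy, so run the audit whenever the schema changes and add new tables to the register.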
Make sure you’re working with sub-contractors who understand your data protection responsibilities
Many organisations are working with third party experts in data protection and the steps that are needed to make sure they comply with GDPR. It makes sense to work with someone who knows what they’re doing. A specialist who understands the issues can take an objective look at what your business is doing well, and where it needs to update processes and procedures. Ultimately though, it remains your responsibility to comply with GDPR so make sure you’re working with an organisation that knows what it’s doing.
It may seem like you’ve got a lot to think about, but don’t panic! We’re routinely contacting all our website clients to offer website support. If you’d like us to help your organisation out, and make sure your website is GDPR compliant, whether you’re an existing client or not, we’ll be happy to help. Get in touch by phone on 01437 720033 or email firstname.lastname@example.org.