The GDPR (General Data Protection Regulation) comes into force on 25th May 2018. If your organisation collects or stores any personal data about people in the EU, you will need to comply with GDPR regardless of the Brexit status at the time, and non-compliance can result in financial penalties. Personal data includes email addresses, names, contact details, postal addresses and similar. The new regulation is designed to give people control of their personal information, putting their interests ahead of those of businesses.
Therefore, it is important for us as a web design company, and for you as our client, to be aware of this new legislation and adhere to it. There is an upside: being compliant shows your audience that you are a trustworthy organisation that respects their privacy and personal information.
What does this mean for me and what should I do?
We have outlined what this means for your website:
- Conduct a personal data audit. List what data you collect about your clients, either through your website or through 3rd party services. Do you have a contact form collecting a client's name, email, telephone number and so on? If your website includes a contact form, in most cases the form data is simply emailed to you rather than stored on the site, so the website itself holds very little (the data does still sit in your mailbox, so keep that in scope). How about 3rd party services such as Mailchimp newsletters: do you have a newsletter sign-up on your site? Do you operate an online store and collect customer data in order to process orders? Where is that data stored: does it go straight to your email, or into a database on your website? Think about whether all the data you collect is necessary. If some of the information you currently collect and store on your website isn't strictly necessary, you can stop collecting it and purge it from your databases.
- Your website must be served over HTTPS (SSL/TLS). If the address starts with https:// and your browser shows a padlock next to it, you're fine; if not, contact us to upgrade. Bear in mind that the padlock only confirms that the connection to your site is encrypted and the certificate is valid; it says nothing about how the data is handled once it arrives.
- Understand what must be done in the event of a breach. GDPR requires the data controller to have defined processes in place for handling a data breach. The data controller has a legal obligation to report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. For more information, take a look at this article on the reporting of data breaches.
- Children. GDPR, for the first time, brings in special protections for children's personal data, particularly in regard to commercial internet services such as social media. If your organisation offers online services to children and relies on consent to collect information about them, you will need the parent or guardian's consent in order to process the child's data lawfully. GDPR sets the age at which a child can give their own consent to this processing at 16 by default, although member states may lower it to as young as 13 (the UK has chosen 13). Separately, if children use your services, your privacy information must be written plainly enough for a child to understand.
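The HTTPS item above says to look for the padlock. As an added example (not code from the original article), the script below goes one step further than the padlock check: it confirms that the certificate validates against the system trust store, that a plain http:// request is redirected to https:// on the same site (so a visitor who types the bare domain never submits a form in clear), and whether HSTS is set. The decision logic is kept separate from the network calls so it can be exercised offline; the hostnames and headers used in the usage and tests are constructed for illustration.

```python
"""Added example: an HTTPS readiness check for a website.

Separates the observations (network) from the verdict (assess) so the
verdict logic can be tested with constructed inputs, no network required.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class HttpsReport:
    host: str
    cert_valid: bool               # TLS handshake succeeded with certificate verification
    http_redirects_to_https: bool  # http:// -> https:// on the same site
    hsts_max_age: int              # 0 when no usable Strict-Transport-Security header

    @property
    def ok(self) -> bool:
        """Minimum bar: valid certificate and no plain-HTTP path left open."""
        return self.cert_valid and self.http_redirects_to_https

    def findings(self) -> list:
        out = []
        if not self.cert_valid:
            out.append("certificate does not validate (expired, wrong name, or untrusted CA)")
        if not self.http_redirects_to_https:
            out.append("http:// is not redirected to https://, so form data can still travel in clear")
        if self.hsts_max_age <= 0:
            out.append("no HSTS header; browsers may still try http:// first on later visits")
        return out


def _same_site(host: str, location: str) -> bool:
    """True if `location` is an https:// URL on `host` (a www. prefix is ignored)."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    strip = lambda h: h.lower().removeprefix("www.")
    return strip(parts.hostname) == strip(host)


def parse_hsts_max_age(header: Optional[str]) -> int:
    """Extract max-age from a Strict-Transport-Security header; 0 if absent or malformed."""
    if not header:
        return 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else 0
    return 0


def assess(host: str, cert_valid: bool, redirect_status: Optional[int],
           redirect_location: Optional[str], hsts_header: Optional[str]) -> HttpsReport:
    """Pure verdict logic over the observations gathered by check_site()."""
    redirected = (redirect_status in (301, 302, 307, 308)
                  and redirect_location is not None
                  and _same_site(host, redirect_location))
    return HttpsReport(host, cert_valid, redirected, parse_hsts_max_age(hsts_header))


def check_site(host: str, timeout: float = 10.0) -> HttpsReport:
    """Gather the observations over the network and hand them to assess()."""
    cert_valid, hsts = False, None
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        cert_valid = True  # handshake completed, so the certificate verified
        hsts = resp.getheader("Strict-Transport-Security")
        conn.close()
    except ssl.SSLError:  # includes SSLCertVerificationError
        cert_valid = False

    status, location = None, None
    try:
        conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
    except OSError:
        pass  # port 80 unreachable: reported as "not redirected" so a human looks at it
    return assess(host, cert_valid, status, location, hsts)


if __name__ == "__main__":
    import sys
    # Hostname is an illustrative default; pass your own site on the command line.
    report = check_site(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print("OK" if report.ok else "NEEDS ATTENTION", report)
    for finding in report.findings():
        print(" -", finding)
```

Run it as `python https_check.py yourdomain.example` (filename is arbitrary). A site that passes the padlock test but answers plain http:// with a 200 page still fails here, because that is exactly the path on which a contact form submission would be sent unencrypted.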
As the deadline gets nearer, there will inevitably be more discussion of, and clarity about, GDPR, so it is important to keep informed. A good resource for learning more about GDPR and the actionable steps to take can be found at Thrive.