As you will have noticed already by now, the GDPR (General Data Protection Regulation) will be enforced on 25 May 2018.
The GDPR replaces the existing data protection regulations that govern how businesses collect, store and use the personal information of clients. Under the new rules, control of personal data is handed back to the individual rather than left to the interests of businesses. It is therefore essential for us and our clients to make the necessary changes so that we all comply with the new legislation.
You need to comply if your business operates within the EU and handles and stores personal information. Put simply, businesses must address the following:

- what personal data you collect
- how you collect it
- what purpose you collect the data for, ensuring you only use it for that purpose
- how you protect the data at all stages of processing
- how you delete the data securely when it is no longer needed.
As a website owner, ensure that you:

- Gain explicit consent before collecting data, with consent requested through an opt-in mechanism (e.g. an unticked newsletter sign-up box).
- Provide a clear and accessible privacy policy that informs users how their data is collected, how it is stored and what it will be used for.
- Have a mechanism in place for users to request to view the data you hold about them.
- Put a 'Right to be Forgotten' process in place, so that users can withdraw consent and request removal of the personal data that has been collected.
Regarding what website owners need to do, we suggest undertaking the following activities to ensure you are compliant. Start by identifying every place personal data is collected, including:

- Data collected from your 'Contact us' forms, such as names, email addresses, telephone numbers, company, etc.
- Third-party data collection through services such as Mailchimp, Infusionsoft, AWeber, etc.
- Any online store you use to collect customer data in order to process orders.
- Contact forms that store personal details in your website database. Are they storing that data unencrypted?
Keep your data collection to a minimum and you will limit both the impact of a data breach and the scope for GDPR non-compliance. Collect only the information you are actually going to use.
Your website will need a privacy policy page that tells users how data is stored and used. It should inform customers how they can request access to their data and what they have to do to withdraw consent for their data use and storage.
An SSL/TLS certificate is what gives a website the 'https' address you see in the browser and lets it send data over an encrypted connection. This is not a required step, but implementing a certificate moves you closer to GDPR compliance by protecting personal data while it is in transit between the user and your site (it does not, on its own, protect data stored in your database).
The data controller needs to have defined processes in place for dealing with a data breach, and must report a breach to the supervisory authority within 72 hours of becoming aware of it.
For more information, visit the Information Commissioner's Office website for a useful guide written in plain English, and check out the '12 steps to take now' PDF: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
Copyright © 2020 Infiniti Graphics (Ely) Ltd. Company No. 12058491. VAT No 361 3938 88.