Displaying items by tag: Data Protection

As you will have noticed already by now, the GDPR (General Data Protection Regulation) will be enforced on 25 May 2018.

The GDPR replaces existing data protection regulations on how businesses collect, store and use the personal information of clients. The new regulations mean control of data is handed back to people, rather than the interests of businesses. So it’s essential for us and our clients to make the necessary changes so we all comply with the new legislation.

You need to comply if your business operates within the EU and handles and stores personal information. Simply, businesses must address the following:

• what personal data do you collect

• how do you collect it

• what purpose do you collect data for and ensure you only use it for that purpose

• how you protect the data at all stages of processing

• how you delete the data securely when it is no longer needed.

As as website owner, ensure that you:

• Gain explicit consent before collecting data, where consent is requested using an opt-in system, e.g. in a newsletter.

• Provide a clear and accessible privacy policy, that informs users how data is collected, stored and what it will be used for

• Have a mechanism in place for users to request to view their data

• Put into place a ‘Right to be Forgotten’, where users can withdraw consent and request removal of personal data that has been collected.

Regarding what website owners need to do, we suggest undertaking the following activities to ensure you are compliant:

1. Conduct a data audit of what data you are collecting

• This includes data collected from your ‘Contact us’ forms such as names, email address, telephone number, company, etc.

• Third party data collection from Mailchimp, Infusionsoft, AWeber, etc.

• An online store you use to collect customer data to process orders.

2. Record where data is stored

• Contact forms storing personal details on your website database. Are these storing unencrypted data?

3. Is the data you have stored necessary?

• Keep your data collection to a minimum and you’ll limit data breaches and GDPR non-compliance. Collect only information you are going to use.

4. Write a privacy policy

Your website will need a privacy policy page that tells users how data is stored and used. It should inform customers how they can request access to their data and what they have to do to withdraw consent for their data use and storage.

5. Add an SSL certification to your site

These are the websites you see that have ‘https’ and send data over an encrypted connection. This isn’t a required step, but you will be making yourself more GDPR compliant if you implement an SSL certificate.

6. Understand what you do in the event of a breach

The data controller needs to have defined processes in place in the event of a data breach and report it within 72 hours.

For more information, visit the Information Commissioner’s Office website for a useful guide written in plain English. Check out the ‘12 steps to take now’ PDF:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr