How Do I Make My Site GDPR Compliant?
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for EU citizens. The GDPR extends the powers of the Data Protection Act of 1998 to provide better ownership and control over personal data. It also brings much heavier fines for non-compliance.
The GDPR focuses on: businesses' accountability and obligations; stronger rights for EU citizens; regulatory restrictions on all businesses (in or out of the EU) handling EU citizens' data; the introduction of data breach notification into European law; and a legal requirement to provide evidence of compliance in the collection, management and protection of personal data.
When will The GDPR come into effect?
The GDPR will come into effect on May 25th 2018 and will remain with us despite Brexit!
Why do I have to follow GDPR?
Apart from the legal requirement for businesses to follow The GDPR, you could face a massive 20,000,000 Euro fine or 4% of your annual turnover (whichever figure is higher) for non-compliance, so it’s definitely in your best interest to comply.
How do I make my site GDPR compliant?
The GDPR requires websites to be upfront and clear about what data they are collecting from visitors to their sites, how that data is going to be used, how long the data is going to be kept, and who it is being shared with.
An example of transparency: if your site is using cookies for measuring activities, such as Google Analytics tracking, you need to ensure you are up-front and explicit about the information that you are collecting and its use.
An example of an informative cookie banner asking for consent could be as follows:
Provable consent has to be explicitly given by a user to the data processor or controller before data about the user can be processed. This means that there can be no automatic opt-ins on the submission of forms and the like. Additionally, only data that has consent can be collected and processed.
Moreover, if you own any data about users that originated before The GDPR was brought into effect, such as email addresses used for Email Marketing campaigns in the past, the user has to be re-contacted and consent has to be re-submitted by the user for the continued use of the data.
With these changes, the development of forms has been heavily impacted, and old forms will most likely need to change to be GDPR compliant.
3. Data Breaches
The GDPR makes it mandatory for any data breaches to be reported by the data controller to the relevant supervisory authority such as the ICO (Information Commissioner's Office) within 72 hours of the breach. Additionally, if the breach is serious enough then the individuals affected by the data breach also need to be informed within the same time limit.
4. User Rights
Under The GDPR users have the right to withdraw consent for the collection and processing of their data at any time, and it has to be just as easy for the user to opt-out of consent as it was to opt-in!
Furthermore, users also have the right to request total removal of all of their data. This means that all data about the user has to be completely removed from your systems, including any references and backups.
5. Data Protection Officer (DPO)
Appointing a Data Protection Officer or DPO within your organisation could help to solve your GDPR woes. This is a mandatory requirement for organisations responsible for managing large quantities of personal data, such as Public or Health authorities.
A DPO is designated by the data controller to be responsible for monitoring internal compliance with legislation within an organisation. For smaller organisations the DPO could be a suitably trained in-house employee. Despite the cost, this significantly reduces the risk of non-compliance, and the possibility of potentially disastrous impacts of GDPR non-compliance.
6. Do I Need an SSL Certificate to Be GDPR Compliant?
The short answer is yes, most websites need an SSL certificate to be GDPR compliant, but it depends on what information your website collects.
The GDPR may seem overwhelming at first, threatening huge fines for non-compliance and specifying volumes of rules to be followed. But with the right approach you can take action to ensure that your site gets recorded permission from users to collect and process data, avoiding costly mistakes such as nasty automatic opt-ins.
Ensure consent, compliance and evidence. Review internal data security policies, train staff and develop guidance and practice to ensure that people, processes and technologies are ready to meet the new legal challenges presented by The GDPR.