New Year, New priorities. One priority must be ensuring your business complies with the GDPR by May 2018. Why is it important? Because failure to comply with the new rules risks fines of up to €20 million or 4% of global turnover.
What is the GDPR?
GDPR stands for General Data Protection Regulation. It will replace the 1988 Data Protection Act with a new set of rules giving far greater privacy protection to individuals within the EU. It also gives individuals the right to retrieve their data and to request its removal.
The GDPR was devised by the EU in 2015 and the UK was a major contributor to the exact details of the legislation.
Impact of Brexit?
Brexit makes no difference, for two reasons. Firstly, the GDPR comes into effect before the UK leaves the EU; secondly, the UK has made it very clear that it will maintain the GDPR legislation.
What parts of my business does GDPR impact?
It impacts all parts of your business, wherever you store personal information.
So for a business with a website this will impact both the website and any other records or systems you use to store personal data.
These might include for example:
- CRM (e.g. Salesforce)
- Email marketing system
- Invoicing or accounts system
- Home-made spreadsheets of customer details
If your business collects personal data (which it must in order to do business), you are defined as a “Data Controller” under the GDPR, and it is you who are accountable, not your website, CRM, email marketing or other system provider.
Do I need to check my website?
The responsibility lies with the business owner, not with whoever designed or built your website.
Any website that collects data (through a contact form or from sales) and was built over 3 years ago will definitely need changes made to comply with the GDPR, because best practice over 3 years ago was different from the new requirements.
Most marketing websites designed and built quite recently will also need changes, to follow the changes that major online players (e.g. Google and Facebook) have made to meet the GDPR legislation.
Do I need to check my emailer and CRM?
With a reputable third-party application such as Mailchimp, the system provider should ensure compliance within their system. Your responsibility is for how the data gets into the system, which might be via a website.
Do I need to check custom built systems?
Anything that handles personal data needs to comply with the GDPR.
Top website checks for GDPR
The top four checks that your website meets the GDPR requirements are:
SSL encryption (the padlock)
The GDPR requires all personal data to be encrypted in transit, which means you need an SSL certificate on your server if you have any contact form or means of sales.
Explicit consent
The GDPR requires you to obtain explicit consent from people when requesting their personal data. A pre-filled tick box is not acceptable.
Up-to-date plugins
Any old (over 2 years old) plugin is very unlikely to be compliant with the GDPR. Reputable plugins should have updates available; for less reputable ones, alternatives will need to be sourced or coded.
Allowing people to access their data
The GDPR requires individuals to have easy, unrestricted access to their data, so they can either review it or delete it entirely, or a means by which they can request that you provide and remove this data.
My website is only one year old, do I still need to make checks?
Yes, all websites need checking, although it is likely that fewer changes will be needed on newer websites.
Some changes (e.g. to the way contact forms request consent) will initially have a negative impact on marketing, and this is one reason why it was best to defer some of the required GDPR changes.
What should I do next and when?
You need to get your website reviewed in time for changes to be made before May 2018.
Larger ecommerce websites should already be in the process of validating this. Smaller ecommerce websites should ensure this is planned in by a web developer in the next three months. Business websites with contact forms need to ensure any work needed is booked in before May 2018.
ExtraDigital have a rolling plan over the next two months of notifying all marketing and web hosting clients of suggested work to ensure their website meets GDPR requirements before 2018.