New Year, New priorities. One priority must be ensuring your business complies with the GDPR by May 2018. Why is it important? Because failure to comply with the new rules risks fines of up to €20 million or 4% of global turnover.

What is the GDPR?
GDPR stands for General Data Protection Regulation and this will replace the 1988 Data Protection Act with a new set of rules giving far greater privacy protection to individuals within the EU. It also gives individuals the rights to retrieve their data and request its removal.
The GDPR was devised by the EU in 2015 and the UK was a major contributor to the exact details of the legislation.
Impact of Brexit?
Brexit makes no difference for two reasons. Firstly, the GDPR comes into effect before the UK leaves the EU; secondly, the UK has made it very clear that it will maintain the GDPR legislation.
What parts of my business does GDPR impact?
It impacts all parts of your business, wherever you store personal information.
So for a business with a website this will impact both the website and any other records or systems you use to store personal data.
These might include for example:
- Website
- CRM (e.g. Salesforce)
- Email marketing system
- Invoicing or accounts system
- Home-made spreadsheets of customer details
If your business collects personal data (which you must do in order to do business), then you are defined as a “Data Controller” under GDPR. You are the accountable party, not your website, CRM, email marketing or other system provider.
Do I need to check my website?
Yes.
And the responsibility lies with the business owner and not whoever designed or built your website.
Any website that collects data (using a contact form or from sales) and was built over 3 years ago will definitely need changes made to comply with GDPR. This is because best practice over 3 years ago was different from the new requirements.
Most marketing websites designed and built quite recently will also need changes made, to follow the changes that major online players (e.g. Google and Facebook) have made to meet the GDPR legislation.
Do I need to check my emailer and CRM?
Yes.
But with a reputable third-party application such as Mailchimp, the system provider should ensure compliance within their system. Your responsibility is for how the data gets into the system, which might be via a website.
Do I need to check custom built systems?
Yes.
Anything that handles personal data needs to comply with the GDPR.
Top website checks for GDPR
The top four checks for whether your website meets the GDPR requirements are:
SSL encryption (the padlock)
GDPR requires all personal data to be transmitted encrypted, and that means you need an SSL certificate on your server if you have any contact form or means of sales.
Correct Consent
GDPR requires you to obtain explicit consent from people when requesting their personal data. A pre-filled tick box is not acceptable.
Non-compliant plugins
Any old (over 2 years old) plugin is very unlikely to be compliant with GDPR. Reputable plugins should have updates available; less reputable ones will need alternatives sourced or coded.
Allowing people to access their data
GDPR requires individuals to have easy, unrestricted access to their data, so they can either review it or delete it entirely, or else a means by which they can request that you provide and remove this data.
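The first two website checks above (forms submit over HTTPS, and consent is collected with an explicit, unticked box) can be spot-checked mechanically against a page's HTML. The following is an added example written for this page, not a tool from ExtraDigital or any plugin vendor: it parses a constructed sample page with the Python standard library and reports, per form, whether the form posts over plain HTTP, whether it has no consent checkbox at all, and whether the consent box is pre-ticked. The list of words used to recognise a consent checkbox by its field name is an assumption and will need tailoring to a real site's field names.

```python
"""Static audit of an HTML page for two of the GDPR website checks:
forms must submit over HTTPS (the 'padlock' check) and consent checkboxes
must be present and must not be pre-ticked (explicit consent).
Added example; the HTML below is constructed for illustration."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one compliant form, one legacy form that posts over
# plain HTTP with a pre-ticked consent box, and one form with no consent box.
SAMPLE_HTML = """
<html><body>
<form id="newsletter" action="https://example.com/subscribe" method="post">
  <input type="email" name="email">
  <input type="checkbox" name="consent" value="yes"> I agree to receive emails
</form>
<form id="legacy" action="http://example.com/contact" method="post">
  <input type="text" name="name">
  <input type="checkbox" name="consent" value="yes" checked> Keep me informed
</form>
<form id="quote" action="/quote" method="post">
  <input type="text" name="phone">
</form>
</body></html>
"""

# Assumed heuristic: a checkbox whose name contains one of these is a consent box.
CONSENT_WORDS = ("consent", "agree", "optin", "opt_in", "opt-in", "subscribe")


class FormAuditor(HTMLParser):
    """Collects each form's action URL and its checkbox inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form> element
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # bare boolean attributes (e.g. checked) map to None
        if tag == "form":
            self._current = {
                "id": attrs.get("id", "<unnamed>"),
                "action": attrs.get("action", ""),
                "checkboxes": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "text").lower() == "checkbox":
                self._current["checkboxes"].append({
                    "name": attrs.get("name", ""),
                    "checked": "checked" in attrs,
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_consent_box(name):
    """True if the field name looks like a consent/opt-in checkbox."""
    lowered = name.lower()
    return any(word in lowered for word in CONSENT_WORDS)


def audit_html(html, page_url):
    """Return {form id: [findings]}; an empty list means the form passes."""
    parser = FormAuditor()
    parser.feed(html)
    findings = {}
    for form in parser.forms:
        problems = []
        # Resolve a relative action against the page URL, then check its scheme.
        target = urljoin(page_url, form["action"] or page_url)
        scheme = urlparse(target).scheme
        if scheme != "https":
            problems.append(f"submits over {scheme}, not https")
        consent = [c for c in form["checkboxes"] if is_consent_box(c["name"])]
        if not consent:
            problems.append("no consent checkbox found")
        for box in consent:
            if box["checked"]:
                problems.append(f"consent box '{box['name']}' is pre-ticked")
        findings[form["id"]] = problems
    return findings


if __name__ == "__main__":
    for form_id, problems in audit_html(SAMPLE_HTML, "https://example.com/").items():
        print(f"{form_id}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against a saved copy of a page's HTML (read the file into `audit_html` in place of `SAMPLE_HTML`); a relative `action` is resolved against the page URL, so a page served over HTTPS with a relative form action passes the transport check, while an absolute `http://` action is flagged even on an HTTPS page.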
My website is only one year old, do I still need to make checks?
Yes, all websites need checking, although it is likely that fewer changes will be needed on newer websites.
Some changes (eg to the way contact forms request consent) will initially have a negative impact on marketing, and this is one reason why it was best to defer some of the required GDPR changes.
What should I do next and when?
You need to get your website reviewed in time for changes to be made before May 2018.
Larger ecommerce websites should already be in the process of validating this. Smaller ecommerce websites should ensure this is planned in by a web developer in the next three months. And business websites with contact forms need to ensure any work needed is booked in before May 2018.
ExtraDigital have a rolling plan over the next two months of notifying all marketing and web hosting clients of suggested work to ensure their website meets GDPR requirements before 2018.
Frequently Asked Questions
What is GDPR and why does it matter for businesses?
GDPR, or the General Data Protection Regulation, is EU legislation designed to give individuals greater control over their personal data. It matters because non-compliance can result in fines of up to €20 million or 4% of global turnover.
Does Brexit affect GDPR compliance in the UK?
No. GDPR came into force before the UK left the EU, and the UK confirmed it would retain GDPR-based legislation. Businesses operating in or targeting the UK must still comply with GDPR requirements.
Which parts of my business does GDPR apply to?
GDPR applies to all areas where personal data is stored or processed, including websites, CRMs, email marketing platforms, invoicing systems, and internal spreadsheets. Any business collecting personal data is classed as a data controller and is fully responsible for compliance.
What GDPR checks should I carry out on my website?
Key website checks include ensuring SSL encryption is in place, collecting explicit user consent, updating or replacing non-compliant plugins, and allowing users to access or request deletion of their data. These are areas ExtraDigital regularly reviews when assessing website compliance.
What should businesses do next to prepare for GDPR?
Businesses should arrange a full review of all systems handling personal data and schedule any required updates before regulatory deadlines. This includes websites, custom systems, and data collection processes, an approach supported by ExtraDigital through structured GDPR readiness planning.