One of the biggest recent developments in data protection takes place in the next few days. On 25th May 2019, the General Data Protection Regulation or GDPR comes into effect and it will have a huge impact on how businesses collect and deal with data.
The aim of the regulation, which applies to all EU businesses and any company or organisation that operates or has customers in the EU, is to give control back to the people who actually own the data. While many companies are working hard to put in the processes that help them comply with the GDPR, many have not considered the implications when it comes to their own websites.
Note also that the UK leaving the EU does not make a difference. The UK Government has already agreed to follow the GDPR once we part company.
What Should You Do?
First of all, you need to understand what kind of information you collect via your website. That can include where you have cookie software on your site and whether you collect things like IP addresses. There may be online forms that you use to build subscribers and, of course, any e-commerce transactions.
Transparency and Your Website
The key part of the GDPR is not that you are collecting all this data but that you must be open and transparent about what you do with it. It also means you need to have a privacy policy and display it on your website. Many companies will have this already as a matter of course but you should check it to see if it is still fit for purpose and fulfils your GDPR obligations.
Safeguarding Data
The next thing you need to look at is how you are protecting customer and visitor data so that it isn’t stolen or passed on to third parties without their knowledge. Most e-commerce businesses, for example, will have a Secure Sockets Layer certificate, or SSL, which encrypts data in transit between the visitor’s browser and your site. You’ll notice if your website has one of these by the padlock sign at the bottom of the screen.
Consent and Your Website
When it comes to website forms, there is now no such thing as implied consent. You have to be very clear about telling users what you are collecting their data for and how it will be used.
For example, if you are going to be passing details on to a third party, you need to be specific about who that is and what they are going to do with the data. You also need to add a separate, unticked box asking for permission, not a pre-ticked box that the user has to untick to opt out. If you have something like a free whitepaper download which is designed to gather customer details and email addresses, again you need to be specific about why you want that data and what you intend to do with it.
Even if you are using a tool such as Google Analytics to process data on your site, you have to state that you do this in your privacy policy. Should you have visitors to your business blog and they are able to leave comments with their IP address or email, you also need to be clear about how the data is used.
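To show how the opt-in rule above translates into a form handler, here is an added example (not code from the original post) for a whitepaper download form: every purpose has its own box that starts unticked, only boxes the user explicitly ticked are recorded as granted, and the record keeps the exact wording shown and any named third party. The field names, company names and purposes are assumptions.

```javascript
// Added example, not from the original post. Field names, purposes and
// company names are assumptions for illustration.

// Each purpose the form asks about, with the exact wording shown to the
// user and any third party the data goes to. Every box starts unticked;
// `required` marks the one purpose the download itself cannot work without.
const CONSENT_PURPOSES = {
  whitepaper: {
    text: "Email me the whitepaper",
    thirdParty: null,
    required: true,
  },
  marketing: {
    text: "Send me occasional marketing emails from Example Ltd",
    thirdParty: null,
    required: false,
  },
  partner: {
    text: "Share my details with Example Partner Ltd so they can contact me",
    thirdParty: "Example Partner Ltd",
    required: false,
  },
};

// Build a consent record from the submitted form fields.
// A browser only sends a checkbox field when it is ticked, so a missing
// field means the user did not consent; no default is ever assumed.
// Returns { ok: true, email, granted } or { ok: false, error }.
function buildConsentRecord(fields, now = new Date()) {
  if (!fields.email) return { ok: false, error: "email required" };
  const granted = [];
  for (const [key, purpose] of Object.entries(CONSENT_PURPOSES)) {
    const value = fields[`consent_${key}`];
    // Accept only the literal checkbox values; anything else is "no".
    const ticked = value === "on" || value === "true";
    if (!ticked && purpose.required) {
      return { ok: false, error: `consent for '${key}' not given` };
    }
    if (ticked) {
      granted.push({
        purpose: key,
        text: purpose.text, // wording the user actually saw
        thirdParty: purpose.thirdParty,
        at: now.toISOString(), // when consent was given
      });
    }
  }
  return { ok: true, email: fields.email, granted };
}
```

Keep the returned record alongside the subscriber so you can later show what each person agreed to, and when.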
In short, any data collected by your website which is considered to be personal needs to have measures in place to ensure you comply with the GDPR. Getting on the wrong side of this legislation can mean sizeable fines should you be found to be at fault.
If you haven’t yet reviewed your website in light of the GDPR, it is imperative that you do so now. Even if you are a small business and only collect a small amount of data, you have obligations under the legislation that must be met.