Is your website GDPR Compliant?
You may or may not be aware of the new General Data Protection Regulation (GDPR) rules set to come into effect next year, but they are likely to affect your business in some way. The GDPR has been introduced by the EU, will come into force before the formal process of Brexit is completed, and will affect all UK businesses.
As recently reported by the BBC, a major shake-up in UK data protection law is on the horizon which will have repercussions for many businesses in the UK, including every business with a website. As a digital marketing agency carrying out many web design and bespoke software development projects, we must take any new legislation (particularly changes as substantial as this) extremely seriously, and to avoid potentially expensive problems, your company should too.
Following the announcement of Brexit, there has been some debate around exactly how the planned General Data Protection Regulation (GDPR) EU legislation might be translated into UK law, but following consultation, it appears we now have a solid stance from the UK’s Digital Minister, Matt Hancock: the legislation will be fully translated into UK law, perhaps as soon as early 2018, and it may be even stricter!
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
In essence, these stricter regulations will replace the already stringent existing ones governing how companies are allowed to collect, store and use personal information. At its centre, the GDPR aims to give control back to the public when it comes to how businesses can use their personal data. The EU does this by creating a co-ordinated framework for data protection across all the EU member states. In order to achieve this ambitious objective, tighter controls must be introduced over those who host and process such data. Many websites also collect a wide assortment of personal data, so GDPR will affect all of our clients with website databases and web forms.
It is not difficult to see why such regulations are necessary in the UK, since there are almost daily news stories and scandals reported regarding data breaches, hacks and other online data crimes.
What is going to change?
In short, the changes can be summed up in the following three key areas:
- The GDPR will make clear the legal right of people to access, correct, delete or transfer personal information held about them on any company system.
- The regulations will include a requirement for citizens to provide explicit consent for their personal data to be held, after which companies must record and save this consent.
- The GDPR will also enforce the legal obligation for organisations to inform the relevant data authorities and affected consumers within 72 hours of any breach of data security.
Do these changes affect my business?
Yes. If you are a company which operates within the EU and handles and stores any kind of personal information, then you will have to comply with these new rules. These regulations are going to apply across the board, irrespective of company size or business sector; of course, we web designers will also have to conform!
They say that prevention is better than cure, and this is certainly the case when it comes to GDPR, particularly since the penalties for non-compliance can be very severe. The GDPR stipulates that fines may be levied of up to 4% of a company’s annual turnover or up to £17 million (at today’s exchange rate), whichever is higher. It is unclear what constitutes a ‘serious’ violation, but it is important to note that for a small business, such a fine could be cataclysmic.
One of the most noteworthy changes which will be brought in by GDPR is that it places direct responsibilities on data processors for the first time. Data processors are essentially those businesses or people who process personal data on behalf of data controllers (those who determine how and why personal data is processed).
Regarding GDPR and web design, in simple terms, the new regulations now make the people in charge of website planning or data input responsible too, rather than just the website owner or web hosting company, thus covering a much larger array of people.
It is therefore a good idea to work with professional, forward-thinking web design and SEO agencies who are always at the forefront of new technology and can actively implement any new directives such as GDPR for clients. Perhaps it’s time to consider Square Media if you have concerns.
Do I need to update my website?
Possibly. If you get in touch with us, we can conduct a full audit of your website and provide you with a report which explains areas of your website which might need further investigation or changes. As a rule of thumb, you have responsibilities (which may include updating your website) if you:
- Collect personal information, whether that be through contact forms or other methods.
- Hold personal information on your website; for example past customer data on an eCommerce website.
- Collect personal information in any other way; for example through subscription sign-up forms.
The changes required will vary depending on the information you collect, how securely you collect it, who has access to the data, and how you intend to use it or handle its long-term storage.
What practical steps do I need to take to comply?
In order to fully comply with GDPR, companies which handle any personal data must now fully understand exactly what kind of information they hold, where they hold it, how secure that data is and who has access to it. To establish this, a company-wide data audit is recommended, and ideally this will be carried out as soon as possible. After all, there are already stringent data protection laws in place which you might already be infringing, so it is best to start now.
It is important that all employees who have previously handled (or will in future handle) personal data are made aware of these new regulations. Such employees should fully understand the regulations and what they will mean for the organisation. This includes ALL workers, not just those in senior positions, and as such, GDPR training sessions are a good idea to help uninformed personnel understand these new rules.
Moving forward, companies should update their existing data protection policies and practices and seek to put in place rigorous schemes to govern them. There should also be a system in place to quickly detect and respond to any data breaches.
Furthermore, companies will need to appoint a dedicated Data Protection Officer: an individual who is responsible for all company-wide personal data. It is obviously a no-brainer that you should look to appoint someone who has expertise in data protection and in GDPR in particular.
GDPR compliance may seem like an overwhelming task for many businesses, but the reality is that it is coming and all businesses must start taking action to protect themselves and their customers sooner rather than later.
While Square Media cannot give actual legal advice on GDPR, we can help clients audit their website, make suggestions regarding improvements, and implement the changes needed where the current setup would otherwise result in a breach of the new regulations.
Please note: This article does not constitute a recommendation for your company nor professional advice. These are only the parts of the GDPR that may require changes to your website or its design. There are many other components to the GDPR not listed here that may be applicable to you; these can be found on the Information Commissioner’s Office website. We take no responsibility for actions taken as a result of this article or of the links contained within it.