Helping to make your website work with GDPR

November 12, 2017 | Blog, gdpr

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European regulation designed to strengthen the existing data protection for all EU citizens and residents. Any business that wants to provide products and services to EU citizens needs to show that it can protect their data.

Essentially, anyone who collects and processes the personal data of a living individual (the GDPR calls such a party a Data Controller) is required to comply with the new regulation, or face strict new fines. The processing covered includes internal databases, mailing lists, websites, email and more.

The GDPR document can be found at: https://gdpr-info.eu/ and will come into effect on the 25th May 2018.

Consent

Consent is a big part of the GDPR. As a business, you must now show that you are doing everything you can to protect the personal information you are collecting. Explicit permission must be obtained before you collect the data; any deviation from this could lead to trouble later.

In addition to receiving consent to add the customer to your database, you must only use that information for the specific purposes you have stated. For instance, if you have stated that the information will be used to notify the user of new products, then you can only contact the person about new products, and not use the same details to market your existing products.

Keeping the above in mind, you need to think about:

  • What will the data be used for?
  • Where will the data be stored?
  • How long do you need to keep the data?

On a website, you should state at the time of collection what information you are collecting and for what reasons. This could be a few lines on the same page as your signup form, or it may be a link to your privacy policy. Either way, you need to ensure that people can easily find out what they are signing up to, and why.

Additionally, if you sign people up or collect their information, there must also be a way for the user to remove that information from your databases. Your website should have an easily found page, or a link to one, explaining how a user can have their data removed.

Privacy Policies

Privacy policies now play an important part of a website. If you don’t have one, you should look at creating one and make it easy to find within your website.

The privacy policy should state what information you collect from users and how it will be used. The statements within this policy should be explicit; there is no reason for vague or weak wording.

For example, a compliant privacy policy should say “Your data will be used for xxx” rather than “Your data may be used for sales and marketing…”.

The policy should state how the information will be collected, for how long it will be kept and for what reasons. If your website links to third-party sites, you should also state whether users’ information will be passed to those sites.

A big part of the GDPR is allowing users to control their own data. Within your privacy policy you should state how they can access their personal data, how that data is kept secure and how they can remove their information if needed.

For an example, check out our privacy policy which states the above.

Cookies Policies

Just about every website on the Internet uses cookies in one way or another. Because cookies can store information about, and interact with, the users accessing the website, they come under the GDPR. You should have a cookie policy for your website that is easy to find.

This policy should state which cookies your website sets and what information will be collected through them. This could include:

  • IP addresses
  • Computer information
  • Name, email address, etc.

Additionally, you should also state how long this information is kept for.

Location of data

The GDPR protects the data of EU citizens, and with this comes rules on the location and storage of that information. Under the GDPR you are only allowed to store personal data within the specified EU locations, or within countries whose data protection laws are up to the agreed levels.

The ICO has more information about the storage and transfer of personal data, which can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/


We hope this post is informative for you, and that you check to make sure you’re doing everything you can to ensure your website is up to date with the impending GDPR.

TeraByte have several blog articles and services available to help you understand the new changes, which can be found at https://terabyteit.co.uk