
This article concerns the European Union General Data Protection Regulation (GDPR), the data compliance law that will be enforced from 25 May 2018.
As the supplier of your website(s) and/or hosting, we are legally classified as a processor of data. It is therefore in our interest that our clients fully understand and implement the law properly, and it is our responsibility to handle correctly the data that passes through the products we provide. This includes your website and email and their respective hosting servers.
After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, from which time organisations in non-compliance may face heavy fines of up to 4% of annual global turnover or €20 million for breaching the new legislation.
The GDPR replaces the Data Protection Directive 95/46/EC. It was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens with regard to their data privacy, and to reshape the way organisations across the region approach data privacy.
The GDPR applies not only to organisations, companies, sole traders and other businesses located within the EU, but also to organisations located outside the EU if they offer goods or services to EU data subjects, or collect, store, use or monitor the personal information of EU data subjects. In short, it applies to everyone processing and holding the personal data of data subjects residing in the European Union, regardless of where the organisation is located.
You will need to prepare, and potentially audit, your business, brand and website for GDPR in order to understand what data, systems and policies you have in place that make you compliant, and where your gaps in compliance are. We have had to do this ourselves, and it applies to everyone who has a business or an online presence. You will have to become compliant both online and offline in terms of how you handle data.
We have identified the following minimum action points that we recommend all website owners take to ensure their website is compliant. This is not necessarily an exhaustive list, and it does not take into account software or products outside of those hosted or created by us:
- Privacy policy: A privacy policy needs to be added to the site explaining what happens with the data and how to get in touch to update or remove information that has been submitted. Data submitted to you can be retained where it is covered by the ‘contract’ lawful basis for processing. The privacy policy will need to be linked from any contact forms, with clear consent given by the person submitting the form.
- HTTPS or SSL certificate: For best practice and secure communication over a computer network, your website should have an SSL/TLS certificate installed and serve its pages over HTTPS.
- Contact forms: Changes will be required to your contact form(s) depending on the current and future use of the personal data collected through them (for example, if you add that information to an external mailing list, a phone, laptop or PC, a CRM, etc.). A cookie policy will also be required for websites that use cookies, if one is not already in place.
- Access points: Review, validate and secure as best you can any access, login or entry points to your website, database, email applications and overall server-based data storage. Introduce additional or new baseline security standards where required.
- Website firewall: Installation of SiteLock, firewall software within your website that provides additional security and daily scans for protection against malware, hackers, breaches, etc.
- Existing contacts: Reach out to your existing database or subscription list if you have one. It is good practice to ask them to opt back in and give consent for you to stay in touch with them or hold on to their data for an extended period of time.
As this is a matter of urgent priority, we recommend that you do not dismiss or delay addressing GDPR for your business, as there can and will be fines applied to non-compliant websites and businesses. There will unfortunately be unavoidable costs to implement the necessary changes. We aim to keep the costs to a minimum, however, and to integrate the proper long-term measures so that this doesn’t need to be addressed again in the future. Trust us, we would much rather that we didn’t have to undertake this as it takes us away from the creative side of our work… but it is regrettably not a case of choice at this stage.
In light of the recent widely reported Cambridge Analytica scandal and the subsequent testimony of Mark Zuckerberg (Facebook CEO) to the U.S. Congress, the collecting, processing, storage and ongoing use of any individual’s sensitive data or private information is a very serious subject. It is our aim to simplify the process as it applies to your website (in full), making you fully compliant, and to assist where we can with how it relates to or impacts your current business activities as a whole.
Immediate actions:
- Read the well-documented guidance on GDPR from the ICO website.
- Conduct a data inventory and data-flow audit (if required).
- Appoint a data protection officer within your business if required.
- Conduct an internal PIA (privacy impact assessment).
- Revisit your existing privacy and cookie policies, or start preparing the information to include in any new ones.
- Review, validate and secure as best you can any access, login or entry points to your website, database, email applications and overall server-based data storage.
We acknowledge that GDPR can seem daunting; however, we are here to help you deal with its implications, and realistically for most businesses it can be handled easily with a few hours of work. Give Code54 a call on 0800 788 0800 today if you’d like to talk more about these law changes or discuss any plans to help get you compliant.