Don’t be mistaken in thinking that just because you only have a small website, GDPR doesn’t affect you.
If you collect personal data then GDPR does affect you.
What is personal data?
Well, there is no single definitive list. GDPR treats as personal data any information relating to an identified or identifiable living person. A common name on its own may not be enough to pick out one particular person, but combine that name with a telephone number or an email address and you will usually have enough to identify an individual, so the whole record is personal data. [Boxcryptor provide some examples – https://www.boxcryptor.com/en/blog/post/what-is-personal-data-simple-examples/]
What is GDPR?
GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. It applies from 25th May 2018. Any changes you make may have to be updated again after the completion of the UK’s exit from the European Union, depending on how the UK carries the rules into domestic law.
Under the new GDPR rules businesses need to be more transparent: where consent is the basis for collecting personal data, that consent must be given freely, for a specific purpose, and users must be fully informed about how their data will be used. You also need to be able to show that consent was given, so keep a record of what the user agreed to and when.
What difference does it make to the users?
On one hand, more tick boxes and links to policies that users never read. On the other hand, users have the reassurance that you are handling their data with care.
Users also have the right to access their personal data and the supplementary information about how it is processed, and you have to provide it free of charge. A ‘reasonable’ admin fee can only be charged where a request is manifestly unfounded or excessive, for example repeated requests for the same data.
How does it affect your website?
Most websites have at least 2 basic components:
- Google Analytics to help you analyse website traffic
- A contact form to allow visitors to easily contact you
If you have either of these then you need to ensure your website is GDPR compliant.
Other common website components that have to be considered under GDPR
- The ability to comment on blog posts
- Newsletter subscriptions
- eCommerce – online store
Two key areas to act on
First, update the terms and conditions and privacy notice on your website to reference GDPR terminology. In particular, you will need to make transparent what you will do with the information once you’ve received it. You will also need to update your data retention policy to detail how long you will retain this information, both on your website and in your office systems.
Second, any forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank.
So, you can’t have a form that starts with all the boxes ticked to say that the user wants to be contacted by email, phone and post. The tick boxes have to be blank and the user selects which methods they want to be contacted by. Treat a box that was not ticked as “no” on the server as well, rather than relying on the page alone.
What about Google Analytics?
Take a look at what Google is doing to comply with the data protection laws, and check what settings and agreements it expects you, as the site owner, to put in place – https://privacy.google.com/businesses/compliance/#?modal_active=none
The changes being brought in by GDPR affect not just your website but all aspects of your business.
If you have not already referred to it then check out the ICO’s website – https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
There’s also a handy 12 step guide – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Where do you start?
Ask yourself these questions:
- What personal data do I have stored in both electronic and paper format?
- Do I need that data?
- Do I have a policy that shows how long I will retain that data for?
- Is the data being held securely?
- Do I need to register with the ICO? The ICO has an online questionnaire that will help you decide – https://ico.org.uk/for-organisations/register/self-assessment/
If you do a search on the web you will find quite a few articles about GDPR, and your own professional body may already have provided guidance, but if you feel that ParadigmIT can be of assistance then please get in touch.