What is GDPR and what does it mean?
If you’re still asking that question, then you need to get a move on! GDPR is the General Data Protection Regulation, and is the single largest change in data protection in the last 20 years. In short, it hands control of personal data back to the individual: the right to know who holds their data, what it is being used for, and how to stop that use.
The regulation applies from 25th May 2018, and affects every organisation that processes the personal data of people in the EU, regardless of where the organisation is located. Recent studies suggest nearly half of businesses in the UK won’t be ready in time.
What is involved in GDPR compliance?
Firstly, I need to post a disclaimer. This post is not legal advice. We’re not lawyers.
The key elements of the GDPR are:
1. Collecting personal data
You need to audit and document the personal information that you collect, or have access to, for members of the public. Where did you get the data, how do you use it, and who do you share it with? For example, if you have a contact form on your website, do you store that information in your database, in a mailing list, or in a file on your desk?
- Do you have a policy for ensuring that you’re using the data in the way it was intended?
- Do you share the information with anyone else, or does anyone else have access?
- Can others within the company access and download a copy of your mailing list? If so, do you know what they do with it once finished?
- Are you collecting more information than you need? Certain “special category” data (such as race, health, sexual orientation, religion or biometrics) needs extra safeguarding and a specific legal basis, so only collect what you actually need for the purpose you have told people about.
2. Review privacy notices and policies
In the past, a simple ‘opt-in’ checkbox was enough for you to collect information and use it. Now you need to be clearer about what you will use the data for, and how the customer can withdraw that consent. Rather than a simple “Yes, you can contact me via email”, you need a specific statement explaining why you are collecting their data, how long you will keep it, and who will have access. Consent must also be a positive action: a pre-ticked box, or a box buried in the terms and conditions, does not count. Using the contact form as an example, if you want to use the email address entered both to send out monthly newsletters and to send out event reminders, you must let the customer choose whether to opt in to each one individually, rather than bundling them into one tick.
3. Data retrieval and right to be forgotten
This is the key element, and follows on from the previous two points. At any point, a member of the public can request a copy of all of the information you hold on them (a subject access request). You must be able to provide this in a readable, commonly used format, normally within one month of the request (extendable by a further two months for complex requests, provided you tell the person why). Without knowledge of what you store and where you store it, you cannot do this.
Further to this, the customer can request that you remove all of their data from your systems. Can you do this easily? Again, the audit comes in here: once you know what you store and where you store it, you should be able to provide this service. Note that the right to erasure is not absolute: where you are legally obliged to retain a record (accounting records, for example), you can keep it, but you should document why.
4. Consent and changes
It is also advisable to keep an audit trail of every change to personal data and to consent. If the customer logs onto your website and ticks a consent, log what they consented to, when, and how. If they then call you and wish to revoke, log that too. That way you have an audit trail of every interaction with the customer, and you can show on what basis you contacted them. And make sure it is clear how they can opt out of, or revoke consent for, a particular activity: withdrawing consent must be as easy as giving it.
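The three points above (separate opt-ins per purpose, a readable copy of everything you hold, and an audit trail of consent changes) fit together naturally as an append-only consent ledger. The following is an added example, not code from the original post or from any CMS vendor; the purpose names, the `ConsentEvent` fields, the dict-based customer profile store and the sample records are all assumptions chosen for illustration. It shows consent being granted on a web form, withdrawn by phone, and re-granted for a different purpose, then a subject access bundle and an erasure carried out against the same records.

```python
"""Per-purpose consent ledger with an append-only audit trail.

Added example, not the original post's code. The purposes, event fields and
the dict-based profile store are assumed; the sample records are constructed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Assumed purposes. Each is a separate, unbundled opt-in: no "yes to everything".
PURPOSES = ("newsletter", "event_reminders")


@dataclass(frozen=True)
class ConsentEvent:
    seq: int          # insertion order; breaks ties between equal timestamps
    subject_id: str   # internal customer key, not contact details
    purpose: str
    granted: bool     # True = opted in, False = withdrawn
    at: datetime      # UTC time of the interaction
    channel: str      # where it happened: "web_form", "phone", ...


class ConsentLedger:
    """Events are only ever appended; current state is derived by replaying them."""

    def __init__(self):
        self._events = []
        self._erasures = {}   # subject_id -> when the erasure was carried out

    def record(self, subject_id, purpose, granted, channel, at=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc)
        ev = ConsentEvent(len(self._events), subject_id, purpose, granted, at, channel)
        self._events.append(ev)
        return ev

    def history(self, subject_id):
        """Every consent interaction for this person, oldest first."""
        evs = [e for e in self._events if e.subject_id == subject_id]
        return sorted(evs, key=lambda e: (e.at, e.seq))

    def current_consent(self, subject_id):
        """Replay the trail. A purpose with no event at all is NOT consented
        (the code equivalent of an unticked, never pre-ticked, box)."""
        state = {p: False for p in PURPOSES}
        for ev in self.history(subject_id):
            state[ev.purpose] = ev.granted
        return state

    def may_contact(self, subject_id, purpose):
        return self.current_consent(subject_id).get(purpose, False)

    def purge(self, subject_id):
        """Right to erasure: drop the person's events and keep only a dated
        marker (no personal details) as evidence the request was carried out.
        Keeping that marker is an assumed design choice, not a legal ruling."""
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id != subject_id]
        self._erasures[subject_id] = datetime.now(timezone.utc)
        return before - len(self._events)


def subject_access_package(ledger, profiles, subject_id):
    """Everything held on one person, as a plain dict ready for json.dumps."""
    return {
        "subject_id": subject_id,
        "profile": profiles.get(subject_id, {}),
        "consent": ledger.current_consent(subject_id),
        "consent_history": [
            {**asdict(e), "at": e.at.isoformat()} for e in ledger.history(subject_id)
        ],
    }


def erase_subject(ledger, profiles, subject_id):
    """Remove the profile and the consent trail; returns the number of events dropped."""
    profiles.pop(subject_id, None)
    return ledger.purge(subject_id)


def demo():
    """Constructed sample data: one customer, three consent interactions."""
    ledger = ConsentLedger()
    profiles = {"cust-42": {"name": "A. Example", "email": "a.example@example.com"}}
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    # Web form: newsletter ticked, event reminders left unticked.
    ledger.record("cust-42", "newsletter", True, "web_form", at=t0)
    # Phone call two weeks later: newsletter consent withdrawn.
    ledger.record("cust-42", "newsletter", False, "phone", at=t0.replace(day=15))
    # Later web visit: opts in to event reminders only.
    ledger.record("cust-42", "event_reminders", True, "web_form", at=t0.replace(day=20))
    return ledger, profiles


if __name__ == "__main__":
    ledger, profiles = demo()
    print(json.dumps(subject_access_package(ledger, profiles, "cust-42"), indent=2))
    print("may send newsletter:", ledger.may_contact("cust-42", "newsletter"))
    print("events erased:", erase_subject(ledger, profiles, "cust-42"))
```

The point of deriving consent by replay rather than storing a single “subscribed” flag is that the same records answer three different questions: whether you may send this email today, what you must include in a subject access bundle, and what evidence you have of when and how consent was given or withdrawn.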
5. Data breaches
If there is a breach that is likely to pose a risk to individuals, you must report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and if the risk to those individuals is high you must inform them directly as well. You must also take appropriate technical and organisational measures to keep any data as secure as you can.
Make sure you know who has access to the data (either directly or via websites and apps), and control that access. Ensure passwords are strong and unique, remove access promptly when people leave or change roles, and rotate credentials if you suspect they have been exposed.
And don’t forget it’s not just your server or premises. Ensure backups are kept securely, and make sure any other third-parties have a clear GDPR policy.
How does this affect my website?
Firstly, your website or app is only part of the solution. You may well store your customer information in your website, but is it also stored in your stock management platform? In third-party email systems (such as Mailchimp)? Do you print orders or receive enquiries by post? All of this forms part of your compliance.
Don’t store more information than you need, and be clear about what you’re going to use and why. And give a clear and simple way of revoking the consent.
Can my CMS help with this?
Possibly. Many software vendors will provide a GDPR add-on or plugin, although they may require you to pay for it, or upgrade to the latest version of their software. This is generally a good approach, as upgrades are part and parcel of running a website and should be applied periodically anyway. And if it’s part of their core platform, as with Kentico 11, the vendor will have tested it alongside the rest of the product.
But sometimes this isn’t possible, and there is no platform-specific module. In this instance you will need to seek assistance from your developers – they will be providing a similar module for all of their clients.
If you have a form builder, you can build the additional policy requirements into your forms. Make sure you keep track of entries, and when they were submitted.
Many popular platforms such as WordPress and Drupal both suffer and benefit from their open-source nature. There are numerous GDPR plugins available, with new ones being added all of the time in the run-up to May, but which one is best? And is it supported? Given the changing landscape, the best one now may not be the best one next week. Install counts, reviews and support response times are useful guides, and you should vet a GDPR plugin the same way you would any other third-party code you install: check who maintains it, how recently it was updated, and what data it sends elsewhere.
What if I’m not compliant?
The regulation allows fines of up to 4% of annual global turnover or €20 million, whichever is higher, so non-compliance isn’t something to sniff at. There is a scale of sanctions below that, from warnings and reprimands upwards, but don’t be complacent. Supervisory authorities can perform audits, so make sure you’re on top of it.
What next?
Still want more? You can read more about GDPR on the official website, on the UK’s ICO website, and on Kentico’s GDPR page.
And get in touch if we can help with your GDPR compliance.