The General Data Protection Regulation (GDPR) is a set of rules adopted by the European Union governing the privacy and security of personal data. It applies from 25 May 2018, and any organisation that processes personal data about people in the EU must be compliant from that date.
At its heart GDPR is about protecting users' data, providing transparency about why, how and where it's stored, and allowing users to update or erase any information about themselves. We hope these guidelines for website owners are useful, but bear in mind that the scope of the regulations goes beyond that of just your website.
Hosting companies, developers and website owners all shoulder some degree of responsibility for the secure collection, storage and processing of user data. Amazing Creative will help where we can to make sure that your website complies with GDPR, but ultimately you, as the website owner, have responsibility to research, understand and comply with these new regulations.
If your website collects and stores data about users in any way, then you should make sure you understand how to become compliant with this new law. If your website includes any of the following then these regulations will affect you.
The GDPR states that organisations shouldn't collect or retain more personal data than they need. That means data should be collected for a specific, stated purpose, used only for that purpose and retained only for as long as it serves that purpose.
Before you keep or process personal data you need a lawful basis for doing so. Consent is the basis most website forms rely on, but it is not the only one: fulfilling a contract, meeting a legal obligation and a documented legitimate interest are also lawful bases. Where you rely on consent, keep a record of when and how each user gave it, and review that consent periodically rather than assuming it lasts forever. You can't hide the terms under which consent is given, and you can't make them so vague or complicated that people won't read or understand them. Giving consent must be a clear, positive action by the user (no pre-ticked boxes), kept separate from other terms and conditions, and requests must be written clearly and concisely.
Consent requests need to make it as easy (or easier) for individuals to withdraw their consent as it is for them to give it. This means individuals need to be told straight away that they can withdraw their consent at any time, and you must explain how to do it.
The GDPR gives users the right to access the personal data your organisation holds on them (a subject access request), and you normally have one month to respond. To meet this requirement, organisations need a system in place that allows staff to locate and retrieve a user's data quickly across every place it is stored. Where the request is made electronically, the information should be provided in a commonly used electronic format that the user can download.
Under the right to erasure (also known as the right to be forgotten), users can request that you delete the personal data you hold on them. The right is not absolute (for example, you may need to keep some records to meet a legal obligation), but where it applies you must delete the data everywhere you hold it, including with any third-party processors such as your hosting or email provider.
In the event of a personal data breach, you must report it to your supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. Where the breach is likely to result in a high risk to the people affected, you must also inform those users without undue delay. Keep a record of every breach, whether or not it had to be reported.
Make a list of all the data sets you currently capture on your website (e.g. contact forms, email newsletter sign-ups, user registrations, and any analytics or server logs that record IP addresses).
For each data set consider the following:-
Finally, if your website collects user data of any kind, we would recommend installing a TLS certificate (commonly still called an SSL certificate) so that the site is served over https and any plain http requests are redirected to it. This encrypts the data in transit between the browser and your server so it can't be read or tampered with on the way. It does nothing for data at rest, however: once a form submission reaches your server, database or mailbox it must still be stored and accessed securely.
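As an added example (not from the original page or from Amazing Creative), here is a minimal nginx configuration that redirects plain http requests to https, limits TLS to current protocol versions and tells browsers to keep using https. The domain example.com, the Let's Encrypt certificate paths and the web root are placeholders to be replaced with your own.

```nginx
# Added example, not the original page's code. Domain and paths are placeholders.

# Plain http: accept the connection only to send the browser to the https URL.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Permanent redirect, so browsers and search engines stop using the http URL.
    return 301 https://$host$request_uri;
}

# https: this is the only server block that actually serves content.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Certificate and private key (placeholder Let's Encrypt paths).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only current TLS versions; SSLv3, TLS 1.0 and TLS 1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header use https for this host for a year
    # even if the user types or follows a plain http link.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;
    index index.html;
}
```

After reloading nginx, check the redirect with `curl -sI http://example.com` (the first line should be an HTTP 301 and the Location header should start with https://) and check the header on the secure site with `curl -sI https://example.com | grep -i strict`. Leave HSTS out until every subdomain you use is served over https, because the includeSubDomains directive applies to all of them.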
The ICO website contains a comprehensive guide to GDPR, and it is a good starting point.