The General Data Protection Regulation (GDPR) is a new EU regulation which has been put in place to help strengthen data protection for EU citizens and residents both within the EU and the rest of the world. The regulation will ensure that websites look after your personal data.
You can read this in more detail, along with the full GDPR text, here.
When does the GDPR come into effect?
The GDPR comes into effect on the 25th May 2018 and it replaces the data protection directive from 1995.
What if my website does not comply with GDPR?
You can be fined up to €20,000,000 or up to 4% of your annual worldwide turnover. It is VERY serious!
Should you be put in this unfortunate position, make sure you contact all of the relevant people (i.e., the Supervisory Authority, your DPO, customers, etc.) and be sure that all the necessary notification forms are in place.
Who has to be GDPR compliant?
The GDPR applies to anyone who collects or processes personal data, whom the GDPR defines as a Data Controller.
Does my mobile app need to be GDPR compliant?
YES! The GDPR also applies to personal data collected through mobile devices and apps.
How about Third-party Data Processors?
EU-based businesses, as well as anyone processing the personal data of EU citizens, will be affected by the GDPR.
If you use third-party data processors and are asking yourself the questions below, then keep on reading!
Does my Mailchimp need to be GDPR compliant? Do my Google tools (Analytics, Tag Manager) need to be GDPR compliant? Does my Salesforce need to be GDPR compliant?
The GDPR would call Mailchimp, Google and Salesforce third-party data processors. Essentially this means that they are processing the data controller’s data on their behalf. The likely answer to this question is that they will have updated their Data Processing Agreements to allow their customers to continue lawfully transferring EU personal data to their software.
The best thing to do is to just Google it! You will be able to find guides from these companies telling you about what to do and safeguarding you and your work.
To find out more about a Third Party’s individual efforts to be GDPR compliant, read more on:
If you are still confused about how GDPR affects your business and you would like to seek professional advice, feel free to drop us an email here and we can help!
How can I check if my website is GDPR compliant?
First things first: do not panic! You can do a few things to check whether your website is GDPR compliant. If you are really panicking, don’t know what to do and need an answer NOW, then drop us an email and we will get back to you within a few hours, as long as you are in the UK timezone and it’s outside typical downtime hours (11pm – 7am).
Our GDPR Compliance Checklist:
The GDPR tells us that Cookies should be treated as personal data. So as with other data on the site, to become compliant, organisations will need to stop collecting cookies or find a lawful ground to collect and process this data.
Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it will be much harder to obtain legal consent. This will cover almost all advertising/marketing cookies; lots of web analytics cookies; and functional services like survey and chat tools that record user IDs in cookies.
If you are going to collect cookies you need to have the following features present in a GDPR-compliant cookie consent:
- Make sure your visitors are informed: How and why is their personal data used?
- Visitors need to be able to change their mind and withdraw consent
- Users need to be able to have all their information properly deleted
- All consent given must be recorded as documentation
CookieBot do this very well. You can see their cookie bar below:
They then go on to detail all the different Cookies they show on their site:
A simple OK button for accepting cookies is also not sufficient. If you are on WordPress there is an easy way to do this through the use of a plugin called Cookiebot. You can see details of this plugin here.
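As an added example (not code from the original post, and not Cookiebot's own implementation), here is how the four requirements in the checklist above can be captured in plain JavaScript: every non-essential purpose defaults to off and is described to the visitor, consent can be withdrawn while the record keeps a timeline, a cookie may only be set once the purpose it serves has been consented to, and the cookies to expire are listed whenever consent is absent. The purpose names, cookie names and record format are assumptions made for illustration.

```javascript
// Added example (not from the original post): a minimal per-purpose cookie
// consent record. Purpose text and cookie names below are constructed.

const PURPOSES = {
  necessary: "Required for the site to function (always on, no consent needed)",
  analytics: "Web analytics: measures page visits with a pseudonymous user ID",
  marketing: "Advertising/marketing cookies set by third parties",
};

// Non-essential cookies this site sets, keyed by the purpose they serve.
const COOKIES_BY_PURPOSE = {
  analytics: ["_ga", "_gid"],
  marketing: ["_fbp"],
};

// The consent record is a document, not a boolean, so it can be produced
// later as evidence of what the visitor was told and what they agreed to.
function createConsentRecord(choices, now = new Date()) {
  const granted = {};
  for (const purpose of Object.keys(PURPOSES)) {
    // "necessary" needs no consent; every other purpose defaults to OFF.
    granted[purpose] = purpose === "necessary" ? true : Boolean(choices[purpose]);
  }
  return {
    version: 1,                  // bump when the purpose text changes, to re-ask
    recordedAt: now.toISOString(),
    purposes: { ...PURPOSES },   // the exact wording shown to the visitor
    granted,
    history: [{ at: now.toISOString(), action: "granted", granted: { ...granted } }],
  };
}

// Withdrawal returns a new record and keeps earlier entries, so the
// history shows the full timeline rather than only the latest state.
function withdrawConsent(record, purpose, now = new Date()) {
  if (purpose === "necessary" || !(purpose in record.granted)) {
    throw new Error(`cannot withdraw consent for "${purpose}"`);
  }
  const granted = { ...record.granted, [purpose]: false };
  return {
    ...record,
    granted,
    history: [...record.history, { at: now.toISOString(), action: "withdrawn", purpose }],
  };
}

// Gate every non-essential cookie on the consent for its purpose.
function mayUseCookie(record, cookieName) {
  for (const [purpose, names] of Object.entries(COOKIES_BY_PURPOSE)) {
    if (names.includes(cookieName)) return record.granted[purpose] === true;
  }
  return false; // unknown cookie: treat as non-essential and refuse it
}

// Cookies that must be expired because their purpose is not consented to.
function cookiesToDelete(record) {
  return Object.entries(COOKIES_BY_PURPOSE)
    .filter(([purpose]) => !record.granted[purpose])
    .flatMap(([, names]) => names);
}

// In a browser, apply the deletions against document.cookie. Kept separate
// so the pure functions above can run and be tested without a DOM.
function expireCookies(names, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return;
  for (const name of names) {
    doc.cookie = `${name}=; Max-Age=0; Path=/; SameSite=Lax`;
  }
}

// Usage: record the visitor's choices from the consent bar, then clear
// whatever they did not agree to before any script tries to set it.
const record = createConsentRecord({ analytics: true });
expireCookies(cookiesToDelete(record));
```

The important design choice is that `createConsentRecord` never reads a "yes" unless the visitor supplied one, so a banner that forgets to pass a purpose cannot accidentally opt someone in, and `withdrawConsent` is the same operation in reverse with the earlier entries preserved.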
What personal data is your website currently collecting, and is it GDPR compliant?
You need to be aware of all the different types of personal data collected on your website. Websites collect many different types of data, so you need to determine what data you can and can’t collect. The less data you collect and store the better! Identify all the places on your site where you are collecting data, and make sure you are getting consent. Visitors to your site must know exactly how you are planning on using their data and must agree to each specific purpose.
Is data submitted encrypted and complying with GDPR?
Companies need to consider encryption of personal data. One way to make sure you have done this is by adding an SSL certificate to your website. This is very easy and can be done by your website developers. It is also easy to tell whether your website has an SSL certificate: look for a padlock in the address bar of your browser.
Are your consent forms UNCHECKED by default and have an easy confirmation process?
This is an important one! Make sure none of the contact forms on your website have opt-in check boxes selected by default. Double, triple, quadruple check!
See an example of what NOT to do!
Have you made it clear who your Data Protection Officer is?
You might not have one yet, but you need to designate who in your team is going to be in charge of your data privacy. Once chosen, then make this clear on your website and make their contact details clear should people have any questions.