Is your business’s website GDPR compliant? If you are unsure, you need to find out sooner rather than later, as the GDPR officially comes into force on 25th May 2018.
The GDPR specifies that non-compliance can lead to fines of up to €20m or 4% of a company’s worldwide revenue, whichever is greater. The reality is that businesses cannot afford to be non-compliant.
At Netmatters, we strongly value integrity and transparency, so we have been aware of the GDPR for some time.
The legislative text of the GDPR is a massive document, but we have outlined three key areas you can assess today to make sure you are on the right path to GDPR compliance.
1. Changes to Your Online Security
- Implement Transport Layer Security (TLS)
TLS is the standard security technology for establishing an encrypted link between a web server and a browser (it is what HTTPS uses). This encrypted link keeps any data passed between the server and the browser private from anyone able to observe the connection.
One of the key principles of the GDPR is ‘Integrity and Confidentiality’. This requires that appropriate measures are in place to protect personal data against accidental loss, theft or destruction.
A 2017 government report on cybersecurity found that 74% of UK businesses consider cybersecurity a high priority amongst senior management. You may also have encountered the term ‘privacy by design’: security measures need to be part of anything you put online from the outset, whether that is a new page for your website or a new way of collecting data.
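Having a certificate is not the same as enforcing the encrypted link. The check below is an added example, not Netmatters’ code or anything from the original article: it audits captured HTTP responses (constructed inline, so it runs without network access) for the three things a browser needs in order to stay on TLS for a site: plain-HTTP requests redirected to https://, a Strict-Transport-Security header on HTTPS responses, and cookies carrying the Secure and HttpOnly attributes. The host name, cookie names and the six-month HSTS minimum are assumptions chosen for the illustration.

```python
"""Audit captured HTTP responses for TLS enforcement (added example, not the article's code)."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Response:
    """A captured HTTP response: the URL requested, status code and headers."""
    url: str
    status: int
    headers: Dict[str, List[str]] = field(default_factory=dict)

    def header(self, name: str) -> List[str]:
        # Header names are case-insensitive, so normalise the lookup.
        return [v for k, vs in self.headers.items() if k.lower() == name.lower() for v in vs]


def audit_tls_enforcement(resp: Response) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings: List[str] = []
    scheme = urlparse(resp.url).scheme

    if scheme == "http":
        # A plain-HTTP request must be permanently redirected to the HTTPS origin,
        # otherwise the page (and any form on it) is served unencrypted.
        locations = resp.header("Location")
        if resp.status not in (301, 308) or not locations:
            findings.append("plain HTTP served without a permanent redirect to HTTPS")
        elif not locations[0].lower().startswith("https://"):
            findings.append(f"HTTP redirect points to non-HTTPS location {locations[0]}")
        return findings

    # HSTS tells returning browsers never to try plain HTTP for this host again.
    hsts = resp.header("Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = 0
        for directive in hsts[0].split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < 15768000:  # six months, an assumed minimum for this check
            findings.append(f"HSTS max-age {max_age} is shorter than six months")

    # A cookie without Secure would be sent in clear if the user ever loads an http:// URL;
    # without HttpOnly it is readable by any script running on the page.
    for cookie in resp.header("Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        name = cookie.split("=", 1)[0].strip()
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly attribute")
    return findings


# Constructed sample responses (not real captures) that exercise each check.
WEAK_HTTP = Response("http://www.example.com/", 200, {"Content-Type": ["text/html"]})
GOOD_HTTP = Response("http://www.example.com/", 301, {"Location": ["https://www.example.com/"]})
WEAK_HTTPS = Response("https://www.example.com/", 200,
                      {"Set-Cookie": ["session=abc123; Path=/"]})
GOOD_HTTPS = Response("https://www.example.com/", 200,
                      {"Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
                       "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]})

if __name__ == "__main__":
    for label, resp in [("weak http", WEAK_HTTP), ("good http", GOOD_HTTP),
                        ("weak https", WEAK_HTTPS), ("good https", GOOD_HTTPS)]:
        print(label, audit_tls_enforcement(resp) or "OK")
```

Run it against the headers your own site returns (for example from browser developer tools) and fix each finding before the deadline; the HTTP-to-HTTPS redirect is the one most often forgotten once the certificate is installed.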
2. Changes to Your Privacy Policy
- Update your website's privacy policy to better inform your users of how you handle and process the data you collect
Every website should have a privacy policy. A privacy policy outlines how and why you will collect data from visitors to your website. The usual intent is to understand user behaviour, so you can bring them a positive online experience.
The GDPR requires you to go a step further. You must keep your audience as informed as possible about what data you will be collecting and why.
The key principle to bear in mind is ‘transparency.’
Your new privacy policy should empower users to make informed decisions about what data they are comfortable with you collecting. You should therefore anticipate requests from people to access, or even erase, their personal data.
- Update your website's cookie policy to better inform your users of every type of cookie used and the purpose of each
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, organisations will need to either stop setting the offending cookies or find a lawful basis for collecting and processing that data.
3. Changes to Your Data Collection Forms
- Ensure all forms on your website collect marketing data in a GDPR-compliant manner: For example, if people who use your contact form are also added to your email marketing list, this form should include an opt-in tickbox to collect their explicit consent to receive such emails from you. This is because GDPR requires explicit user consent for direct marketing.
The GDPR defines consent as “freely given, specific, informed and unambiguous consent; which informs subscribers about the brand that’s collecting the consent and provides information about the purposes of collecting personal data” (ICO, May 2017).
- Ensure all forms on your website collect non-marketing data in a GDPR-compliant manner. If you have forms on your website through which:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect,
then you need to actively communicate privacy information on those forms. An example of such an unexpected use is adding people who fill in your contact form to profiling software you use internally.
- Ensure all forms on your website collect only the data necessary for the purposes for which they are processed: the GDPR stipulates that any personal data collected should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
An email newsletter form that collects email addresses as well as phone numbers would be in breach of this GDPR principle.
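The two form rules above (an explicit opt-in for marketing, and collecting only what each form needs) are easiest to enforce on the server, where a pre-ticked box or an extra field cannot slip through. The code below is an added example written for this article, not Netmatters’ code or any real product: the form names, the allowed field lists, the consent-text version string and the assumption that a ticked checkbox submits the value `on` are all constructed for the illustration. It records a consent record only when the box was actively ticked, and rejects a newsletter submission that arrives with a phone number instead of storing it.

```python
"""Server-side consent and data-minimisation checks for website forms (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# Fields each form is allowed to collect, per purpose (hypothetical form names).
ALLOWED_FIELDS: Dict[str, Set[str]] = {
    "newsletter": {"email", "marketing_opt_in"},
    "contact": {"name", "email", "message", "marketing_opt_in"},
}

# Version of the wording shown beside the tickbox, stored with each consent record
# so you can later show exactly what the person agreed to (constructed placeholder).
CONSENT_TEXT_VERSION = "2018-05-privacy-v1"


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    text_version: str
    given_at: datetime


class FormError(ValueError):
    """Raised when a submission breaches the minimisation or consent rules."""


def enforce_minimisation(form_name: str, submission: Dict[str, str]) -> Dict[str, str]:
    """Reject any field the named form has no declared need for."""
    allowed = ALLOWED_FIELDS[form_name]
    extra = set(submission) - allowed
    if extra:
        raise FormError(f"{form_name} form may not collect {sorted(extra)}")
    return {k: v for k, v in submission.items() if k in allowed}


def marketing_consent(submission: Dict[str, str],
                      now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Return a consent record only if the user actively ticked the opt-in box.

    Browsers omit an unticked checkbox from the submission entirely, so absence means
    no consent. Only the literal value a ticked box submits ("on", assumed here) counts;
    an empty string, "false" or any pre-filled default is treated as no consent.
    """
    if submission.get("marketing_opt_in") != "on":
        return None
    email = submission.get("email")
    if not email:
        raise FormError("marketing consent given without an email address")
    return ConsentRecord(email=email, purpose="email marketing",
                         text_version=CONSENT_TEXT_VERSION,
                         given_at=now or datetime.now(timezone.utc))


def handle_submission(form_name: str, submission: Dict[str, str]) -> Dict[str, object]:
    """Keep only permitted fields; add to the marketing list only with explicit consent."""
    clean = enforce_minimisation(form_name, submission)
    consent = marketing_consent(clean)
    return {
        "stored_fields": sorted(k for k in clean if k != "marketing_opt_in"),
        "added_to_marketing_list": consent is not None,
        "consent": consent,
    }


if __name__ == "__main__":
    # Constructed submissions, not real user data.
    print(handle_submission("contact", {"name": "A. Person", "email": "a@example.org",
                                        "message": "Hello", "marketing_opt_in": "on"}))
    print(handle_submission("contact", {"name": "A. Person", "email": "a@example.org",
                                        "message": "Hello"}))
    try:
        handle_submission("newsletter", {"email": "a@example.org", "phone": "01234 567890"})
    except FormError as err:
        print("rejected:", err)
```

Storing the consent text version and timestamp alongside the address is what lets you answer a later access request, or a regulator, with evidence of what was agreed and when; the field allowlist makes the minimisation principle a property of the code rather than of whoever last edited the form.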
Are you concerned that your website doesn't comply with the changes listed above?
At Netmatters, our experts in cyber security and data protection can advise you on what steps to take. We spend every day creating bespoke strategies for businesses. The ability to understand the unique needs of a company is critical to what we do.
So if you want to ensure that your website is GDPR compliant, contact us via the form below or ring us on 01603 515007 today.