GDPR, Whats it all about?
One question that people are starting to ask us is “should I be doing anything about this new thing called GDPR?”. Well as far as your website (and email marketing) goes, you most certainly do need to pay attention to it. That having been said, if you are running a tight ship and are using reputable systems then these new regulations should not prove too much of an issue.
What is GDPR?
GDPR stands for “General Data Protection Regulation” and is set out by the European Commission and builds on the existing Data protection laws. UK companies need to be fully compliant by May 2018 so the clock is ticking but there is still plenty of time to get things in order.
With Brexit will this still be applicable to us I hear you say. Well yes it will as the UK Government is looking to bring this into UK law by the time the compliance date arrives.
How the GDPR affects you and your website
Your website will undoubtedly ask for peoples personal data (it is a marketing tool after all). When you do this, you need to be clear about why you are asking for the data and also for how long you will be retaining it. This data can be as obvious as a name and email address or more subtle for instance an IP address. You need to pay heed as the Information Commissioner’s Office will have in place a complaint procedure that people can use if they feel you have breacher their rights and penalties look to be quite severe.
What practical actions do I need to take?
The first and most obvious step is to review your website and see what data is collected from visitors and where it flows to and is stored. The key here is that you are looking for “Personally identifiable Information”.
Once you have established what data is gathered and where it is stored etc., you need to set about making sure website visitors are clear about this. The best place to do this is on your website’s Privacy Policy (or possibly your websites T&C’s).
What if I am challenged about what data I collect?
You need to be able to easily access your data storage, wherever that is and be able to show what you collected. It goes without saying that this should be in line with what you have set out in your Privacy Policy.
On top of having quick and easy access to this data, you also need a procedure to be able to change or delete this information should the need arise.
Do I have consent to use this data?
Consent is probably one of the main issues that GDPR raises. You need to be able to prove that people have opted in to providing their data to you. Pre-filled boxed saying “I agree to opt in” are no longer acceptable as the user needs to take a physical action to tick the box in order to agree to opt-in.
Data Breeches
This is something we all dread either through negligence or a hack and it can happen even to the big boys as well as small businesses. If it does happen to you, it is your responsibility to contact the Information Commissioner’s Office and report the incident. You may also have to contact the individuals themselves but the Information Commissioner’s Office will give more advice about this when they know your specific details.
In Summary
Ultimately what you need to do to be compliant for GDPR is to be able to show you have thought through what data you collect and why. You also need to shown your website’s visitors what data you collect. as is often the case with legislation, it is not just doing the right thing but also documenting it so you can later prove you are compliant if the need arises.
If you do not already do so, you need to start implementing plans to maintain your website and use a secure, trustworthy hosting company. This is to avoid the possibility of a hack on your website.