Back to Blog Posts

GDPR - What's that all about then?

Phil Evans
By: Phil Evans
March 21, 2018
GDPR

Let me start with the disclaimer that we're not lawyers or legal experts, so you should always seek proper legal advice, but hopefully this article will give you some guidance on preparing for GDPR.

But don't panic, it's not as scary as it sounds.

We've had questions from a few clients about GDPR and what they should be doing to make their websites GDPR compliant so we thought this might be of help.

So, what in earth is GDPR

GDPR is short for General Data Protection Regulation which was approved by the European Parliament in 2016 and will come into force on 25 May 2018, so it's coming up fast.

While this is European legislation, it affects any organisations or individuals who collect data on European citizens.

There's a lot of detail in the legislation, but the main points to consider are

  • Increased territorial scope. This legislation affects not only businesses and organisations operating in Europe, but also those ‘processing the personal data’ of people living in the European Union. Which is pretty much any website or app in the world.
  • Consent. Everyone whose data you collect must consent to you doing so. This doesn’t just apply to data gathered via forms but also to data picked up in the background such as IP addresses, if it’s used to identify an individual. So, make sure that you have double opt-in enabled if you're collecting user data for email marketing campaigns etc.
  • Right to access. Individuals will have the right to access to their data and to information on how it’s being processed and used.
  • Right to be forgotten. An individual will have the right to have their data erased, and for it to no longer be disseminated.
  • Privacy by design. This means that instead of bolting on data privacy, it will have to be incorporated into the design of a system from the outset.

Fines can be hefty and a plea of ignorance just isn't going to cut it. So please take the time to look into this ...

But this doesn't affect me, does it? I'm not Facebook or Google.

Even if all you have is a "brochure-ware" site with a simple contact form, at the very least you should provide an updated privacy and cookies policy.

Have a think about the following:

  • do you store any data from contact forms, and/or use services like MailChimp etc.?
  • does your site uses any analytics or tracking services where a user can be identified by IP, email, name etc.?
  • do you have any interactive elements on your site that allows people to comment on posts or pages?
  • do you collect customer data via any e-commerce applications?
  • do you operate any social platform on your site?

In the event that a customer or user requests to see the data that you hold on them, or requests that you delete the data you hold on them, then you must have the processes in place to handle these types of requests within the timescales laid out in the new GDPR regulations.

The new legislation may also have an impact on your wider organisation or business, so bear that it mind as well.

So what do I do now?

A good place to start is with the ICO in the UK.

They provide a really useful guide to the new GDPR legislation which you should take a look at. They provide links to a 12 step plan and a GDPR checklist which is a great place to start.

If you don't have the time or resources to re-write your existing privacy policy to cover GDPR, have a look an online resources. SEQ Legal have some GDPR specific templates that are worth looking at.

What else should I think about

The above will get you started, but you should also carry out an audit for your site and for your wider organisation as suggested by the ICO 12 Steps plan.

You owe it to your customers/users and your organisation to keep their data safe.

  • do you have a cookies warning enabled?
  • make sure that your site is secure and that admins and managers are using super strong passwords
  • change passwords regularly, and make sure they're strong
  • think about enabling two factor authentication for admins and managers
  • enable SSL if it isn't already enabled
  • if you're storing sensitive user data, think about encrypting that data

I hope this helps answer some of the questions that have been raised. For most, this shouldn't be major issue, but I recommend acting now rather that leaving it to the last minute.

If you have any questions, or need any help, feel free to raise a support ticket via our help desk.

Keep up to date with our latest news and insights
Name(Required)

About Us
Rubber Duck Digital is a full service digital agency providing a range of digital products and services to companies and organisations around the world.
Contact
+44 (0) 7887 545137
[email protected]
arrow-left