You have more than likely heard about the General Data Protection Regulation (GDPR), but you may not know how it is going to affect your business, and what it means for your website. Most businesses will find that there are areas of their website which need to be checked, and potentially revised, before GDPR becomes a reality in May 2018.
The aim of this article is to look at how GDPR can affect the set up of your website and the data you hold as a result of people visiting the site.
What You Need to Think About
There are several areas of your website that you need to look at, when it comes to the collection and processing of data. Here are a few of the areas that you should check, prior to May 2018.
- Format of contact forms and storing of data received.
- Comments on your blog pages.
- Live chat facilities.
- Comments on forums.
- Registration facilities and how data is used and stored.
All of these areas need to be examined.
What You Should Ask Yourself
When you are determining whether or not your website is GDPR compliant you need to check what information you are holding, whether it is being held securely, whether you can easily access it if you receive a system access request (SAR) and whether you have consent to use the data and whether you need to continue holding it. The last point is very important; any data that you do not need should be deleted, both to comply with GDPR and because it makes things a lot easier for your business.
If you have not already determined whether or not your website is GDPR compliant, and taken action to resolve issues, you should do so immediately. Failure to do so could result in sanctions for non-compliance, potentially including a fine.
GDPR Certification: Not Mandated But Useful Process
You may have seen several organisations offering certification and training for the General Data Protection Regulation (GDPR). This sort of training is intended to inform as to the rules of GDPR, and look at issues such as consent, security and data access. The truth is that none of these certificates are officially recognized as they are not issued by recognized certifying authorities.
The Information Commissioner’s Office in the UK is intending to set up some recognised certifying authorities, prior to the May 2018 deadline for GDPR compliance. Certification by these authorities is not mandated, but your business may find it useful in helping it to ascertain how it can achieve, and prove, compliance.
Why is proof so important?
When GDPR comes into the force, a Data Protection Authority (DPA), such as the ICO, will be able to audit businesses, and punish them for non-compliance. It is not enough for a business to be compliant; it has to be able to prove that it is. This means that your business has to have compliance processes and procedures in place, and they need to be integrated into the running of the business. There is also a need for controls and risk mitigation plans, as well as plans on how to report data breaches within the mandated 72 hours.
In order for your business processes and procedures to be compliant, you need to ensure that the whole of the GDPR is considered, not just specific parts of it. In reality, DPAs are likely to concentrate on dealing with businesses that are obviously non-compliant, at least at first.
You should always remember that your business could be audited at any time. If your business is found to be non-compliant, you could be faced with a hefty fine as a result. You do not need to be GDPR certified, but you do need to be GDPR compliant.