If you haven't already kicked off a project to get your website GDPR compliant, you should start now
With less than a year until its implementation, it is essential to plan your strategy to ensure GDPR compliance now and to secure ‘buy in’ from key stakeholders in your organisation.
What’s the Difference between GDPR and the DPA (Data Protection Act)?
Even if your business is fully compliant with the DPA, there will still be some additional measures to take. Many of the principles and concepts are similar to the current Data Protection Act; however, some parts are totally new while others have been enhanced.
This means in real terms you may need to put in place new procedures to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant implications for several areas including budget, IT, personnel, governance and communications. As this will affect more than one department it is essential that all staff members are aware of the changes that are due to take place and action is taken long before the deadline.
Full details of the measures required can be found on the Information Commissioner’s Office website, but we’ve looked at some of the points relating to your website below:
What changes might I need on my website?
1) GDPR requires you to state your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO - meaning your privacy notice will need to be updated on your site. Start with a Data Flow Audit of personally identifiable information (PII) and map out the flow from your website to its database and other systems.
2) You need to have procedures in place to allow for deleting personal data and providing it in a commonly used electronic format. This must be done free of charge, so it needs to be performed as efficiently as possible. In our experience clients often have data stored in many different systems, so careful planning on how to achieve this is important.
3) The right to data portability - This applies to personal data that an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is automated. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting usability - if your site doesn’t already allow quick downloading of your clients’ account transactions (for example) then this will need to be rectified.
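Points 2 and 3 above (erasure, and providing data in a commonly used format) are easiest to get right when the output of the data flow audit is written down as code: one map of which field identifies the person in each system, and one handler that exports and erases across all of them. The following Python is an added example, not code from the original article; the three systems, their records and the `SubjectRequestHandler` class are constructed for illustration and stand in for a website database, a CRM and a newsletter tool.

```python
"""Added example (not from the original article): a minimal data subject
request handler that gathers one person's records from several constructed
in-memory systems, exports them in a commonly used machine-readable format
(JSON), and erases them everywhere. The system names, fields and the
SubjectRequestHandler API are assumptions for illustration."""
import json
from copy import deepcopy

# Constructed sample data standing in for a website database, a CRM and a
# newsletter tool. Each system keys records differently, which is the usual
# reason a single "delete account" button does not satisfy an erasure request.
SYSTEMS = {
    "website_accounts": [
        {"user_id": 42, "email": "alice@example.com", "name": "Alice", "postcode": "AB1 2CD"},
        {"user_id": 43, "email": "bob@example.com", "name": "Bob", "postcode": "EF3 4GH"},
    ],
    "crm": [
        {"contact_email": "alice@example.com", "policy_ref": "POL-0001", "phone": "01234 567890"},
    ],
    "newsletter": [
        {"address": "alice@example.com", "opted_in": True},
        {"address": "bob@example.com", "opted_in": False},
    ],
}

# Which field identifies the data subject in each system: this is the map a
# data flow audit of PII produces, recorded where the code can use it.
EMAIL_FIELD = {"website_accounts": "email", "crm": "contact_email", "newsletter": "address"}


class SubjectRequestHandler:
    def __init__(self, systems):
        self.systems = systems

    def _matches(self, system, record, email):
        # Email comparison is case-insensitive so "Alice@Example.com" still matches.
        return record.get(EMAIL_FIELD[system], "").lower() == email.lower()

    def export(self, email):
        """Right of access / portability: return every record held about the
        subject, grouped by system, as a plain dict (copies, never the live rows)."""
        found = {
            system: [deepcopy(r) for r in records if self._matches(system, r, email)]
            for system, records in self.systems.items()
        }
        return {"subject": email, "systems": found}

    def export_json(self, email):
        """Same data in a commonly used electronic format, ready to hand over."""
        return json.dumps(self.export(email), indent=2, sort_keys=True)

    def erase(self, email):
        """Right to erasure: remove the subject's records from every system and
        return a per-system count so the request can be evidenced afterwards."""
        removed = {}
        for system, records in self.systems.items():
            keep = [r for r in records if not self._matches(system, r, email)]
            removed[system] = len(records) - len(keep)
            records[:] = keep  # mutate in place so callers holding the list see the change
        return removed


if __name__ == "__main__":
    handler = SubjectRequestHandler(deepcopy(SYSTEMS))
    print(handler.export_json("alice@example.com"))
    print("erased:", handler.erase("alice@example.com"))
```

In a real deployment each entry in `SYSTEMS` would be an adapter to a database or a third-party API, but the shape is the same: the audit tells you where the PII lives and which key finds it, and the handler is the single place that turns a request into the same action in every system.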
4) The right not to be subject to automated decision-making, including profiling. As much of the insurance industry uses this for underwriting, this could mean a longer process of obtaining specific consent for the use of automated decision-making - something which will need to be added to the site as part of the online buying journey.
5) Consent - Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. If your site says ‘if you do not consent please tick this box’ or assumes consent unless advised otherwise then this will need to be changed.