If you haven't already kicked off a project to get your website GDPR compliant, you should start now.
With less than a year until its implementation, it is essential to plan your strategy to ensure GDPR compliance now and to secure ‘buy in’ from key stakeholders in your organisation.
What’s the Difference between GDPR and the DPA (Data Protection Act)?
Even if your business is fully compliant with the DPA, there will still be some additional measures to take. Many of the principles and concepts are similar to the current Data Protection Act; however, some parts are totally new, while others have been enhanced.
This means in real terms you may need to put in place new procedures to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant implications for several areas including budget, IT, personnel, governance and communications. As this will affect more than one department it is essential that all staff members are aware of the changes that are due to take place and action is taken long before the deadline.
Full details of the measures required can be found on the Information Commissioner’s Office website, but we’ve looked at some of the points relating to your website below:
What changes might I need on my website?
1) GDPR requires you to state your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO - meaning your privacy notice will need to be updated on your site. Start with a Data Flow Audit of personally identifiable information (PII) and map out the flow from your website to its database and other systems.
2) You need to have procedures in place to allow for deleting personal data and providing it in an electronic format that is commonly used. This will need to be done free of charge so needs to be performed as efficiently as possible. In our experience clients often have data stored in many different systems, so careful planning on how to achieve this is important.
3) The right to data portability - This applies to personal data that an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is automated. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting usability - if your site doesn’t already allow quick downloading of your clients’ account transactions (for example) then this will need to be rectified.
4) The right not to be subject to automated decision-making, including profiling. As many in the insurance industry use this for underwriting, this could mean a longer process of obtaining specific consent for the use of automated decision-making - something which will need to be added to the site as part of the online buying journey.
5) Consent - Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. If your site says ‘if you do not consent please tick this box’ or assumes consent unless advised otherwise then this will need to be changed.
6) Data Breaches - The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant disadvantage. You will need to have your site’s security regularly checked and updated to ensure you don’t ever have to advise your customers that their data has got into the wrong hands.
7) Data Protection by Design - the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. This will need to be considered when designing a new site or updating an existing one. It is already safer and more cost effective to think about data privacy from the start rather than adding it in afterwards.
Do I need to comply?
If you are a company which operates within the EU and processes any kind of personal information, then you have to comply with these new rules. Brexit does not affect this, as the rules will come into force before the UK leaves the EU.
What are the penalties for non-compliance?
For the most serious violations the consequences of not adhering to the GDPR are severe. The ICO will have the power to fine companies up to 20 million Euros or 4% of a company's annual turnover for the preceding year. It is essential that companies prioritise this sooner rather than later.
Where do I start?
If you would like to get a head start on ensuring your website's compliance with the GDPR, then let us help you. Email us at email@example.com or call 0207 977 9230.
Please note: This article does not constitute a recommendation for your company nor professional advice. These are only the parts of the GDPR that may require changes to your website or its design. There are many other components to the GDPR not listed here that may be applicable to you; these can be found on the Information Commissioner’s Office website. We take no responsibility for actions taken as a result of this article.