***disclaimer*** I’m not a lawyer and what follows is my understanding of GDPR. It’s up to you to check it out fully and I’ve included some links to help you with that.
Yay! A new regulation (said nobody, ever)
This week I’m going to look at this new regulation and how it affects you.
This is the official website to explain it all to you:
Don’t want to read all that? Well, let’s try and figure it out…
What is it?
Remember the Data Protection Act? Well, this replaces it. It comes into force on 25th May 2018 and is all about how an individual’s personal data is dealt with and stored.
Do I need to do anything?
Probably. Let’s take a look at the GDPR definition of personal data:
“The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
As a website owner, you’re bound to have a contact form for enquiries. That would be personal data. You need to clearly define what you do and how you use that data.
What do I need to do?
- Who you are and how you can be contacted
- Why you need the data
- Who will have access to the data
- How long you’re keeping the data
- How someone should request removal of any of their data that you hold
- How, in the event of a hack or security breach, you will notify the person
You need to get explicit and clear consent to collect the data in the first place via an opt-in (you can’t use a negative “tick if you don’t want to” type box). You also can’t have the “yes, I agree to this” type box ticked by default.
OMG, What should I do?
Don’t panic! This is the point to look at how you deal with peoples’ personal data.
- Your contact/enquiry form – All those questions and tick boxes you’ve got on there… do you really need all of that information? Take a look at how you can just request the bare minimum of information to be able to move forward. This will probably have the bonus of also helping your contact rate, as people hate filling in long contact/enquiry forms.
- Insert a paragraph that explains that by filling in the contact form they are giving consent. Plus, perhaps an unchecked tick box to indicate they give their explicit and clear consent for you to use the data to contact them.
Think about how you store peoples’ personal data. Do you store it on a computer or on your phone? Do you take reasonable steps to keep it secure? Is it password protected. When do you delete it or does it stay wherever forever? A lot of this is going to involve you looking at what you do with the data. Security of data is a whole area in itself, but follow best practice regarding passwords and encryption.
What about my mailing list?
If you collect data and add people to a mailing list, then you need to make sure people understand that that is what you are going to do and how they can get their data removed. The easiest way to do this is to use one of the many mail list products like MailChimp and make sure you follow all of the advice on set up. You must get explicit and clear consent to do this.
What about Facebook?
What about clients already on my mailing list?
You’ve probably been getting loads of emails recently from companies where you’ve signed up to email newsletters etc in the past – well, that’s because of GDPR. You need to do the same and contact each person on your list to get explicit and clear consent to continue.
So the upshot is…
Basically, to make your site GDPR compliant, it boils down to making sure you’re transparent with people. Let them know what you’re doing with their personal data, don’t ask for extraneous information, and let them opt-in to giving it to you, rather than you taking it by default.
There are mentions of huge fines (up to 20 million euros!) if you’re not found to be complying with the regulation and “I didn’t know” is not an excuse. Show that you’re striving to be compliant and you should be ok, but don’t bury your head in the sand and ignore it.
Well, that’s it until next week.
If you have anything you’d like me to explain in a blog, drop me an email.
We build WordPress websites primarily for local businesses in the Oxfordshire area. If you’d like to get in touch to see how I can help your business to get on line or improve its online presence, then drop me an email: firstname.lastname@example.org