GDPR stands for General Data Protection Regulation, a European Union-wide law on how data is collected, used and stored. It applies to anyone who collects or processes personal data. Breaches of the law not only result in fines of up to €20 million, but can also seriously damage your company’s reputation.
If you have a website that can be accessed by EU users, you will probably need to make it GDPR compliant. If you haven’t already done so, you could face a significant fine, as the GDPR compliance date was 25 May 2018.
The main purpose of GDPR is to protect the rights of EU residents and give them more control over their personal data. In recent years, many businesses have realised how GDPR affects websites and their owners, and a host of changes have followed to ensure their sites are compliant. However, some businesses are unsure of how to make their website GDPR compliant, while others have ignored GDPR requirements entirely and could face severe financial penalties.
How to make your website GDPR compliant
One of the key requirements to make your website GDPR compliant is to address the issue of consent. Information cannot be collected and processed unless consent is obtained from the user. While most websites describe in their privacy policy the information that is collected and how it is processed, under GDPR this is not sufficient.
It is no longer possible to argue that continued use of the website constitutes consent to the site’s privacy policy. Consent must be explicitly obtained by clear, decisive action. If your website doesn’t collect personal data (including IP addresses), doesn’t use cookies, and doesn’t have contact forms or newsletters, you won’t have to make changes to comply with GDPR.
Under the GDPR, it is not acceptable to use pre-ticked boxes when obtaining consent to collect and process personal data. Users must provide clear consent, and if checkboxes are used, they must be ticked by the users themselves. Visitors must also be informed how long their personal data will be stored and with whom it will be shared.
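The following is an added example, not code from the original article: it shows one way a site could implement the consent rules just described on the server side. The checkbox is rendered without a `checked` attribute so the visitor must tick it, the server refuses to record consent unless the box was actually submitted, it refuses to record consent if the visitor was not shown the retention period and recipients, and withdrawal is as easy as giving consent. The field names, the in-memory consent log and the sample submissions are constructed for this example.

```javascript
// Added example (not from the original article). Field names, the in-memory
// store and the sample submissions are constructed for illustration.

// Render the consent box unchecked: there is deliberately no `checked`
// attribute, so the only way it gets ticked is by the visitor's own action.
function renderConsentCheckbox(purpose) {
  return `<label><input type="checkbox" name="consent_${purpose}" value="yes"> ` +
         `I agree to the processing of my data for ${purpose}</label>`;
}

// Minimal in-memory consent log (a real site would persist this).
const consentLog = [];

// Record consent only when the submission carries an explicit "yes" for the
// purpose AND the visitor was shown how long data is kept and who receives it.
// Returns the stored record, or null when no valid consent was given.
function recordConsent(submission, now = new Date()) {
  const { userId, purpose, fields, notice } = submission;
  // An unticked box is simply absent from the form data, so "missing" means
  // "no consent"; an empty string or any other value is rejected as well.
  if (!fields || fields[`consent_${purpose}`] !== 'yes') return null;
  // Without a retention period and a recipient list the visitor was not
  // properly informed, so the consent is not recorded.
  if (!notice || !notice.retentionDays || !Array.isArray(notice.sharedWith)) return null;
  const record = {
    userId,
    purpose,
    givenAt: now.toISOString(),
    retentionDays: notice.retentionDays,
    sharedWith: [...notice.sharedWith],
    noticeVersion: notice.version, // which wording the visitor actually saw
    withdrawnAt: null,
  };
  consentLog.push(record);
  return record;
}

// May the site currently process data for this purpose? Consent counts only
// while it has not been withdrawn and the stated retention period has not run out.
function hasConsent(userId, purpose, now = new Date()) {
  return consentLog.some(r => {
    if (r.userId !== userId || r.purpose !== purpose || r.withdrawnAt) return false;
    const expiresAt = new Date(r.givenAt).getTime() + r.retentionDays * 86400000;
    return now.getTime() < expiresAt;
  });
}

// Withdrawing consent must be as easy as giving it: one call, no questions.
function withdrawConsent(userId, purpose, now = new Date()) {
  let changed = false;
  for (const r of consentLog) {
    if (r.userId === userId && r.purpose === purpose && !r.withdrawnAt) {
      r.withdrawnAt = now.toISOString();
      changed = true;
    }
  }
  return changed;
}

// Constructed sample data for a stand-alone run.
const sampleNotice = { version: '2024-01', retentionDays: 365, sharedWith: ['newsletter provider'] };
const sampleOptIn = { userId: 'u1', purpose: 'newsletter', fields: { consent_newsletter: 'yes' }, notice: sampleNotice };
const sampleNoTick = { userId: 'u2', purpose: 'newsletter', fields: {}, notice: sampleNotice };

function demo() {
  console.log(renderConsentCheckbox('newsletter'));
  console.log('opt-in  :', recordConsent(sampleOptIn));
  console.log('no tick :', recordConsent(sampleNoTick)); // null
  console.log('u1 ok?  :', hasConsent('u1', 'newsletter'));
  withdrawConsent('u1', 'newsletter');
  console.log('after withdrawal:', hasConsent('u1', 'newsletter'));
}
demo();
```

The important design choice is that "no field submitted" is treated the same as "no consent": browsers omit unticked checkboxes from form data entirely, so a server that treats a missing field as a default of "yes" would silently recreate the pre-ticked box the regulation forbids.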
All data must be limited to the minimum amount necessary to achieve the purpose for which it is collected. GDPR also requires all personal data to be secure, so data encryption must be considered.
It is important that visitors can easily contact you if they wish to exercise their right to be forgotten, request a copy of any data that has been collected, or check their personal details for accuracy, so all contact information on the site must be kept up to date.
Should a website visitor wish to be forgotten, it is useful to have a mechanism that allows this to happen automatically. Performing such a task manually will be time-consuming, especially if multiple requests are received.
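As an added example, not code from the original article, the following sketches an automated erasure handler of the kind the paragraph above recommends. It works over a constructed in-memory store in which one visitor's data lives in several places under two different identifiers (a user id and an e-mail address), including an access log whose IP addresses are themselves personal data. Records that must be kept for another reason are anonymised rather than deleted (that a retention reason exists for orders is an assumption of this example), and the audit trail records only a request reference, never the data that was erased. All collection names and records are invented.

```javascript
// Added example (not from the original article). The store layout, the
// retention rule for orders and the sample records are constructed.

// Constructed sample store: the same person appears under a user id and
// under an e-mail address, and in an access log with IP addresses.
function makeSampleStore() {
  return {
    users:        [{ id: 'u1', email: 'ann@example.com', name: 'Ann' },
                   { id: 'u2', email: 'bob@example.com', name: 'Bob' }],
    newsletter:   [{ email: 'ann@example.com', subscribedAt: '2024-01-10' }],
    formMessages: [{ userId: 'u1', body: 'Please call me back' },
                   { userId: 'u2', body: 'Invoice question' }],
    accessLog:    [{ ip: '203.0.113.7', userId: 'u1', path: '/contact' },
                   { ip: '198.51.100.9', userId: 'u2', path: '/' }],
    // Assumed to be retained for accounting: anonymised, not deleted.
    orders:       [{ id: 'o1', userId: 'u1', total: 42.0 }],
  };
}

// Audit trail of completed erasures. Deliberately contains no personal data:
// only the request reference and what was removed, so the site can show a
// request was honoured without re-creating what it just erased.
const erasureAudit = [];

// Erase one visitor from every collection. Returns the audit entry, or null
// if the user is unknown (so a second request cannot report a false success).
function eraseVisitor(store, requestId, userId, now = new Date()) {
  const user = store.users.find(u => u.id === userId);
  if (!user) return null;
  const email = user.email;
  const removed = {};

  // 1. Collections keyed by user id: delete the records outright.
  for (const coll of ['formMessages', 'accessLog']) {
    const before = store[coll].length;
    store[coll] = store[coll].filter(r => r.userId !== userId);
    removed[coll] = before - store[coll].length;
  }
  // 2. Collections keyed by a different identifier for the same person.
  const beforeNews = store.newsletter.length;
  store.newsletter = store.newsletter.filter(r => r.email !== email);
  removed.newsletter = beforeNews - store.newsletter.length;
  // 3. Records that must be kept: cut the link to the person instead.
  let anonymised = 0;
  for (const o of store.orders) {
    if (o.userId === userId) { o.userId = null; anonymised++; }
  }
  removed.ordersAnonymised = anonymised;
  // 4. The user record itself, last, so steps 1-3 could still look it up.
  store.users = store.users.filter(u => u.id !== userId);
  removed.users = 1;

  const entry = { requestId, completedAt: now.toISOString(), removed };
  erasureAudit.push(entry);
  return entry;
}

// Self-check before replying to the requester: how many of the person's
// identifiers still occur anywhere in the store? Should be 0 after erasure.
function remainingReferences(store, userId, email) {
  const json = JSON.stringify(store);
  return (json.includes(`"${userId}"`) ? 1 : 0) + (json.includes(email) ? 1 : 0);
}

function demo() {
  const store = makeSampleStore();
  console.log('before:', remainingReferences(store, 'u1', 'ann@example.com'));
  console.log(eraseVisitor(store, 'REQ-001', 'u1'));
  console.log('after :', remainingReferences(store, 'u1', 'ann@example.com'));
}
demo();
```

The self-check at the end is the part most often missing from hand-written erasure scripts: searching the whole store for both identifiers catches the collection that was added after the script was written.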
It is the responsibility of all website owners to familiarise themselves with GDPR rules and make their websites compliant. If a breach is found, the supervisory authority must be notified within 72 hours.