The deadline for the EU General Data Protection Regulation (GDPR) is drawing closer, and it’s important to make sure that your website complies. In short, it is a single regulation that requires businesses to protect the personal data and privacy of people in the EU (it applies to anyone in the EU, not only EU citizens). It’s not optional: non-compliance can bring heavy fines, and the fines are only the most visible consequence. The good news is that avoiding all this hassle isn’t tricky; it just means making sure you’re prepared.
The GDPR is widely seen as setting a new standard for consumer rights over personal data. Privacy and security are definitely hot topics in the industry right now; you may already have read our blog about Google’s latest update to make the Chrome browser more secure.
Essentially, the core aim of the GDPR is to ensure that businesses properly protect their customers’ information. It also takes a broad view of what counts as ‘personal data’. Names and addresses are obviously top of the list, but so are online identifiers such as IP addresses, which the GDPR treats as personal data in just the same way as phone numbers and postal addresses.
There are well over 50 pages in the Regulation itself, so for your convenience I’ll sum up its key points for you:
Though obviously there’s more depth to it than that, it all sounds pretty simple and achievable so far. Quite fair, too!
Depending on who you ask, and what your business is, you might hear all sorts of recommendations on how to prepare for the GDPR. You’ll be glad to hear, though, that no matter how large-scale and complex they seem, they all have the same few key points in common. If you’re a small to medium enterprise (as many of our customers are), you should make sure to:
Take an in-depth look at the data you already hold on your customers and make sure that it’s all in line with the GDPR. That means you shouldn’t hold any more information than you strictly need for a stated purpose, you should be able to say what lawful basis you have for holding each piece of it, and you need to keep it accurate and up to date.
Get together with key members of staff and come up with a plan for how you’re going to store and protect data going forward. Amongst other things, that means keeping an audit trail for the data from the moment you collect it to the moment you delete it, identifying any potential weak points in your systems (including any third parties that process data on your behalf), and planning how you’re going to respond in the event of a data breach. Bear in mind that a breach which puts people’s rights at risk has to be reported to the supervisory authority without undue delay, and where feasible within 72 hours of your becoming aware of it, so the plan needs to name who decides, who reports, and what records are kept.
Bigger organisations may be required to appoint a Data Protection Officer (DPO), and the GDPR decides this by what you process rather than simply by how big you are: public authorities, and businesses whose core activities involve large-scale monitoring of people or large-scale processing of sensitive data, must appoint one. If you’re a smaller business that doesn’t fall into those categories, there’s no rule that says you have to hire someone new; the role can be a part-time duty for an existing member of your team, provided their other duties don’t conflict with it. Essentially, as long as someone is responsible for making sure that your data collection and storage processes stay within the law at all times, you shouldn’t have much to worry about.
The Right To Be Forgotten is the informal name for the GDPR’s right to erasure. Consent is one of the lawful bases on which you can hold someone’s data, but it is not the only one; what matters is that you have a valid basis for every piece of personal data you keep. If a person withdraws their consent, objects to the processing, or the data is no longer needed for the purpose you collected it for, they can ask you to delete it, and you generally have to do so within a month. The GDPR also gives people separate rights to see what you hold about them, to have it corrected, and to have it transferred to another provider. Whatever the request, it’s really important that you’re prepared (and able) to act on it: you need to know where every copy of the data lives, including backups, exports and any third-party services you have passed it to.
Don’t forget, if you’re worried or stuck, at Twentyone we’re here to help! Feel free to call into the office on 01254 660 560, and one of us will be only too happy to put your mind at ease. While you’re here, you can find out more about our Web Development services, and it’s also a good plan to check out our blog on SSL Certificates, and why you should get yours sorted!
Michael Cain is Twentyone’s Technical Director, responsible for developing, coding and maintaining the technical infrastructure of our clients’ websites here at Twentyone. A die-hard Clarets fan with a passion for football, in his spare time he’s a coach and talent scout for Manchester City Youth Academy.