Slightly over two years since it was approved, the General Data Protection Regulation (GDPR) went into effect on the 25th of May 2018. Assuming you have an email account, you can’t possibly have missed the barrage of emails from concerned businesses seeking your consent to keep receiving their marketing materials.
The goal of the GDPR is to protect user data within Europe and for European citizens worldwide. That means its limits apply both to businesses that operate within Europe and those that operate elsewhere in the world but store data on people located in Europe.
While it isn’t the end of the world, the GDPR definitely isn’t something to overlook if you have a business website (or even if you have a non-business website that collects data of any kind). It’s a serious consideration meriting a serious response, and it’s important for any business that hasn’t prepared for GDPR to get up to speed as a matter of urgency.
Assuming that you are in Europe or store the data of European citizens, here’s how you can make your website GDPR-compliant as soon as possible:
Determine if you need a Data Protection Officer (DPO)
This might actually be the trickiest step, because the wording isn’t all that clear. Article 37 states that a DPO is required when the body processing data is:
- A public authority or body, except for courts acting in their judicial capacity.
- Carrying out regular, systematic and large-scale monitoring of data subjects.
- Doing large-scale processing of special categories of data relating to things like race, ethnicity, political opinions, religious beliefs, sexual orientation, biometric data, criminal activities, or criminal convictions.
You can most likely rule out the first and third criteria, but the second is more awkward, because what counts as ‘large-scale’ monitoring? WP29 guidelines clarified the following about the processing that would require a DPO:
- It must be an inextricable part of the operation. Any required processing for ‘ancillary’ functions like payroll or IT support is disregarded.
- It must be assessed as large-scale, based on the number of data subjects, the volume of data, the duration of processing, and how far the processing spreads geographically.
- It must be consistent and methodical. This isn’t limited to online data, but can also apply to data about offline activity.
While you’re still unlikely to need a DPO (because large-scale data processing isn’t typical), you should note down your reasons for not appointing one, just in case you’re ever challenged on it. You can appoint one even if you don’t need one, but you then need to follow all the DPO criteria, so it’s not something to be done frivolously.
Get opt-in consent from your users
Now any data collection has to be done in a very particular way to avoid falling foul of GDPR, so you will likely need to update your email policies at the very least. GDPR applies to data that allows you to identify individuals, and since email marketing lists are based on just that, you need to have everyone on your mailing list opt in.
In doing so, you need to provide a policy for your use and handling of their data, and it has to be crystal-clear and easy to access. If you have a mailing list but have yet to do anything for GDPR, you should stop any marketing campaigns you’re running and send out GDPR compliance emails prompting subscribers to click a button to provide their knowing consent.
When sending out compliance emails, try to phrase your requests very gracefully. As previously noted, there have been so many going around that users are likely to ignore them entirely if you’re not delicate. You need to get your call-to-action just right.
If time passes and you don’t receive consent from some users, well, it’s up to you whether you keep the data until you hear from them or simply delete it. The former approach is somewhat risky. What you might want to do is anonymise the data, taking out the parts that could identify individuals and leaving you with data that is less valuable but probably still worth something.
Store your data correctly
GDPR is very clear about how you can store personal data, what you can do with it, and how you must handle it from a security standpoint. In general, you should make sure that your data stores are:
- Secured with tiered permissions on a need-to-know basis. When an employee leaves, their access must be rescinded, and all steps should be taken to prevent avoidable data leaks.
- Able to be opened for access or deleted upon request. Under GDPR, individuals may request to view or delete all of the data you have on them. You must oblige within a month.
- Viewable from one location. Owing to the importance of monitoring and regulating processing scale, aggregate your data in one view.
- Lawful, accurate, and necessary. If you no longer need data, you should delete it. If you can no longer verify its accuracy, you should delete it. You get the idea!
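As an added illustration (not code from the original post) of the opt-in, anonymisation and deletion steps described above, here is a small Python mailing-list store that keeps a consent record per subscriber, anonymises anyone who never opted in once a grace period passes, honours erasure requests with their one-month deadline, and purges records past a retention schedule. The class and field names, the 30-day grace period and the two-year retention period are assumptions, not values from the post.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_DAYS = 30        # assumed: how long to wait for a reply to the consent email
RETENTION_DAYS = 730   # assumed: retention schedule for consented records

@dataclass
class Subscriber:
    email: str
    name: str
    signup: date                         # date of signup (consent email sent then)
    consent_on: "date | None" = None     # date the subscriber clicked "I consent"
    consent_source: str = ""             # how consent was obtained (Article 30 record)

@dataclass
class MailingList:
    subscribers: list = field(default_factory=list)
    anonymised: list = field(default_factory=list)   # non-identifying leftovers
    erasure_log: list = field(default_factory=list)  # (requested, due) date pairs

    def record_consent(self, email: str, on: date, source: str) -> bool:
        """Store the opt-in with its date and provenance; False if address unknown."""
        for s in self.subscribers:
            if s.email == email:
                s.consent_on, s.consent_source = on, source
                return True
        return False

    def anonymise_non_consenting(self, today: date) -> int:
        """Drop email and name of anyone not opted in within GRACE_DAYS of signup,
        keeping only the signup month for aggregate statistics."""
        stale = [s for s in self.subscribers
                 if s.consent_on is None and (today - s.signup).days > GRACE_DAYS]
        self.anonymised += [{"signup_month": s.signup.strftime("%Y-%m")} for s in stale]
        self.subscribers = [s for s in self.subscribers if s not in stale]
        return len(stale)

    def erase(self, email: str, requested_on: date) -> date:
        """Honour a right-to-erasure request and log its one-month deadline."""
        self.subscribers = [s for s in self.subscribers if s.email != email]
        due = requested_on + timedelta(days=30)
        self.erasure_log.append((requested_on, due))
        return due

    def purge_expired(self, today: date) -> int:
        """Delete records older than the retention schedule (measured from signup)."""
        kept = [s for s in self.subscribers if (today - s.signup).days <= RETENTION_DAYS]
        removed = len(self.subscribers) - len(kept)
        self.subscribers = kept
        return removed
```

The erasure log and the consent source fields are what you would point to when asked to show how and when consent was obtained and how quickly a deletion request was honoured.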
Handling all of these things can get complicated, so be sure to seek further assistance if necessary. No one is expected to know it all within the near future. You can also make use of software if you don’t have the time to learn more about it.
One of the primary advantages of a DIY website with WordPress has always been the availability of free or cheap plugins, and some have already been released to aid with GDPR compliance. If you run on WordPress, you can try using this GDPR plugin to save a lot of time. Otherwise, there are various GDPR toolkits that can point you in the right direction.
Establish security as a team priority
It’s no use getting compliant with GDPR if you don’t also adjust the way you approach customer data in general. Otherwise, you’ll just end up making some kind of mistake down the line. Ensure that every person in your company is aware of their responsibilities. You’ll find that security levels improve much more naturally.
Envision the prospect of a data breach. If data that you are storing leaks, the breach must be reported to the supervisory authority within 72 hours; if you miss that window, the authority will need an explanation of why the report could not be delivered in a timely fashion. Your management should understand GDPR. If someone on the processing team does not, you could end up with an undisclosed breach that ultimately harms your reputation to a greater extent and gets you fined.
Keep the required records
Article 30 requires that you keep track of various things about your data processing. This includes your name, contact details, data categories, reasons for storing data, and retention schedules. You’ll need to stay on top of that, but in the process, you should also look to make further notes.
Being able to look back and explain the actions you took to meet GDPR will count in your favour should a governing body come after you. Whatever you do, try to be open with your users. Do your best to show that you genuinely do care about keeping their data safe.
Should you have made your website GDPR-compliant by now? Well, ideally, yes. It’s been coming for a couple of years, and that’s a good amount of time to learn about it.
If you can gradually bring GDPR concepts into your business, then within the next year you should find yourself in a solid position with little to fear from regulators. So don’t wait any longer. Make your website GDPR compliant now!
Kayleigh Alexandra is a content writer for Micro Startups — a site dedicated to spreading the word about startups and small businesses of all shapes and sizes. Visit the blog for the latest marketing insights from top experts and inspiring entrepreneurial stories. Follow us on Twitter @getmicrostarted.