LATER THIS MONTH NEW EUROPEAN GDPR REGULATIONS COME INTO FORCE, WHICH WILL AFFECT THE WAY THAT YOU STORE AND PROCESS THE PERSONAL DATA OF EU CITIZENS. TO BE COMPLIANT THERE ARE SOME IMPORTANT CHANGES THAT YOU’LL NEED TO MAKE TO YOUR WEBSITE.
Let’s start by reminding ourselves what GDPR is all about…
GDPR doesn’t just affect large companies. If you have a website or hold any personally identifiable information (including name, email address, phone numbers etc) for your clients, suppliers, partners and / or employees located within the EU you have to be compliant. GDPR does not apply to non-personal or commercial data eg sales@ email addresses.
In a nutshell it means you have an obligation to:
- Be clear about the lawful basis upon which you are storing or processing the personal data of EU citizens and only use it for the purpose that the consent was given. There are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest).
- If you don’t have a lawful basis upon which to store and process personal data you will no longer have the right to use it after the 25th May 2018 and the data should be erased
- Ensure you get (or, in the case of older data, have) agreement, in a GDPR compliant format, from the EU individual for you to store the data, and communicate (via privacy notices and help text) how you will process the data collected, including the rights of the individual to access, remediate or erase the data.
- If you are collecting personal data for more than one purpose, gain separate consent (unbundled and freely given) for each purpose and have a clear, audit-able process for recording (and storing) the date and method of consent.
- Only hold the data you actually need and only store it for as long as you need it
- Keep the information secure and, in the event of a serious data breach, notify the ICO (or applicable body in other EU countries) within 72 hours
- If you process the data of under 18’s, have systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity of individuals under the digital age of consent (in the UK the digital age of consent is 13 years old and over, in other EU countries it is 16).
For the purpose of this article we have focused on the implications of GDPR for your website. Please be aware that you probably also store and process personal data in places other than your website, such as your email marketing software, CRM software, accounting software, payroll software, in offline printed formats and more. We strongly recommend that you familiarise yourself with your obligations under GDPR for data held elsewhere.
Lets get started!