Just four little letters: GDPR. Doesn’t sound like much, does it?
Only, those four little letters actually stand for ‘General Data Protection Regulation’, which is a set of legislative measures that will replace the Data Protection Act 1998.
This is big, big stuff, and if you fail to comply with the new rules, you could risk fines of up to €20 million or 4% of global turnover.
But, let’s address that burning question you have…
What is the GDPR?
Devised by the European Parliament, the Council of the European Union and the European Commission, the GDPR comes into effect in May 2018 and is designed to strengthen data protection for all individuals within the EU.
It sets new standards for data collection and processing and gives power back to the owners of personal data when it comes to retrieving their information and requesting its removal.
But what about Brexit?
Sorry - it doesn’t matter. The GDPR will come into effect quite some time before the UK leaves the EU, and even after that time it will still apply to all EU personal data, which your business will almost certainly come into contact with either from EU nationals living within this country or from customers overseas.
How does the GDPR relate to my website?
If your website collects personal data which you in turn store somewhere in a database (for example, a newsletter list), you’ll be defined as a ‘Data Controller’ under the GDPR.
Therefore, the way you obtain consent to collect that data, how easily the individual can access it, and the security built into your website will all come under scrutiny.
So, it’s down to the people who built my website and the hosting company, right?
Your website falls under the ownership of your business, and no matter what tools it uses to collect, store and process data, you will be defined as the controller and therefore held accountable for any GDPR rule breaches.
Reasons your website might not be GDPR compliant
Here are the most common reasons your website might fail the GDPR test come May 2018:
1. You’re not obtaining the right consent
Under the GDPR, you need to obtain explicit consent from people when requesting their personal data. A tiny pre-filled tick box in the footer won’t cut it.
2. You’re using plugins that aren’t compliant
Many websites are unfortunately built with a multitude of third-party ‘plugins’. That means you’re at the mercy of the plugin developer (or several developers) when it comes to compliance on their part.
3. You’re not enabling people to access their data
A key part of the GDPR revolves around giving data owners easy, unrestricted access to their data, so they can either review it or delete it entirely. Can people do that on your website?
4. You’re not encrypted
That little padlock you increasingly see in the address bar of your browser will become more important than ever next year. If your website doesn’t use industry-standard SSL/TLS encryption (HTTPS), you’re at risk of non-compliance.
What should I do next?
Talk to the experts. Like us.
We’re investing a huge amount of time investigating the GDPR in order to gain a better understanding of how it impacts website design.
While this blog will hopefully have demystified some of the GDPR, there’s nothing quite like speaking to people who know how to help you comply.