The GDPR will be enforced from 25 May 2018. UK organisations that process the personal data of EU residents don’t have long to ensure that their websites are compliant with an updated user management system.
What is GDPR?: The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy remain consistent with the previous directive, many changes have been proposed to the regulatory policies.
What this means for you: As a business you need to prove that a contact has explicitly agreed to you collecting, storing, using or sharing their data. Contrary to some reports, this applies in a B2B context and to all contacts, regardless of whether they are existing customers or you have a prior relationship with them. You should think about…
- Website User Registration
- Website Comments
- Contact Form Entries
- Analytics and Traffic Log Solutions
- Email Marketing
- Can your website users access their data?
- Can your users delete their data?
Give it to me in Plain English: You’ll need to check how you store user data on your website and make sure it can be accessed and deleted by the users!
So, you need to strengthen the consent requirements on your website. If you collect or manage any EU citizen’s data, you must:
- Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
- Have a means for users to request access and view the data you have collected on them.
- Provide users with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”.
Under the GDPR, organisations in breach of the regulation can be fined up to 4% of annual turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.