I’m sure by now you’re acutely aware that GDPR’s on its way — but how well developed is your plan for ensuring your business is compliant?
If you don’t have a plan yet don’t panic — you’re certainly not alone. But dedicate the next few minutes of your life to this article and you’ll feel much more prepared!
If you still need more information on GDPR basics, read our introductory blog here, and if you’ve got a few days spare you can tackle the full, 99-page regulation document here.
Otherwise, let’s get cracking.
Data types & user rights
Under GDPR some attributes are classed as “personal data” and others as “sensitive personal data”. Here’s the difference:
Personal Data: Name / Address / Email Address / Social Security Number / Location Data / IP Address
Sensitive Personal Data: Race / Health Status / Sexual Orientation / Religious Beliefs / Political Beliefs
The latter set should be handled even more carefully and securely than the former.
If any of the above data is collected by your website and/or your wider company, here are the personal data rights you need to provide to individuals:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
Further information is available here via the ICO.
So, as a website owner, what do you need to prepare for GDPR?
It’s best to create a spreadsheet that covers every system, application or program used to capture and store personal data — i.e. Web Forms, CRMs, Email Clients, Analytics Platforms, Social Pixels, CMS plug-ins etc.
You then need to work out:
- Is it 1st or 3rd party data?
- How long is it stored?
- How do you use it?
- Do you share it with any additional parties?
- What’s the legal basis for processing this data?
Once you’ve sifted and separated using the criteria above, you should consider:
- Removing any redundant data that is no longer in use – storing data is getting riskier so mitigate wherever possible!
- Are you using any of this data incorrectly? e.g. are you automatically adding people who’ve completed your website contact form into your mailing list? If so, that needs to stop, or a consensual opt-in needs to be added.
- Should you be sharing data with third parties and if so, are they handling it correctly?
- If there is no legal basis, are you seeking the appropriate level of consent to gather and process data?
We then advise completing this stage of your preparation by fully documenting all processes — this makes them easy to evidence if they’re ever requested by an individual or organisation.
Audit existing data capture processes
As briefly touched on above with the Web Form, it’s essential to confirm that all personal data, however captured, is captured consensually — and that, in turn, the data is only used as intended by the users giving consent.
So there are a few things you may need to change:
- Adding Newsletter opt-in boxes to all Contact Forms
- Recording verbal opt-in to mailers when out networking
A crucial rule here is that the Opt-In box should NEVER be pre-ticked.