GDPR. Anyone heard of it? If you run a business in the UK, it’s essential knowledge. Anyone burying their head in the sand? It was introduced in 2016 and will start to be enforced in the UK and the EU in May 2018, i.e. that’s when fines might start being dished out for non-compliance. This is a serious post. Don’t expect any fancy photos and stuff on this page. Just important words.
The goal of GDPR (General Data Protection Regulation) is to protect the data privacy and security of all EU persons by setting a new data protection standard for businesses and governments.
If you collect any personal data (pretty much all businesses do), this post is relevant to you. I’m not an expert. This is just my understanding of what I have read about so far. I’m sure more things will pop out of the woodwork soon.
1) “Data Controller”: Probably you.
2) “Data Processor”: If you collect and use data yourself, then it’s you. If you use a 3rd party like Mailchimp, it’s them.
If you have a business, you should run a privacy audit – posh words for checking to see if personal data is secure, access to it is properly managed, people know what you are up to with their data and people can manage their data.
This post just relates to websites. If you have a website, it should be part of the privacy audit. Often businesses harvest personal data as part of “lead capture” or eCommerce which are the most obvious parts to check, but GDPR also classes “IP Address” as personal data. Every device on the Internet has an IP Address, which can be used to track someone, e.g. via Google Analytics.
If you use a 3rd party to manage your website, email lists, eCommerce or eCommerce payments, they are data processors. You should immediately ask them if they are compliant or if they plan to be compliant. You should also ask them if the hosting company they use is compliant. If they aren’t compliant on time, you remain liable because you have chosen to use them. As of now, companies like Mailchimp and Infusionsoft are NOT compliant. Most just say “We plan to be compliant”.
If you manage your own website and hosting, you should immediately ask your hosting company if they are compliant and do your own website audit. Part of your website software should audit / log changes for you and notify you of any security concerns. Additionally, you should be implementing security measures to reduce the chances of data breaches. In WordPress, you can install a security plugin and a security audit plugin.
Double-Optin should be the standard for signing up to anything on your website. This ensures they get sent an email before any data is added to the database in your website. This prevents someone being signed up without their knowledge.
Opt-out should be the default, so for example if you have a contact form with a little box that says “add me to the mailing list”, this should not be ticked by default.
Explicitly state what is being done with data. “Enter email for free eBook” isn’t enough if they are being added to a mailing list too. If a user has just provided their email to get a freebie and later receives a regular email newsletter, you are in breach and they could report you. You don’t want to be reported.
Ask for permission. Add “I consent to COMPANY NAME collecting my name and email” (or whatever is in the form).
There should be a method for them to remove their data. Most 3rd party services provide this. Check yours.
If anyone asks to see what data is stored about them, you have 40 days to comply, and it must be done for free. Yeah.
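To make the double opt-in, consent wording, removal and access-request points above concrete, here is an added example (not code from the original post, and not a real library or plugin): a small Python class that parks a signup until the person clicks a one-time link, records the exact consent text they agreed to, and supports “show me my data” and “remove my data”. The in-memory dictionaries, the `DoubleOptIn` class name and the 24-hour link lifetime are assumptions for this example; a real site would back the two stores with its database.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingSignup:
    """A signup awaiting confirmation. It is not yet in the live mailing list."""
    email: str
    consent_text: str      # exact wording the person agreed to ("I consent to COMPANY NAME ...")
    requested_at: float
    expires_at: float


class DoubleOptIn:
    """Hypothetical double opt-in flow (example code, not a real library).

    request_signup() parks the address and returns a one-time token that the site
    e-mails to that address. Only confirm() with the token moves the address into
    the subscriber list, so nobody can be subscribed without controlling the inbox.
    """

    def __init__(self, ttl_seconds: int = 24 * 3600):
        self._ttl = ttl_seconds
        self._pending: dict[str, PendingSignup] = {}   # sha256(token) -> pending signup
        self._subscribers: dict[str, dict] = {}        # email -> consent record

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash of the token is stored, so someone who reads the pending
        # table still cannot build a working confirmation link from it.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_signup(self, email: str, consent_text: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._pending[self._digest(token)] = PendingSignup(
            email=email.strip().lower(),
            consent_text=consent_text,
            requested_at=now,
            expires_at=now + self._ttl,
        )
        return token  # goes into the confirmation link; nothing enters the live list yet

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # single use, valid or not
        if entry is None or now > entry.expires_at:
            return False  # unknown, already used, or expired link
        self._subscribers[entry.email] = {
            "consent_text": entry.consent_text,
            "requested_at": entry.requested_at,
            "confirmed_at": now,
        }
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self._subscribers

    def access_request(self, email: str) -> Optional[dict]:
        """Everything held about this address, for a 'what do you store about me' request."""
        email = email.strip().lower()
        record = self._subscribers.get(email)
        return None if record is None else {"email": email, **record}

    def erase(self, email: str) -> bool:
        """Remove the address from the live list and from any unconfirmed signups."""
        email = email.strip().lower()
        removed = self._subscribers.pop(email, None) is not None
        stale = [key for key, p in self._pending.items() if p.email == email]
        for key in stale:
            del self._pending[key]
        return removed or bool(stale)


if __name__ == "__main__":
    # Constructed sample run; the address and company name are placeholders.
    flow = DoubleOptIn()
    token = flow.request_signup(
        "reader@example.com",
        "I consent to EXAMPLE LTD collecting my name and email for its newsletter",
    )
    print("subscribed before confirm:", flow.is_subscribed("reader@example.com"))
    print("confirm:", flow.confirm(token))
    print("access request:", flow.access_request("reader@example.com"))
    print("erase:", flow.erase("reader@example.com"))
```

The consent record keeps the wording shown on the form alongside the request and confirmation times, which is what you would produce if someone disputes having signed up; an unticked “add me to the mailing list” box simply means `request_signup` is never called.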
The UK ICO – Information Commissioner’s Office – has provided a phone number for advice for small businesses at the bottom of that link.