The General Data Protection Regulation is a piece of EU legislation which was adopted on April 14th, 2016 and is coming into force on May 25th, 2018.
At the moment it is something of a hot topic. If you operate any kind of business online, you will have heard about it, and you must understand it and comply with it.
If you are not the most adept of individuals when it comes to the law and legal compliance, you may be asking yourself “is my website GDPR compliant?” Don’t fret, however: it is a relatively simple piece of legislation, and there are a few key measures you can take to check whether your website is in fact GDPR compliant. If you are feeling a little bit confused or flustered by it all, carry on reading for our GDPR website checklist.
What is the GDPR, Exactly?
It is a piece of EU legislation intended to strengthen data protection for EU citizens and residents. It does not apply only within the EU, though: it applies to any business which stores an EU citizen’s data. If you are a U.S.-based seller and you have transacted with EU-based customers or clients, you will need to ensure your website is GDPR compliant, even if you have only transacted with a small handful of EU citizens.
Any person or entity which collects personal data (a “data controller”) will be obliged to follow the new regulations. This includes any website or business which stores or works with personal data, including mobile apps, organisations which store data on internal databases, and e-commerce stores. In fact, e-commerce is one of the fundamental focuses of the new legislation.
The GDPR Website Checklist
Although the GDPR is not yet active and compliance is not required until the clock ticks over to May 25th, many businesses have already taken all the necessary steps and have become fully compliant. These websites serve as a yardstick when it comes to compliance and identifying key steps.
1: Opt-In Forms
If you encourage anybody to subscribe to an email list or other form of e-newsletter, you must have active opt-in forms which invite people to subscribe. The days of automatically subscribing individuals are over, unfortunately! You can no longer default these forms to “Yes”, either: they must be defaulted to “No” or left blank. It is worth checking any opt-in forms you have (including registration forms) to ensure that they are not automatically subscribing people by pre-ticking the “Yes” box or similar.
Additionally, opt-in forms should collect consent separately for each type of contact processing (e.g. phone, email and SMS), rather than as a single catch-all tick box.
2: A Matter of Consent
If you are asking for an individual’s consent, this consent must be set apart from your terms and conditions. If, for instance, you are asking for a customer’s consent to disclose their data to third parties, acceptance of this can no longer be hidden away in the terms and conditions: it must be clearly set out separately, with its own individual opt-in form.
3: Withdrawable Permission
Individuals who have given consent must be able to withdraw this consent if they so choose, and withdrawal must be easily accessible and instantaneous. Under the GDPR, individuals should be able to –
a. withdraw consent to communication completely;
b. change the frequency of communication;
c. withdraw consent for certain types of communication; or
d. withdraw consent for certain communication channels.
4: General Transparency
Any opt-in or web forms must identify all parties to whom consent is being granted. You can no longer gloss over this and say that consent is being granted to “third party websites”, for example – you must name the specific organisations, and state the extent to which, or the situations in which, the individual’s data will be disclosed to them.
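To make points 1 to 4 concrete, here is an added example (not code from the original article) of a small consent record behind a newsletter sign-up form. It grants nothing by default, treats only an explicit tick as consent, ignores acceptance of the terms and conditions as a consent source, requires every third-party recipient to be named with a purpose, and supports withdrawal per channel or in full, keeping a timestamped history for accountability. The subscriber id, channel names, vendor name and timestamps are all constructed for illustration.

```javascript
// Added example, not code from the original article. Subscriber ids, channel
// names, third-party names and timestamps are constructed for illustration.

const CHANNELS = ["email", "sms", "phone"];

// A fresh record grants nothing: every channel starts as "not consented",
// the server-side equivalent of an unticked checkbox on the form.
function newConsentRecord(subjectId, now = Date.now()) {
  const channels = {};
  for (const c of CHANNELS) {
    channels[c] = { granted: false, grantedAt: null, withdrawnAt: null };
  }
  return { subjectId, createdAt: now, channels, frequency: null, thirdParties: [], history: [] };
}

// Only an explicit tick counts as consent. HTML checkboxes submit "on" when
// ticked and are absent when unticked, so a missing key means "no".
function isExplicitOptIn(value) {
  return value === true || value === "on";
}

// Apply a submitted sign-up form to the record. `termsAccepted` is deliberately
// never read: accepting the T&Cs is not marketing consent, so consent bundled
// into the terms has no effect. All input is validated before anything changes.
function applyFormSubmission(record, submission, now = Date.now()) {
  const ticked = submission.channels || {};
  const parties = submission.thirdParties || [];
  for (const channel of Object.keys(ticked)) {
    if (!CHANNELS.includes(channel)) throw new Error(`unknown channel: ${channel}`);
  }
  // Each recipient of the data must be named, together with why it receives it.
  for (const party of parties) {
    if (!party.name || !party.purpose) {
      throw new Error("each third party needs a name and a purpose");
    }
  }
  for (const [channel, value] of Object.entries(ticked)) {
    if (isExplicitOptIn(value)) {
      record.channels[channel] = { granted: true, grantedAt: now, withdrawnAt: null };
      record.history.push({ at: now, event: "granted", channel });
    }
  }
  for (const party of parties) {
    record.thirdParties.push({ name: party.name, purpose: party.purpose, disclosedAt: now });
  }
  if (submission.frequency) {
    record.frequency = submission.frequency;
    record.history.push({ at: now, event: "frequency", value: submission.frequency });
  }
  return record;
}

// Withdraw consent for one channel, or for every channel when channel is null.
function withdrawConsent(record, channel = null, now = Date.now()) {
  const targets = channel === null ? CHANNELS : [channel];
  for (const c of targets) {
    if (!CHANNELS.includes(c)) throw new Error(`unknown channel: ${c}`);
    if (record.channels[c].granted) {
      record.channels[c].granted = false;
      record.channels[c].withdrawnAt = now;
      record.history.push({ at: now, event: "withdrawn", channel: c });
    }
  }
  return record;
}

// Channels that may currently be used to contact the subscriber.
function activeChannels(record) {
  return CHANNELS.filter((c) => record.channels[c].granted);
}

// Walk-through on constructed input.
const record = newConsentRecord("subscriber-0001", 1000);
applyFormSubmission(record, { termsAccepted: true }, 1001); // grants nothing
applyFormSubmission(record, {
  channels: { email: "on", sms: true },
  frequency: "weekly",
  thirdParties: [{ name: "Example Mailing Vendor", purpose: "newsletter delivery" }],
}, 1002);
withdrawConsent(record, "sms", 1003);
console.log(activeChannels(record), record.history);
```

The validation-before-mutation order matters: a form that ticks a channel but names a recipient without a purpose is rejected as a whole, so no consent is recorded from a form that would fail the transparency check.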
5: GDPR for E-Commerce
E-commerce companies are among the businesses most affected. Websites that process payments (even through payment gateways such as PayPal) must remove any personal information within a “reasonable period”. Unfortunately, the law is not known for being overly specific, and the number of days for which data should be held is open to a business’s interpretation.
It is not just your website which needs to comply with the new GDPR legislation; it is your entire business. The European authorities have provided many resources to help with GDPR compliance. If you hold any kind of personal data, you will need a comprehensive data policy in place which sets out how long you retain personal data, what you use it for, and how you keep it up to date. This data needs to be held securely, and there must be a designated individual (the “data controller”) who handles everything data-related and ensures that your company remains GDPR compliant.