On the 25th of May 2018, the GDPR (General Data Protection Regulation) will apply in the UK.
If the website you manage collects or holds any personal data, even a ‘contact us’ form, GDPR affects you.
Many GDPR principles are the same as the current Data Protection Act, so if you are compliant, then a lot of what you do already will still be valid under GDPR. However, there are some new things you’ll have to start doing and other things you’ll need to do differently.
Our understanding of the guidance is that GDPR gives individuals more control of the data held on them and how it is used. Under GDPR, an individual’s rights include:
- The right to be informed – typically via your privacy notices
- The right of access to their data, free of charge
- The right to rectification if their data is not accurate or complete
- The right to erasure, also known as ‘the right to be forgotten’
- The right to restrict processing of their personal data
- The right to data portability allows them to obtain the data you hold on them and reuse it across different services and IT environments
- The right to object to you using their data for things like research, direct marketing, profiling and statistics
- Rights in relation to automated decision making and profiling, safeguarding against systems making decisions taken without human intervention
The information Commissioners Office (ICO) has released a checklist and guidance that explains these concepts further and will help you plan your approach to GDPR compliance. Their checklist contains 12 steps an organisation needs to take, but we have highlighted 5 of the steps a website manager might want to consider now, to give you a flavour of what may need to be done.
5 steps to start preparing for GDPR
Run through these 5 steps and the go and see your organisation’s Data Protection Officer or Knowledge and Information Manager, to see how they are preparing your organisation for GDPR.
- Visit the ICO’s data reform website, download their guides and set aside half a day to read them with a highlighter pen in hand.
- Consider the personal information you hold. Have you documented:
- Where and when you obtained it?
- Why you have it?
- What you do with it?
- Who you share it with?
- Its accuracy?
- Think about how you would handle requests based on the individual’s rights discussed earlier and start planning the procedures and technical processes that you’ll need
- Review how you obtain and record consent at the moment to see if you need to do it differently. Look at your existing records and the way you obtained consent for those. Will you need to get fresh consents?
- Are your systems secure, patched and up-to-date? Is the data you hold encrypted? Is your password management up to scratch? If you are unsure about any aspect of information security, a good place to start would be Cyber Essentials certification, a government backed scheme to help organisations protect themselves against common cyber-attacks.
How we can help
Although we can’t give advice on GDPR legalities or help write your policies, as an ISO/IEC 27001 (information security management) and Cyber Essentials certified agency, we can help you implement secure methods of collecting, storing, processing and auditing any data you need to gather via your website.
Once we understand your information security requirements, we will make technical suggestions to help you achieve the required security standards. For example, you may need us to implement encryption of your data at rest or when it is in transit, or enable double opt-in mechanisms if you are collecting contact details for mailing lists.
Contact Chris Cowell, at firstname.lastname@example.org to chat about how GDPR may affect your website.