The GDPR (General Data Protection Regulation) is a new EU regulation aimed at strengthening data protection laws for EU (and UK) citizens. This comes into force today, May 25th, and there are several key points that website owners should know about in order to make sure websites are compliant.
The main take-away is that you can no longer assume that consent has automatically been given when someone visits your website (for example, consent for cookies to be used or for information to be stored when submitting a form or purchasing a product). EU (and UK) citizens will now have more control over their personal data. This applies to any website taking and storing personal data from EU (and UK) citizens, regardless of where in the world the website is hosted or the website owner is based.
Organisations that are found to breach the GDPR risk fines of up to 4% of their annual global turnover or €20 million (whichever is greater) for the most serious infringements.
In its most basic form, for individuals and small businesses, here are the main things you need to be aware of and implement:
- Make sure you have permission to use the personal data you collect for the purpose you set out when you collect it. This includes adding an opt-in checkbox to a contact form if you intend to use the data for anything other than responding to and following up with those particular enquiries (such as signing people up to an e-newsletter). Make sure that opt-in boxes are never pre-ticked – consent can never be inferred.
- Make certain you’re storing personal data in such a way that it can be linked back to the user it belongs to, for viewing or for future deletion on their request.
Please note that this article is just intended to provide a brief, simplistic overview – it does not represent legal advice. The Information Commissioner's Office has compiled a comprehensive guide to the GDPR which I recommend taking a look through in order to fully understand what will be required of you (including a 12-step checklist of steps to take now).