The GDPR (General Data Protection Regulation) is a new EU regulation aimed at strengthening data protection laws for EU (and UK) citizens. This comes into force today, May 25th, and there are several key points that website owners should know about in order to make sure websites are compliant.
The main take-away is that you cannot now assume that consent has automatically been given when someone has visited your website (for example consent for cookies to be used or for information to be stored when submitting a form or purchasing a product). EU (and UK) citizens will now have more control over their personal data. This applies then to any website taking and storing personal data from EU (and UK) citizens, regardless of where in the world the website is hosted or the website owner is based.
Organisations that are found to breach the GDPR risk fines of up to 4% of their annual global turnover or €20 Million (whichever is greater) for the most serious of infringements.
In its most basic form, for individuals and small businesses, here are the main things you need to be aware of / implement:
- You should have an easily accessible and easy-to-understand privacy policy on your website that states what data you collect as well as how you store and use that data.
- Make sure you have permission to use the personal data you collect for the purpose you set out when you collect it. This includes adding an opt-in checkbox to a contact form if you intend to use the data for anything other than responding to and following up with those particular enquiries (such as signing people up to an e-newsletter). Make sure that opt-in boxes are never pre-ticked – consent can never be inferred.
- Make certain you’re storing personal data in such a way as that it can be linked back to that user for viewing or for future deletion on their request.
- Give users the “right to be forgotten”, which means providing an easy way for people to request that you no longer collect data on them, delete collected data, or provide a copy of collected data (this could be, for example, a link to a form from within your privacy policy).
Please note that this article is just intended to provide a brief, simplistic overview – it does not represent legal advice. The Information Commissioners Office has compiled a comprehensive guide to the GDPR which I recommend taking a look through in order to fully understand what will be required of you (including a 12 step checklist of steps to take now).