EU GDPR legislation is set to go into effect on May 25, 2018, and websites need to be prepared. The European Union’s General Data Protection Regulation (GDPR) governs how organisations handle the personal data of people in the EU, with a strong emphasis on privacy. It applies not only to companies established in the EU but also to organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. Companies all over Europe are scrambling to make sure they’re ready for this new law. One way of doing this is by ensuring that your website is compliant with GDPR by working through the steps below:
Ensure that personal data is handled securely and in compliance with the GDPR.
The following checklist will help you identify any issues with how your website handles personal information:
GDPR defines “personal data” very broadly.
The definition of “personal data” under GDPR is very broad. It covers any information relating to an identified or identifiable natural person, such as a name, postal address, email address or biometric data.
The GDPR also covers online identifiers such as IP addresses, cookie identifiers and RFID tags, because they can single out a visitor even when you don’t know their name. Pseudonymised data (where the identifying details are held separately) is still personal data. Only truly anonymous data, which cannot be linked back to an individual by any reasonably likely means, falls outside the regulation.
Under GDPR, individuals have the right to be forgotten, to know what personal data you store about them, to correct their personal data, and to port their personal data.
- Under GDPR, individuals have the right to access the personal data you hold about them, to have inaccurate data corrected, to have it erased (the “right to be forgotten”) and to receive it in a portable, machine-readable format.
- These rights belong to anyone in the EU whose data you process, not only EU citizens. Any website that stores or processes their personal information must give them clear access to it and respond to their requests without undue delay, and in any event within one month.
You can no longer use opt-out consent checkboxes.
You can no longer use opt-out consent checkboxes, pre-ticked boxes or silence as a form of consent. Consent must be freely given, specific, informed and unambiguous, and it must be expressed by a clear affirmative action such as ticking a box that is unticked by default. If a person declines, or later withdraws their consent, you must respect that decision and stop the processing; withdrawing consent must be as easy as giving it.
You also need to tell individuals how you will use their personal data, and on what basis, before you collect it. That applies to every new piece of information you gather: having an email address or phone number on file already does not give you permission to collect further data or to use it for a new purpose.
Make sure you have the right tools in place.
You might be surprised to learn that there are several lawful bases for processing personal data under GDPR (consent, performance of a contract, a legal obligation, legitimate interests and others), and each has its own requirements. The most important thing is to decide which basis applies to each type of processing, document it, and get your team working in one consistent way, so that data isn’t lost or left out in the open where anyone can access it.
Here are some things you need:
- A process for collecting consent from users (through opt-in forms or automated systems) before processing their personal data. Keep a record of who consented, when, what they were told and how they consented; give them a way to withdraw consent at any time; and define how long you keep each type of data.
- A privacy policy. GDPR requires one because it provides transparency about what personal data you collect from people who visit your site or apps, the purposes and lawful basis for using it, who it is shared with, how long you keep it before deleting it, and the rights individuals have over it.
If you rely on consent to process personal data, it must be valid consent.
Personal data is any information relating to an identified or identifiable natural person. This includes a name, email address and contact details (such as a phone number or postal address). Consent is a voluntary decision by an individual to allow their personal data to be used for a particular purpose. If you collect consent from your users, you must do so using clear, plain language, with proper notice of what their data will be used for and how long it will be kept on your system.
Consent must also be as easy to withdraw as it was to give, and you must be able to demonstrate that each person consented, so keep a record of when and how they did so.
The rules are different for children under 16 (and 13 in some countries).
The rules for children are different. Where you offer online services directly to a child and rely on consent, the GDPR sets the age of consent at 16, though member states may lower it to as young as 13. Below that age you must obtain consent from a parent or guardian and make reasonable efforts to verify it. Any consent form should be clear and written in language a child can understand, explaining how you will use the child’s data, where it will be stored and who else will have access to it.
You must also explain how you will protect their privacy: for example, by sharing information with third parties only in anonymised form where possible, and by transmitting it only over secure connections such as TLS (HTTPS).
You need a Data Protection Officer if your business regularly monitors or processes large amounts of personal data.
If your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health data), or if you are a public authority, you must appoint a Data Protection Officer.
A Data Protection Officer (DPO) is responsible for overseeing your organisation’s compliance with the GDPR and can help you understand it. DPOs also:
- Provide advice on how best to comply with GDPR requirements;
- Monitor how your company deals with personal information;
- Provide training for employees who handle customer data;
- Act as the contact point for the supervisory authority and for individuals exercising their rights.
If you use any third-party providers, make sure they are GDPR-compliant.
A third-party provider is any outside company that processes personal data on your behalf: for example, your web host, email or newsletter service, analytics provider, payment processor or IT support. Under the GDPR these are “processors”, and if you use one to help run your website you must check that they are GDPR-compliant and have a written contract with them that sets out what they may do with the data.
Third-party providers deserve scrutiny because they hold or transmit your customers’ data without having any direct relationship with those customers. You remain responsible as the data controller, so you need to confirm that each provider processes data only on your documented instructions, applies appropriate security measures, tells you about sub-processors and about data breaches, and does not transfer data outside the EU without a valid safeguard.
Your website needs to be prepared for GDPR because it will go into effect soon!
If you are not yet ready to comply with GDPR, it’s time to start planning. At a minimum:
- You’ll need a way to delete a person’s information from your database (and from backups and third-party systems where possible) when they ask you to. You should already have one in place; if not, start thinking about how you can make this happen!
We hope this checklist helps you prepare for the GDPR and make sure your website is ready for it. We look forward to seeing what changes come in the next few years, but for now, let’s keep working on getting our websites up to date!