{"id":49,"date":"2018-12-20T10:43:07","date_gmt":"2018-12-20T10:43:07","guid":{"rendered":"http:\/\/new.1wl.agency\/?p=49"},"modified":"2021-06-29T11:51:29","modified_gmt":"2021-06-29T10:51:29","slug":"whats-the-general-data-protection-regulation-and-how-do-i-make-my-website-gdpr-compliant","status":"publish","type":"post","link":"https:\/\/1wl.agency\/2018\/12\/20\/whats-the-general-data-protection-regulation-and-how-do-i-make-my-website-gdpr-compliant\/","title":{"rendered":"What’s the General Data Protection Regulation and how do I make my website GDPR compliant?"},"content":{"rendered":"\n

<p><strong>In less than 3 months’ time<\/strong>, on <strong>25th May 2018<\/strong> the UK’s data protection laws will be updated and the GDPR will take effect. If you collect personal information through your website, <strong>these changes apply to you<\/strong>.<\/p>\n\n\n\n

<p>Here’s <strong>exactly what you need to know<\/strong> to ensure your website is playing ball.<\/p>\n\n\n\n

<h2>The GDPR. What is it?<\/h2>\n\n\n\n

<p>The General Data Protection Regulation (GDPR) is an <strong>EU regulation<\/strong> that will supersede the Data Protection Directive (implemented in the UK as the Data Protection Act) in regulating how personal data can be obtained, stored and used.<\/p>\n\n\n\n

<h2>The purpose of the GDPR – An end to smoke and mirrors<\/h2>\n\n\n\n

<p>Its purpose is to <strong>strengthen the position of the public in protecting their privacy<\/strong> online. It does so by ensuring information is secure, and only used for purposes agreed to.<\/p>\n\n\n\n

<p>It clamps down on questionable marketing practices and <strong>puts control back<\/strong> in the hands of the data owners.<\/p>\n\n\n\n

<h2>Who must comply with the GDPR?<\/h2>\n\n\n\n

<p><strong>Anyone (worldwide) who collects personal data from EU citizens and residents is a ‘Data Controller’ and must comply.<\/strong><\/p>\n\n\n\n

<p>It also applies to anyone who processes data on behalf of a data controller (‘Data Processors’), e.g. software providers like MailChimp, SalesForce, Xero and, in some cases, your website designers.<\/p>\n\n\n\n

<p>As a UK business <strong>it’s mandatory<\/strong> (Brexit doesn’t excuse you), and although this article focuses on just website compliance, the GDPR extends to other areas of your business too. <strong>Any personal data you collect<\/strong>, irrespective of how you collect it, needs to be handled in compliance with the GDPR.<\/p>\n\n\n\n

<p>From comments on a blog post to names and contact details from a restaurant feedback card, the Data Controller <strong>shall be accountable<\/strong> for obtaining, securing and using it appropriately.<\/p>\n\n\n\n

<p>We’re just covering compliance of your website, but the full documentation for the GDPR provides information on the wider policy landscape.<\/p>\n\n\n\n


<h2>Web GDPR compliance – Key things you need to know<\/h2>\n\n\n\n

<h3>Be Transparent to Get Consent<\/h3>\n\n\n\n

<p>It’s simple. <strong>Clearly explain why<\/strong> you’re collecting personal information and what you will do with it. <strong>Detail why it’s necessary or beneficial<\/strong> in a way that’s easy to understand, and there is a better chance people will agree to it.<\/p>\n\n\n\n

<p>Ambiguity (deliberate or accidental) is bad for business. It will turn people away and it could land you in the mix with the ‘GDPR rozzers’. <strong>Be open, be honest and be relevant<\/strong>.<\/p>\n\n\n\n

<p>If your audience is young, you’ll need the consent of a parent or guardian.<\/p>\n\n\n\n

<p>And you have to <strong>make it simple<\/strong> for people to <strong>revoke their consent<\/strong>. It’s got to be just as easy as giving it.<\/p>\n\n\n\n

<h3>‘Legitimate Interest pursued by a controller’<\/h3>\n\n\n\n

<p>There may be circumstances where it’s <strong>just not possible to obtain<\/strong> consent but the data you hold is essential to your business.<\/p>\n\n\n\n

<p>Maybe your website uses personal data to deliver a personalised experience to customers.<\/p>\n\n\n\n

<p>Maybe it relies on using data in a way that is expected.<\/p>\n\n\n\n

<p>If so, you can <strong>claim<\/strong> to have a <em>‘Legitimate Interest pursued by a controller’<\/em>.<\/p>\n\n\n\n

<p>There’s such huge scope for interpretation that it isn’t something we can cover now. We simply advise <strong>seeking legal advice<\/strong> if you think ‘legitimate interest’ fits your type of usage.<\/p>\n\n\n\n


<h3>Securing the Data with SSL and Pseudonymisation<\/h3>\n\n\n\n

<p><strong>Applying an SSL certificate to encrypt your website traffic<\/strong> (serving the site over HTTPS) is a first step to protecting the data you collect. If you don’t have one already, you should get one. It’s already best practice and they are readily available, so speak to your web developer about it.<\/p>\n\n\n\n

<p>If you collect and hold personal information in volume, or for any length of time, it’s also worth considering <strong>‘pseudonymisation’<\/strong>.<\/p>\n\n\n\n

<p>In simple terms, it’s a process of splitting the data so that no single part identifies a person on its own. Instead of storing everything in one location, you store the contact names separately from the rest, linked only by a reference key that is held apart from both.<\/p>\n\n\n\n

<p>It <strong>adds a layer of protection<\/strong> where, in the event of a security breach, the data obtained could no longer be attributed to individuals without the separately held part.<\/p>\n\n\n\n

<h3>Making the data available<\/h3>\n\n\n\n

<p>It’s important to remember that as a Data Controller, <strong>you never own the data<\/strong> you hold. You’re a custodian trusted to use it properly and keep it safe.<\/p>\n\n\n\n

<p>In the event of an investigation, the GDPR will <strong>require proof of consent<\/strong>. That means proving something that is particularly hard to prove.<\/p>\n\n\n\n

<blockquote><p>For example, an export from your customer database showing a tick in a ‘GDPR Consent’ column doesn’t prove how consent was obtained. A snapshot of your Privacy Policy at the time of consent, timestamped and saved to the user profile, would be more credible.<\/p><\/blockquote>\n\n\n\n

<p>Like it or not, your business procedures need to change <strong>to protect yourself<\/strong>, and to service the requests of your data subjects when they exercise their GDPR rights. They can ask to:<\/p>\n\n\n\n