Is Your Website GDPR Compliant?
The handling of data crops up in the news fairly often. Questions are often raised about website GDPR compliance and how social networks such as Facebook, TikTok and others process our information. It extends much further than these social powerhouses though. Each click of your mouse button, each website you browse and each form you fill out pulls a vast array of data from you, either to make your experience better or to pull you further into the orbit of the company you are engaging with.
You’ve no doubt done it yourself: landed on a site, had the accept/reject cookies message appear and blindly hit accept or OK. In all likelihood, you aren’t even sure what you are accepting, but behind that click lies a whole list of uses you have now agreed to for your data. Let’s not confuse things or start running before we can walk though. Cookies and GDPR are linked but are not the same thing, and whilst cookies are a blog for another time, we thought we should help you get a handle on making your website GDPR compliant. Otherwise, the cost of that website you’ve built might be dwarfed by the fine you receive for not being compliant!
Ready to navigate the GDPR maze? Let’s go.
What is GDPR?
Unless you’ve been living under a rock for a few years now, it’s unlikely that this four-letter initialism is new to you. Whether you fully understand it is another thing! GDPR stands for General Data Protection Regulation and, since the UK’s exit from the EU, it has changed a little.
So, what is it? GDPR is in place to protect people’s personal data and privacy, and it applies to any business processing the personal data of individuals in a country where GDPR applies, whether or not that business is based there. This means that if you are based in the USA, for example, but handle the data of people in the UK, you still have to comply with UK GDPR. Likewise, if you are a UK business handling the data of people in Italy, you have to comply with the EU’s GDPR. Still with us? Good!
When did GDPR come into force?
GDPR started life as an EU-wide regulation; what the UK now applies is a variant of that EU law. In fact, it’s more or less the same text, with the UK moniker added.
The regulation was adopted in the EU in 2016 but did not take effect until two years later, in May 2018. For a brief period, the UK shared the same law as its EU neighbours, but on 1 January 2021 UK GDPR came into effect. It is more or less the same, with a few small changes. Mainly, UK GDPR applies only to the UK, whereas the original GDPR covers the whole EU.
Will GDPR apply to my UK website then?
Of course! And you may well have to follow two sets of GDPR rules if you handle the data of people in both the UK and the EU. If you operate in both, you need to meet both sets of regulations. Don’t worry though, we are going to list out exactly what you need to do!
Hang on, what about the Data Protection Act 2018?
Ah, we thought this might be asked. It’s a good thing you did! The Data Protection Act 2018 sits alongside UK GDPR in UK law and fills in the details the regulation leaves to national law, so if you are already fully DPA 2018 compliant, you are well on track with your UK GDPR compliance. Remember that UK GDPR extends to businesses outside the UK if they handle the personal data of UK residents. So, if you’ve got that website in the USA and are dealing with UK residents, you need to get on board the GDPR train!
Need some clarity though? Perhaps GDPR and DPA are still just two sets of letters you recognise but don’t quite get. Well, let’s clarify, so your website can be kept within the rules and keep you clear of the high fines you may face if you breach them.
What does my website need to be GDPR compliant?
We are going to make this as easy as possible. A trawl through government and other informative websites shows they can get really deep with this stuff, and whilst you may like an in-depth read, we appreciate you probably just want the facts and then to be on your merry way. So, let’s go.
A lawful basis for processing
Before you go collecting data from those who land on your website, you need a lawful basis for doing so. GDPR lists six lawful bases; the three you are most likely to rely on for a website are below.
Consent
The person on your site has agreed to the processing of their data for one or more specific purposes.
Contract
The processing is necessary to perform a contract with the site visitor, or to take steps at their request before entering into one.
Legitimate interests
The processing is necessary for your legitimate interests (or those of a third party), and those interests are not overridden by the interests or rights of the person visiting the site. You must be able to show that you weighed the two.
A way to grant consent to data handling/processing that is explicit
You need to make sure that a customer or site visitor knows exactly what is happening with their data. Therefore, you must ensure that:
- Consent is given freely, and is specific, informed and unambiguous.
- Only clear and plain language is used when requesting consent.
- The request for consent is separate from any other T&Cs the website may have in place.
- Those who have given consent can withdraw it at any time, as easily as they gave it.
- You keep a record of who consented, when, and to what, so you can prove it.
Minimal data collection
You should be ensuring that only the data necessary for the purpose of the site visit is collected.
Transparency
You should ensure those heading to your website know who you are, how you plan to use the data, how long it will be kept and who else it may be shared with. Look back at the cookies notification when you land on a site, and you’ll get an idea of how far your data can often reach!
Provide rights to the site users
You may feel the wealth of data gives you a pathway to sales and marketing, but remember that people often change their minds. With that in mind, anyone whose data you hold can ask:
- To access their personal data you hold.
- To have any inaccuracies corrected.
- To have their data erased.
- To object to direct marketing.
Security
Digital security is something that concerns many of us. A leak of personal data could lead to cloned identities, hacked bank accounts and much more. A website must ensure personal data is protected in a way that minimises the risk of theft, unlawful use, loss, destruction or damage. In practice this means measures such as encrypting data in transit and at rest, pseudonymising identifiers so that a leaked record does not directly name a person, and restricting access so that only the people who need the data can reach it. UK GDPR and DPA 2018 also require that you can restore availability of and access to the data promptly after a security incident, which in practice means working, tested backups.
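To make the pseudonymisation point concrete, here is an added example (not code from the original article) showing why a keyed hash is the right tool and a plain hash is not. It assumes the key is generated and stored separately from the data (a secrets manager or HSM in production; a random in-memory key here), and the e-mail addresses are constructed sample data.

```python
"""Pseudonymising identifiers for storage: keyed HMAC versus an unkeyed hash.

Added example for this article, not the site's or any project's own code.
Assumptions: the pseudonymisation key lives outside the database that holds
the tokens, and the e-mail addresses below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample identifiers a website might hold (not real people).
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Assumption: in production this key is fetched from a secrets manager,
# never stored beside the pseudonymised records. A fresh random key here.
PSEUDONYM_KEY = secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    """Lower-case and strip so the same person always maps to the same token."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone with a list of candidate
    e-mails can hash them and match, so a leaked table is re-identifiable."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 under a secret key. Deterministic, so records for one person
    can still be joined, but a guess cannot be confirmed without the key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def reverse_by_guessing(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does with a leaked table of UNKEYED hashes: hash each
    known or guessed e-mail and compare. Returns the match, or None."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), token):
            return candidate
    return None


def pseudonymise_records(records: list, key: bytes = PSEUDONYM_KEY) -> list:
    """Replace the direct identifier ('email') in each record with a keyed token.
    If you keep a token -> e-mail lookup for access or erasure requests, store it
    separately and restrict who can read it; deleting a person's entry there is
    part of honouring an erasure request."""
    out = []
    for record in records:
        rest = {k: v for k, v in record.items() if k != "email"}
        out.append({"pseudonym": keyed_pseudonym(record["email"], key), **rest})
    return out


if __name__ == "__main__":
    leaked_naive = naive_pseudonym("alice@example.com")
    leaked_keyed = keyed_pseudonym("alice@example.com")
    print("naive token re-identified as:", reverse_by_guessing(leaked_naive, SAMPLE_EMAILS))
    print("keyed token re-identified as:", reverse_by_guessing(leaked_keyed, SAMPLE_EMAILS))
    print(pseudonymise_records([{"email": "bob@example.org", "plan": "pro"}]))
```

The usage at the bottom shows the failure mode directly: the unkeyed token is matched back to a name from a short candidate list, while the keyed token is not, and the pseudonymised record carries no e-mail field at all. Rotating the key produces different tokens, so if you ever rotate it you must re-key the stored tokens in the same change.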
What happens if my site has been breached?
If your website has been hacked or tampered with in any way, and as a result personal data may have been accessed, altered, lost or stolen, you must act fast. You need to establish what happened, how severe it is and whether it is likely to put individuals at risk. Unless the breach is unlikely to result in a risk to individuals, you must report it to the Information Commissioner’s Office without undue delay, and no later than 72 hours after you become aware of it (the clock starts when you become aware, not when the breach happened). If the breach is likely to result in a high risk to individuals, you must also tell those individuals directly. Keep a record of every breach, whether or not you report it.
What trouble could I get in if I fail to comply with GDPR?
Now this, if anything, will show you how seriously data handling and processing is taken. Failure to be compliant and transparent could see you hit with a heavy fine. Under UK GDPR the maximum fine is £17.5m or 4% of annual worldwide turnover, whichever is higher. It is similar under EU GDPR, where a failure to comply could see a fine of up to €20m or 4% of annual worldwide turnover, whichever is higher.
It’s certainly not pocket change and an amount that could set your business back considerably.
How can I keep up with staying GDPR compliant?
In all likelihood, you will be handling data of people in the UK and abroad. Do the following and you will stay on top of the regulations:
- Understand the law: Requirements for GDPR may change at any time, so keep updated with the law and any future amendments. Keep an eye out for guidance issued by regulatory bodies to ensure consistent compliance.
- Conduct audits: Regular checks, quarterly say, on how data is handled, stored and used will let you spot flaws and fix them. Keep records of the audits; evidence of them is valuable should there be an issue in the future.
- Appoint a Data Protection Officer: A DPO is only mandatory in certain cases (public authorities, or organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data), but having someone responsible for overseeing data handling across the business is worthwhile regardless. It may seem a cost you’d rather not cover, but it is small next to a fine that can reach £17.5m.
So, GDPR? It is a highly complex area, yet the process to follow is simple enough. Put simply: hold data securely, process only what is needed, be fully transparent and give the people whose data it is access to it, and you are on the right path. Add in that you need to know whose data you are handling, and you may have a few more boxes to tick. The internet is a big place, and even though you may be a UK company, if people in EU countries use your service you will need to handle their data exactly as the EU requires.