All I hear about at the moment is GDPR. There seems to be a last-minute rush to be ready for the deadline, 25th May 2018. I guess there will be people out there who don’t even know what GDPR is, but I am afraid that this is not one of those things that we can ignore in the hope that it will go away.
GDPR stands for General Data Protection Regulation. The main principles of the original Data Protection Act set out in 1995 still hold true, but GDPR goes a step further to protect all EU citizens from privacy and data breaches. There are some key changes that businesses must be aware of.
My Take on the Key Changes
Data Breach – if you have a data breach or any of your data is lost or stolen you must notify the relevant authorities within 72 hours of first becoming aware of the breach.
Right to Access – individuals have a right to know whether or not their personal data is being used and how it is being used. If they ask, you are legally obliged to provide them with an electronic copy of all of their private data that you hold.
Right to be Forgotten – when an individual wants their data removed the data controller must erase everything they hold and cease any further use of that data. This is going to be a real boon for those who have been trying to get their Facebook data erased for years! Data controllers will also potentially be responsible for ensuring that any third parties they have passed data to also erase those records.
Data Portability – an individual has the right to move their data from one company to another.
Privacy by Design – when a new system or database is designed it should be done in such a way that only the minimum required data is collected. Equally, access should only be given to those who absolutely need it.
Data Protection Officers – generally speaking, companies will no longer be required to notify their government’s Data Protection Authority (DPA) of their data processing activities. Instead there will be internal record-keeping requirements, and this can be handled by a staff member or an external service provider, whose contact details must be given to the local DPA. The individual concerned must have the required resources and knowledge to carry out the task; they must also report directly to the highest level of management within the organisation.
Things you will need to do within your website
Forms – these could be contact forms, newsletter signup forms, questionnaires, basically any form where the end user must add their details and submit.
Make sure that every form on your website has a checkbox that is a required field (meaning that the form cannot be submitted if it is not ticked). The checkbox must be unticked by default. The text to be used should read something along the lines of “By using this form you agree with the storage and handling of your data by this website”.
WordPress Comments – if you allow user commenting on your website, you must add a checkbox exactly as described above to the WordPress comments form.
Online Store Checkout Form – if you sell online with WooCommerce or similar you will again need to add the same checkbox to your checkout page.
You can install the WP GDPR Compliance plugin and it will do the heavy lifting for you.
Companies who do not comply with GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) and that is potentially devastating.