Data protection is one of the most important aspects of running and maintaining a website: failing to meet its basic standards can result in legal action, and it is a key concern for users and clients. Until recently, most UK website owners have mainly had to worry about the 1998 Data Protection Act and the EU Data Protection Directive 1995, alongside a number of other EU and UK regulations on freedom of information and cybersecurity. But with the passing of the General Data Protection Regulation in the European Parliament, website owners have a whole new set of regulations to worry about.
Despite the Brexit vote undermining EU authority in the UK in the views of many, we are still expected to follow any rules and regulations passed down from the EP, with the GDPR voted on before the Brexit vote and the government expecting full compliance by UK businesses by 2018. Even if your website follows the 1998 act to the letter, the GDPR will supersede it by the May 2018 deadline. So what do you need to do?
Things To Look Out For
Your website needs a clearly documented deletion process for old or junk data. Make sure that data can be exported in a readable, common file type (such as .CSV) when you need to demonstrate compliance with the GDPR. A process must be in place to allow any personal data that an individual has provided to be moved, copied or transferred easily from one IT environment to another. This must be done in a safe and secure way, without affecting usability.
If your site uses ADM (Automated Decision Making), you need to show that the ADM is operating within fair and transparent limits, and demonstrate the logic and reasoning your ADM programs apply when they use user data. If your website gathers data on users without their explicit consent, for example through pre-ticked boxes or by treating general inactivity as agreement, those mechanisms must be removed by the 2018 deadline.
Data breaches are also tackled in this regulation. Any data breach that may affect the rights and livelihood of your users must be disclosed to the proper authorities (usually the ICO) and to the affected individuals, as a breach may result in financial loss, defamation, discrimination and a loss of confidentiality for those individuals. Your website’s security should already be a priority, but make sure that user data is secure, as the penalties for violating the regulations can be steep: up to 20 million EUR (18 million GBP) or 4% of your company’s annual turnover. Ensure that your website meets these regulations before May 2018, as the new rules are no pushover. For WordPress users, a general site audit of how your site tracks, monitors and stores user data wouldn’t go amiss. Check how your site handles:
- user registrations,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
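The two concrete processes the article asks for (a documented deletion process for old data, and a portable export of one person's data in a common file type) can be implemented in a few dozen lines. The following is an added example, not code from the original article or from The Change Consultancy; it assumes the records from the audit list above (registrations, contact form entries, access logs) are available as in-memory lists of dicts, with constructed sample data standing in for a real WordPress database.

```python
"""Added example: minimal data-portability export and retention-based purge
over constructed sample records. Assumes the sources named in the audit list
are available as lists of dicts; a real site would read its database instead."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for the sources the audit list names.
SAMPLE_RECORDS = {
    "user_registrations": [
        {"email": "alice@example.com", "name": "Alice", "created": "2016-01-10T09:00:00+00:00"},
        {"email": "bob@example.com", "name": "Bob", "created": "2017-11-02T12:30:00+00:00"},
    ],
    "contact_form_entries": [
        {"email": "alice@example.com", "message": "Please call me", "created": "2015-06-01T08:00:00+00:00"},
        {"email": "carol@example.com", "message": "Quote request", "created": "2017-12-20T10:00:00+00:00"},
    ],
    "access_logs": [
        {"email": "alice@example.com", "ip": "203.0.113.7", "created": "2014-03-03T00:00:00+00:00"},
        {"email": "bob@example.com", "ip": "198.51.100.9", "created": "2017-12-01T00:00:00+00:00"},
    ],
}


def _parse(ts):
    """Timestamps are stored as ISO 8601 strings with an explicit UTC offset."""
    return datetime.fromisoformat(ts)


def export_subject(records, email):
    """Return every record held about one data subject as CSV text.

    One row per record, with a 'source' column so the subject can see which
    part of the site each item came from; columns missing from a given source
    are left blank rather than dropped."""
    rows = []
    fieldnames = ["source"]
    for source, items in records.items():
        for item in items:
            if item.get("email") == email:
                rows.append({"source": source, **item})
                for key in item:
                    if key not in fieldnames:
                        fieldnames.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def purge_expired(records, retention, now):
    """Delete records older than `retention` (in place) and return a count per
    source, so each run can be logged as evidence of the documented process."""
    cutoff = now - retention
    deleted = {}
    for source, items in records.items():
        keep = [r for r in items if _parse(r["created"]) >= cutoff]
        deleted[source] = len(items) - len(keep)
        items[:] = keep
    return deleted


if __name__ == "__main__":
    print(export_subject(SAMPLE_RECORDS, "alice@example.com"))
    print(purge_expired(SAMPLE_RECORDS, timedelta(days=730), datetime.now(timezone.utc)))
```

Keeping the per-source deletion counts (and writing them to an audit log) is what turns an ad-hoc cleanup into the "clearly documented" process the regulation expects; the export function likewise gives you the portable, readable copy of a person's data on request without hand-assembling it from each plugin's tables.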
According to an independent survey conducted by WatchGuard Technologies, around 37% of global businesses don’t know if they need to comply with GDPR, while 25% of businesses in the UK are also unaware of how GDPR will affect them. The general rule with GDPR is that if your company stores information and data that belongs to EU citizens, you need to comply with GDPR to avoid fines or legal action.
At The Change Consultancy, we’re dedicated to ensuring that businesses in the UK are ready to adapt and evolve when political, legal or technological changes threaten the success of their company.