
No Nonsense Web Design

Sunday 9th December 2018

Website design, development & marketing

No Nonsense Web General Data Protection Regulation

Introduction

The General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016 and supersedes the previous 1995 directive. Compliance has been mandatory since 25th May 2018. The regulation applies to any organisation that processes the personal data of individuals in the EU, regardless of where that organisation is based, and whatever the outcome of Brexit the regulation will still apply.

Failure to comply could result in a fine of up to €20 million or 4% of your annual worldwide turnover, whichever is greater.

Data Collection

If you collect any personal information via your website, even if it is only a name and email address, you have a duty to comply. The most common example is collecting data to build a mailing list. How and where you store this information determines the steps you need to take to comply.

If you store this information in a database (either online or offline), you must ensure that the database is secure (access requires a password and it is not exposed to the public internet) and ideally encrypted. If you store this information in emails, a spreadsheet or a plain text file, these too should be encrypted and/or password protected. If you also keep copies on a backup device, USB stick or any other removable media, these need to be encrypted as well: a password on a laptop or account does not protect the data on a device that is lost or stolen, whereas full-device or file encryption does.

If you use a third party to manage your mailing lists, you should ensure that they are compliant, but this does not transfer your responsibility to them. You remain the data controller; the third party is a data processor, and the GDPR requires a written contract under which they commit to handling your subscribers' data securely and only on your instructions. Check for this before signing up.

Website Forms

When you use forms to collect personal data, you need to make it very clear what data you are collecting, how that data will be used and processed, and whether that data will be passed on to any third parties. Other than the information strictly needed to complete a transaction (e.g. an online purchase or subscription), visitors must actively opt in to each further use of their data before submission; they should not have to opt out of it. It is also no longer acceptable to have opt-in tick boxes selected by default.

Although a clearly written data protection notice and privacy policy are still essential, not only for compliance but also for customer reassurance, it is no longer acceptable to bury opt-in/opt-out choices inside them or inside your terms and conditions. GDPR is all about transparency and openness.

Consent

One of the key areas of the GDPR is consent. Be completely open with your visitors and explicitly request their consent to save and process their data. Do not collect or save their details without it. Tell them why you want the data and how you will use it, ask separately for each distinct use, and give them the option to opt out either from the outset or at a later date. Keep a record of when consent was given and what wording the visitor saw, so that you can show it was freely and knowingly given.

Data Processing

However you use or process the data you collect, it must stay within the boundaries that you publicly set out at the point of collection. Using it for any other purpose would be a breach of compliance.

Data Storage

All data must be stored securely to guard against online hacking or loss/theft of a local device. See 'Data Collection' above for further information.

Mailing Lists

For most SMEs this will be the main focus for GDPR compliance. If you already have an active mailing list, you first need to consider how you obtained that data. If your subscribers came from your own website forms and opted in of their own accord following the above guidelines, there is little for you to do other than to make sure that you are GDPR compliant regarding data storage and that every mailing tells subscribers how to opt out.

If your forms did not comply, or you purchased a third party mailing list, then you should send out an email clearly outlining your awareness of GDPR and requesting their permission to remain on your mailing list. If subscribers fail to reply or decline to remain on the list, you must remove them. Be aware that if you never had a lawful basis to email these people, the re-permission email is itself a marketing email you were not entitled to send; the ICO has taken action against companies for exactly this, so take advice before mailing a purchased list.

Opting Out and Removal

Whatever the reason for your data collection, you must at all times give customers the option to remove their details from your system. If this data is mission-critical, such as ongoing services, you need to point out that these services will no longer be available if they are removed.
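The sections on forms, consent, mailing lists and opting out above describe one procedure: store a subscriber only when the opt-in box was explicitly ticked, keep a record of when and under which notice they agreed, treat legacy subscribers as pending until they confirm, and remove anyone who declines or never replies. The following is an added example of that bookkeeping, written for this page and not code from the original site. It assumes a sign-up form that posts the fields `name`, `email` and an opt-in checkbox `consent_newsletter` with `value="yes"` and no `checked` attribute; the field names, the `NOTICE_VERSION` identifier and the sample submissions are all constructed for the example.

```python
"""Consent bookkeeping for a website mailing-list form (added example).

Assumes the HTML form contains:
    <input type="checkbox" name="consent_newsletter" value="yes">
with no 'checked' attribute, so the box is unticked by default.
All field names and the NOTICE_VERSION value are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Identifier of the privacy notice wording shown beside the form (assumed).
NOTICE_VERSION = "2018-05"


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    email: str
    name: str
    purpose: str                 # what the subscriber agreed to
    notice_version: str          # which wording they saw when agreeing
    given_at: Optional[str]      # None for legacy entries awaiting re-permission

    @property
    def active(self) -> bool:
        return self.given_at is not None


class ConsentError(ValueError):
    """Raised when a submission carries no explicit opt-in."""


class MailingList:
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}

    def subscribe(self, form: Dict[str, str], now: Optional[str] = None) -> ConsentRecord:
        """Store the subscriber only if the opt-in box was ticked.

        Browsers omit an unticked checkbox from the POST body entirely, so a
        missing field means 'no'. Only the literal value the form sets is
        accepted, so a stray 'on' from a differently built form is not
        mistaken for consent either.
        """
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            raise ValueError("a valid email address is required")
        if form.get("consent_newsletter") != "yes":
            raise ConsentError("opt-in box not ticked: nothing stored")
        rec = ConsentRecord(email=email, name=form.get("name", "").strip(),
                            purpose="newsletter", notice_version=NOTICE_VERSION,
                            given_at=now or _now_iso())
        self.records[email] = rec
        return rec

    def import_legacy(self, email: str, name: str = "") -> ConsentRecord:
        """Add a pre-existing subscriber whose consent cannot be evidenced.

        They are held as pending (given_at is None) and never mailed until
        they confirm in reply to the re-permission email.
        """
        rec = ConsentRecord(email=email.strip().lower(), name=name.strip(),
                            purpose="newsletter", notice_version=NOTICE_VERSION,
                            given_at=None)
        self.records[rec.email] = rec
        return rec

    def confirm(self, email: str, now: Optional[str] = None) -> bool:
        """Record a legacy subscriber's reply agreeing to stay on the list."""
        rec = self.records.get(email.strip().lower())
        if rec is None:
            return False
        rec.given_at = now or _now_iso()
        return True

    def unsubscribe(self, email: str) -> bool:
        """Remove a subscriber's details entirely, whatever their status."""
        return self.records.pop(email.strip().lower(), None) is not None

    def purge_unconfirmed(self) -> List[str]:
        """Remove legacy entries that never confirmed; returns who was removed."""
        gone = sorted(e for e, r in self.records.items() if not r.active)
        for e in gone:
            del self.records[e]
        return gone

    def recipients(self) -> List[str]:
        """Addresses that may actually be mailed: explicit consent only."""
        return sorted(e for e, r in self.records.items() if r.active)
```

The design point is that consent is never inferred: a missing or differently valued checkbox field, or a legacy entry that has not replied, yields no mailable address, and `recipients()` is the only path a mailer should read from.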

Conclusion

All told, the GDPR isn't a drastic change from the previous directive. The main emphasis for UK businesses is on people consciously opting in, clarity about what their data is used for, storing that data securely, and allowing them to opt out easily.

Disclaimer

The above information is for guidance only and aimed at UK based SMEs. For further details, please visit the Information Commissioner's Office (ICO) website.


If you have any questions about GDPR or how you can make sure that your website is compliant, please contact us. We will be happy to help.

