“By failing to prepare, you are preparing to fail,” Benjamin Franklin.
The buzz created by the comprehensive EU data protection legislation, the General Data Protection Regulation or GDPR seems to have taken the business world by storm. Now that the law has already come into force on May 25, it is time you understood and implemented it through your business website. For if you don’t, your business runs the risk of being subjected to stiff penalties to the tune of 20 million Euros or 4% of the previous year’s turnover, whichever is higher. Does that seem to be a scary scenario? The answer is NO provided you understand the basic premise of the legislation and the ways you can make your business website GDPR compliant.
The GDPR subsumes all the earlier EU based data protection laws into a single all encompassing legislation. It aims at ensuring a greater transparency and protection of individual rights and freedom within the territory of EU. Even though GDPR is voluminous (260 pages, 11 chapters and 99 articles) not to speak of being quite complex as well, the blog will try to make it simpler for you to understand the key provisions of GDPR that can impact your business. Through this blog, we aim to remove some of the niggling doubts about GDPR and explain how you can let your business stay on the right side of it.
To begin with let us be clear about some of the key terms that have been used extensively in GDPR viz., personal data, data subject, data controller and data processor.
Personal data: This relates to any information belonging to an individual who happens to be the citizen of any of the EU member countries. The information can be his or her name, identification number, location, gender, or related to his or her social, physical, physiological, genetic, cultural, economic, or mental identity. For example: Mr. Mark, 0012, Athens, Male, Caucasian, Christian, income of 10,000 Euros etc.
Data subject: The individual whose personal data is being described above. For example: Mr. Mark.
Data controller: The entity (read business, company, enterprise, organization, government) that determines the purpose and means of collecting, storing, sharing and processing of personal data. For example, if your business carries out the above activities then it becomes the data controller.
Data processor: The third party vendor that analyses and processes the personal data of data subjects as approved by the data controller. For example, if you engage an experienced website design company to build your website, the latter will be the data processor.
Remember! You can prevent your business from falling foul of the stringent GDPR provisions by making the key interface of your business to the outside world – the website, GDPR compliant. Let us find out how to achieve the same preferably by availing professional website design services. This is of utmost importance as an experienced website development company will have the specific knowledge of the GDPR provisions and the key areas in your website where they will be applicable.
The GDPR provisions do not require drastic changes to be made to the basic architecture of your website. These are limited to only a few areas as described below.
Forms: If your website has a ‘Contact Us’ form with a checkbox inviting subscription to newsletters or promotional materials, it should either be ticked ‘No’ or kept blank. Unlike in earlier times, the checkbox should not be pre ticked. Moreover, should you seek consent from the data subject for using personal data for different purposes, then the checkboxes should be unbundled and separated. These are needed to help the customer (data subject) understand each of the services better.
Clear Withdrawl Procedure: If the data subject wants to withdraw from subscribing to a particular service(s), the website should have clear options showing the same. In fact, there should be clear checkboxes to unsubscribe from specific services. You can possibly add the reasons of unsubscribing as separate options for the customer to choose from. The same can be used for carrying out analysis of the reasons so that you can work on improving the services or UX.
Monitor Third Party Links: Your website might have links to third party sites to enable digital marketing services. However, these links can be used by thirty party vendors to collect personal data of data subjects. So, by providing these links, you are actually consenting to the vendors collecting personal data. Under GDPR provisions, you need to obtain specific consent from customers related to the sharing of their personal data with third party vendors. This is where a comprehensive audit should be carried out to understand and monitor how and where in your website the personal data are collected by third party vendors.
Privacy norms, Terms and Conditions: The Terms and Conditions page of your website should clearly display the modus operandi of collecting data. It should describe as to how you intend to use the personal data and for how long will you retain the same in your systems. Moreover, the privacy norms should list out the applications the website uses to track user interaction and specify customer consent in doing so.
Online payments: If you have an online store that collects personal information to be passed onto the payment gateway companies or banks for further processing, the information remains stored in your systems as well. According to GDPR, you cannot keep the personal data in your systems for an indefinite period unless they are needed for legitimate purposes. You should ensure the personal data collected for payment purposes by the online store are deleted within a reasonable period.
SSL Certificate: The SSL certificate ensures the browser bar displays a secure notice and a padlock symbol. The purpose is to securely encrypt all the details that are entered into any of the forms or fields on a website. You can contact your hosting server provider to purchase and install the same.
Encrypted Data storage: Store all passwords in an encrypted format to prevent their falling into wrong hands.
GDPR is not to be feared, for it is an enabling legislation to bring in transparency in the way businesses deal with customer data. If the above mentioned steps are incorporated into your website preferably by an experienced web development company, you will stay clear of compliance issues and create a greater level of trust among your customers.