Most of you know the new GDPR regulations come into force on May 25th 2018 this year. GDPR should be seen as an opportunity to build trust with your users and improve brand presence.
We must however remind you that large fines are possible for non-compliance - €20 million or 4% of worldwide revenue.
Most of the new regulations relating to your website are already required under the general data protection regulation, but there are some new requirements that relate to data collection and storage, which we have outlined below.
This impacts all EU and many non-EU websites that collect personal data and/or provide goods or services to EU citizens, even if you haven’t got a physical presence in the EU.
1. Audit - what personal data is being collected on your website? Are you using cookies that are affected by GDPR? This will take an hour or two to check for most websites and we will work on a time and materials basis. A question often asked is: what is “personal information”? It is any personal data about an identifiable person who can be directly or indirectly identified - in particular by reference to their device, IP addresses, cookie identifiers, and GPS locations.
2. Consent Request - Implement a Consent Request procedure for all existing data collected and for all new personal data to be collected.
All personal data requires a “consent request”, which means that inactivity and pre-checked boxes are not consent. Practically, you need to have a form that is easy to understand, concise, and specific.
This is very important and we expect most of our customers will have to change the way they collect data to be compliant. Pre-ticked boxes, opt-out boxes or default settings do not constitute a valid consent request!
4. Cookies and GDPR
When cookies can identify an individual via their device, they are considered personal data, whether on their own or in conjunction with other information. The majority of cookies are subject to GDPR, for example cookies for analytics, advertising and functional services such as survey and chat tools. Google Analytics in some circumstances may also be subject to GDPR.
5. Processes to consider - How will you as Data Controller respond to a request to update or remove any personal information? A user has a right to be told what information is held about them, what they have consented to and where it is being stored, and to withdraw this consent at any time.