Is Your Website GDPR Compliant?
How the new regulations will affect your business and what you need to do to ensure your security standards meet the new GDPR standards.
Need to know
So to get straight to the point; GDPR stands for General Data Protection Regulation. Now before you click away at the fear of being bored or perhaps panicked out of your skin, give us a chance; I will try to make this interesting and to furnish you with enough of the right information to put your mind at ease.
Whether or not the topic interests you personally, it is, nonetheless, an important forthcoming regulation that we all need to get a handle on. Yes, this EU regulation is set to become law in May 2018 and will enforce high-level stipulations on how global organisations control, process and protect the personal data of EU citizens. Sounds pretty heavy, right? Hopefully, this blog will show you it doesn’t have to be and with a few pointers from us, followed up by a little research from you, you’ll be well on your way to knowing how to become a GDPR compliant pro.
Who will be affected by the GDPR?
This new legislation will impact any organisation that does business with an EU organisation or individual. Businesses and organisations that will need to be GDPR compliant essentially include all businesses that control and process EU citizen data. This applies to those businesses and organisations operating from within the EU as well as those operating from outside the EU. The key is those that control and process EU citizen data.
The GDPR is the most significant and comprehensive data privacy regulation to date. Compliance with the GDPR is mandatory. A non-compliant website violating data protection risks heavy sanctions. If deemed to have made intentional or negligent misdemeanors offenders can be administered with large fines of up to €20 million or 4% (whichever is greater) of their global annual turnover.
New security responsibilities and obligations
So to make sure your website is GDPR compliant you’ll need to make sure you adhere to the new security responsibilities and obligations you, as an organisation or business dealing with EU citizen data, are required to undertake. It’s all about protecting personal identifiable information (PII) and data at every stage of handling and complete transparency in terms of what the data will be used for and who will have access to it.
You will need to:
- Notify authorities of any data breaches. You don’t have long; this needs to be done within 72 hours of the incidence of data breach coming to your attention.
- Provide transparent information to data owners.
- Be able to demonstrate the data owner’s consent to the processing of personal data.
- Pseudonymised and encrypt personal data.
- Act speedily when asked by data owner to delete personal data from your systems.
It would be worth putting some effort into getting your website data protection policies absolutely spot on and in line with GDPR well in advance of it coming into effect in May next year.
As a business take some time to analyze the risks your website poses currently and define a plan to make the necessary amendments and improvements. Why not try using the SWOT analysis and SMART objectives approach to help you identify a plan of action and implement it?
Familiarise yourself with the policies contained in GDPR and exactly how the new regulations will impact your current security and data protection procedures. What action do you need to take to merge the new requirements into your business model to ensure full GDPR compliancy? For example, what exactly are the new limits on the transferring and processing of data? What do you need to implement or update to make sure you are in compliance with every requirement.
You may wish to consider appropriate training for your team where everyone involved in data processing and data control can receive actionable guidance about the GDPR. This will ensure your staff are informed and the right people are aware of precisely what the new regulations stipulate and what part they have to play in implementing them. Do your staff know the differences between privacy and security, for instance? Are you on top of your data mapping and inventory? Does the team know what your GDPR accountability obligations are and are systems in place to support this? It’s imperative the company as a whole is on the same page, up to speed and able to enforce and adhere to the strict data protection legislation soon to be law.
Do what needs to be done. Then relax.
This new regulation has upped the ante in terms of data protection and how our personal information is dealt with and protected, and how we, as businesses, control, process and protect the personal data of our EU customers. In our humble opinion, this is a good thing. Once the effort has been made to get your website GDPR compliant, it should take little effort to maintain compliance and the result will, if nothing else, be peace of mind that you’ve met your legal obligations and your work here is done. With policies and procedures in place, should you be required to take action at some point in the future on a data protection issue, the systems will be firmly in place for you to easily do so.
h/t to: Chillibyte