Here at HITS, we like to keep a close eye on any forthcoming regulations that will impact our clients. The latest development to be aware of is GDPR, also known as the General Data Protection Regulation. It will become enforceable from 25th May 2018. This regulation will dictate the procedures for the control of personal data and the consequences and notifications required for data breaches. It will apply not only to your website but also to other areas of your business organisation.
Key Points About GDPR
Personal data – any information relating to an identifiable person who can be directly or indirectly identified.
Consent – All individuals must be provided with accurate information, such as what data you collect and process and why. Individuals must give consent to have their data stored, and this consent must be freely given, informed and unambiguous.
Right to be forgotten – Individuals have the right to request that their data is deleted or removed, where there is no compelling reason for you to continue to process it.
Notifications of breaches – All organisations must report data breaches to the ICO within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Special categories of data – New provisions for particular data, such as for children and genetic, medical and biometric data, are more stringent.
Check What You Do With Information
- Are you registered with the ICO?
- What personal data do you store at the moment? For example: leads, customers, networking contacts, suppliers.
- How did you obtain this personal information?
- How long have you held this information?
- Who do you share it with, for example, suppliers?
- How is it stored (paper or electronic)?
- If electronic, where do you store this information?
Check Your Processes
- Do you have a lawful reason to hold the personal data? Article 6(1) of the GDPR sets out the six possible lawful bases for processing personal data.
- Do you need all this personal data?
- What are your processes for recording and managing consent? Do you need to make any changes?
- Refresh existing consents if they do not meet the standard.
- Do you have a process in place to detect, report and investigate a data breach?
Review Your Policies
- Privacy by design – if necessary, do a privacy impact assessment.
- How are you keeping the personal data secure?
- Review your website privacy & cookie policies.
- Review your consent wording.
- Review your wording on communication with contacts.
- Review contracts and terms with customers and suppliers.
Summary Of GDPR Actions
You should now know and have written down:
- What data you have
- Where it is
- Who has access to it
- How it is processed
- What your data protection responsibilities are
If you are using open-source software such as WordPress for your website, you must be aware of any security vulnerabilities and patch them straight away. Proactive website maintenance will be vital. Already the ICO has fined a couple of organisations where data breaches were caused by open-source software not being kept up to date.
How Can HITS Help?
Thanks to our website solutions being bespoke through design rather than code, HITS can continually update the digital framework on which they are built. So as soon as the new regulation-compliant plug-ins from WordPress and WooCommerce are released, we will implement them across all our client sites as quickly as possible, at no additional cost. This will ensure that all our clients can be GDPR compliant by 25th May 2018, when the new regulations become enforceable.