onlineiq blog

What is GDPR and why should you care?

  • by Urszula Richards
  • 26 October 2018
GDPR, or General Data Protection Regulation, has been enshrined in EU Law since 25 May 2018.

What does a European data protection law have to do with your business here in Australia?

Here are some reasons why you should care -

  • All countries have various laws related to online and offline data and privacy. By adopting one of the more stringent laws, like GDPR, you can be fairly certain that you have gone a long way towards meeting the requirements of most other countries (though you will still need to verify any country specific requirements for countries where your website is accessed).
  • While your primary business operations may be in Australia, people accessing your website or interacting with your business could be living anywhere, which means this law could apply to you.
  • Having these policies and information explicitly articulated on your website and baked into your operations means you can demonstrate that you treat your clients' and prospects' information with the security and transparency they expect.

GDPR is not just about your website.

GDPR is not just about how your website handles personal data. It relates to every way in which you collect, store and use information, which means this is something that requires auditing on a business-wide level.

When it comes to your website, every touch point with a third party also needs to identify how information is collected, stored and used by the third party.

Remember the Facebook privacy sagas?

This is all part of that same ‘how is my personal data being used’ conversation, and if you didn’t like what Facebook was doing, you need to make sure you are also transparent about how you and your business handle personal data.

Key concepts to get familiar with.

Cookies

You can view this video which offers a great explanation, or you can read the content of this video here.

If you want to know how to delete cookies, here is an article which will talk you through the process.

Data Controller

This is you / your business. You decide what data you collect about people and what you do with this information.

Data Processor

The person or body which processes data on behalf of the data controller.

So, for example, if you are doing email marketing using a particular marketing software, you are the data controller, because you determine what is sent and to whom, and the data processor is the email software company.

You can read more about this distinction here.

What are the key requirements of GDPR and website compliance?

It is about transparency, control and security of personal information, including how it is

  • captured,
  • stored and
  • used

Transparency - in that this information is clear and easily accessible (in plain English and/or the relevant languages), and

Control - in that the individual can give and withdraw consent to its use, and can ask for it to be exported and provided to them.

Where to start?

Step 1 - Audit Your Website

Check your website to ensure

  • It has a privacy policy
  • The privacy policy is up to date
  • That site visitors have the ability to view and opt in to accepting cookies from your website
  • Go through every part of the website and list any data gathering functions (eg. forms) and all 3rd party integrations (eg. email list sign up, forum / comments sign ups); use this checklist.

Step 2 - Take Action

  • Update your Privacy Policy (or create one if you don’t have one)
  • Review and update your Privacy Policy after you have understood all the elements a Privacy Policy should have (https://privacypolicies.com/blog/gdpr-privacy-policy/), or we can do this for you
  • Add a Cookie Banner to your website so visitors need to opt in to accept cookies
  • Go through your list of on-site data collection points, and add contextual privacy information (eg. forms)
  • Go through your list of third party integrations which handle data and list the data processor’s privacy policy (eg. CRM or email marketing software)
  • For anyone in the EU on your list, send a reconfirmation request to existing mailing list members
  • Prepare data export, modification & deletion protocols and ensure these are clearly outlined in your Privacy Policy.

Step 3 - Look On The Inside

Review your internal security & how data is handled.

For example, where does sensitive data such as passwords or credit card details of your clients/customers go? Who has access, and what processes do you have when someone leaves?

We tend to think that data is most at risk from ‘cyber criminals’, however we are often quite blasé about security threats from within. This is something varonis.com specialise in, and they identify three types of threats -

  • An inside job - where someone from within the organisation leaks information or uses it for their own gain
  • An inside mistake - slack systems and processes, or simply a mistake by someone - not malicious
  • An outsider gaining access via an insider’s credentials.

It may take some time to absorb what is required to become fully compliant with these new laws, but there are great resources available. One of these is this video, which summarises the key action points into 5 steps.

  1. Identify what you collect and hold
  2. Have simple privacy notices & procedures
  3. Have simple systems for changing, exporting or deleting customer data
  4. Examine any contracts you have with your Data Processing Partners, and who is liable if something goes wrong with client data, and
  5. You may need a Data Protection Officer if you deal with a lot of data

Finally, if you have a complex global business, or deliver information in more than one language, you may want to check out these additional resources, which cover some additional requirements in particular circumstances.

Advanced Requirements

Multi-Lingual

https://privacypolicies.com/blog/privacy-policy-multiple-languages/#how-to-create-multiple-versions-of-your-privacy-policy

https://www.iubenda.com/en/?code=tendiscref&aic=S9GT3VZ

Robust Solutions

https://www.iubenda.com/en/?code=tendiscref&aic=S9GT3VZ

For GDPR compliance you need to store and track proof of consent, and keep your policies up to date. An embedded solution means your policy is always current, because the original (master) version is kept up to date by the provider.

If you would like some help with getting compliant, then get in touch. We can provide a report with recommendations for $125 + GST, together with a checklist of what needs to happen next, and help you with further implementation.
