What is GDPR and why should you care?
- by Urszula Richards
- 26 October 2018
GDPR, or General Data Protection Regulation, has been enshrined in EU Law since 25 May 2018.
What does a European data protection law have to do with your business here in Australia?
There are several reasons why you should care -
- All countries have various laws related to online and offline data and privacy. By adopting one of the more stringent laws, like GDPR, you can be fairly certain that you have gone a long way towards meeting the requirements of most other countries (though you will still need to verify any country specific requirements for countries where your website is accessed).
- While your primary business operations may be in Australia, people accessing your website or interacting with your business could be living anywhere, which means this law could apply to you.
- Having these policies and this information explicitly articulated on your website and baked into your operations means you can demonstrate that you treat your clients' and prospects' information with the security and transparency they expect.
GDPR is not just about your website.
Protecting personal data is not just about how your website handles it. It relates to every way in which you collect, store and use information, which means this is something that requires auditing on a business-wide level.
When it comes to your website, every touch point with a third party also needs to identify how information is collected, stored and used by the third party.
Remember the Facebook privacy sagas?
This is all part of that same ‘how is my personal data being used’ conversation, and if you didn’t like what Facebook was doing, you need to make sure you are also transparent about how you and your business handle personal data.
Key concepts to get familiar with.
You can view this video which offers a great explanation, or you can read the content of this video here.
If you want to know how to delete cookies, here is an article which will talk you through the process.
Data Controller
This is you / your business. You decide what data you collect about people and what you do with this information.
Data Processor
The person or body which processes data on behalf of the data controller.
So for example if you are doing email marketing using a particular marketing software, you are the data controller, because you determine what is sent and to whom, and the data processor is the email software company.
What are the key requirements of GDPR and website compliance?
It is to do with transparency, control and security of your personal information, including how it is
- stored and
Transparency - in that this information is clear and easily accessible (in plain English and/or relevant languages) and
Control - in that you can give and withdraw consent to its use, and ask for it to be exported and provided to you.
Where to start?
Step 1 - Audit Your Website
Check your website to ensure
- That site visitors have the ability to view and opt-in to accepting cookies from your website
- Go through every part of the website and list any data gathering functions (eg. forms) and all 3rd party integrations (eg. email list sign up, forum / comments sign ups); use this checklist.
Step 2 - Take Action
- Add a Cookie Banner to your website so visitors need to opt in to accept cookies
- Go through your list of on-site data collection points, and add contextual privacy information (eg forms)
- For anyone in the EU on your mailing list, send existing members a reconfirmation request
Review your internal security and how data is handled.
For example, where does sensitive data such as passwords or credit card details of your clients/customers go? Who has access, and what processes do you have when someone leaves?
We tend to think that data is most at risk from ‘cyber criminals’, however we often are quite blasé about security threats from within. This is something varonis.com specialise in and they identify three types of threats -
- An inside job - where someone from within the organisation leaks information or uses it for their own gains
- An inside mistake - slack systems and processes, or simply mistakes by someone - not malicious
- An outsider gaining access via insider credentials.
It may take some time to absorb what is required to become fully compliant with these new laws, but there are great resources available. One of these is this video - which summarises the key action points into 5 steps.
- Identify what you collect and hold
- Have simple privacy notices & procedures
- Have simple systems for changing, exporting or deleting customer data
- Examine any contracts you have with your Data Processing Partners and who is liable if something goes wrong with client data and
- You may need a Data Protection Officer, if you deal with a lot of data
Finally, if you have a complex global business, or deliver information in more than one language, you may want to check out these additional resources, which talk about some additional requirements in particular circumstances.
For GDPR compliance, you need to store and track proof of consent, and stay up to date. An embedded solution means your notices are always current, because the original master version is kept up to date.
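The two points above that a developer actually has to implement are the opt-in cookie banner from Step 2 (nothing non-essential is set until the visitor says yes) and the proof of consent just mentioned (what was agreed to, against which version of the notice, and when). The following is an added example written for this article, not code from the original post or from any product it links to; the storage key name, the 12-month re-consent interval, the category names and the notice version strings are assumptions, and the in-memory storage object stands in for the browser's localStorage so the module runs outside a page.

```javascript
// Added example (not from the original post): an opt-in cookie consent gate
// that keeps an auditable consent record. Storage key name, the 12-month
// re-consent interval, the categories and the notice versions are assumptions.

const CONSENT_KEY = 'cookie_consent_v1';              // assumed storage key
const RECONSENT_AFTER_MS = 365 * 24 * 60 * 60 * 1000; // assumed: re-ask after 12 months

// Categories that may only be set after an explicit opt-in. Strictly necessary
// cookies (session id, CSRF token) need no consent and are not gated here.
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Minimal in-memory stand-in for window.localStorage so the module also runs
// outside a browser; in a page you would pass localStorage itself.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Record an explicit opt-in. Every offered category is stored (true/false) so
// the record shows what was offered and what was declined; the notice version
// and timestamp are the proof of what the visitor actually agreed to and when.
function recordConsent(storage, { accepted, noticeVersion, now }) {
  const categories = {};
  for (const c of OPTIONAL_CATEGORIES) categories[c] = accepted.includes(c);
  const record = { categories, noticeVersion, consentedAt: now ?? Date.now() };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// A missing or unparseable record counts as "no consent", never as "yes".
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    return rec && typeof rec === 'object' && rec.categories ? rec : null;
  } catch (e) {
    return null;
  }
}

// A record no longer counts once the privacy notice it was given against has
// changed, or once it is older than the re-consent interval.
function isCurrent(rec, { noticeVersion, now }) {
  const t = now ?? Date.now();
  return rec.noticeVersion === noticeVersion && t - rec.consentedAt <= RECONSENT_AFTER_MS;
}

// Show the banner when there is no usable record. A record in which the
// visitor declined everything is still a valid answer and needs no banner.
function bannerRequired(storage, opts) {
  const rec = readConsent(storage);
  return rec === null || !isCurrent(rec, opts);
}

// The gate: true only for a current record in which this category was ticked.
function hasConsent(storage, category, opts) {
  const rec = readConsent(storage);
  return rec !== null && isCurrent(rec, opts) && rec.categories[category] === true;
}

// Run a loader (e.g. the analytics snippet) only behind the gate; returns
// whether it ran so the caller can tell what was and was not loaded.
function loadIfConsented(storage, category, opts, loader) {
  if (!hasConsent(storage, category, opts)) return false;
  loader();
  return true;
}

// Withdrawal (the "withdraw consent" right): remove the record and return the
// categories that were active so the caller can delete those cookies.
function withdrawConsent(storage) {
  const prev = readConsent(storage);
  storage.removeItem(CONSENT_KEY);
  if (prev === null) return [];
  return OPTIONAL_CATEGORIES.filter((c) => prev.categories[c] === true);
}
```

In a page, the banner is shown whenever bannerRequired() is true, the accept button calls recordConsent() with the ticked categories and the version of the privacy notice currently published, and every third-party snippet is wrapped in loadIfConsented(). Two design choices carry the compliance weight: the default answer is always "no" (a missing, corrupted or outdated record never unlocks anything), and changing the notice version forces a fresh opt-in, which is how "stay up to date" becomes enforceable rather than a reminder.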
If you would like some help with getting compliant, then get in touch. We can provide a report with recommendations for $125 + gst, together with a checklist of what needs to happen next, and help you with further implementation.