I only have to worry about GDPR if my site gets hacked?
Well, that’s a big no right there! The General Data Protection Regulation, or GDPR, is at the forefront of most clients’ minds when commissioning a new website, and if it is not, it should be. As a web designer or developer it is of paramount importance to ensure that clients know what responsibilities GDPR places on them. If you do not advise them, then quite rightly they can look to you if they fall foul of the regulations. The text of GDPR is relatively dry in a literary sense, so it’s best to explain it in plain language and then provide a written account highlighting the relevant areas. Attaching this documentation to the design sign-off is a good idea: the client can clearly see it as an important part of the process, and it also creates a clear record that everyone was informed.
With new rights to find out how their data is being used, it is quite likely that many website users will exercise them. Failing to prepare for this is likely to cost far more in retrospective action than making the effort to be ahead of the curve. It’s also wise to remember that the regulating authorities have the right to inspect the GDPR procedures you have in place at any time, regardless of whether or not there has been any reported security breach.
Is there an official list of actions to take or of things that I need to do?
Nope. That’s just wishful thinking. In fact the regulations ask more questions than they answer. GDPR sets out and defines required outcomes: it requires the ability to answer questions from the owners of the data you hold, and to provide accurate information in response. Identifying how GDPR affects your company or website, and acting upon it, is not a step-by-step tick-box procedure. You really do need to think about the required outcomes and work out whether they genuinely affect you.
Here’s a thought. If you are collecting data which you never use, maybe through a MailChimp plugin collecting names and email addresses, or a Contact Us page promising a call back, think carefully about why it’s there. Does anybody ever use it? If they do, does it give quality leads? Is it just there because it seemed like a good idea when the site was made or designed? If the answer to either of the first two questions is anything less than a resounding “Yes”, then you should seriously consider getting rid of it.
GDPR is not here to cause problems; in my view it is long overdue. If you collect data for a legitimate reason and are clear about what that reason is, then the new processes should be a minor inconvenience. If you are collecting data under false premises, and then using it for purposes that the owner of the data would not appreciate, then I guess it’s time to change your business model. After all, the reason we all have to do this work is the unscrupulous behaviour of such people and businesses.
Can I buy a product or software to make this go away? I’m sure someone will make one, but should you buy it?
I don’t think so! As I see it, the whole point of GDPR is to make you think about how your website, company or organisation treats other people’s data. This data is their privacy, and if they give it to you there is an element of trust.
If people don’t trust you, they will provide semi-false data, such as the wrong date of birth, or make up an email address just for supplying to companies that require one to use the service or product. This means there is no point in collecting the data in the first place, as it will be deliberately misleading.
Any process you put in place to avoid the responsibilities of GDPR is in itself an admission of guilt, and any one-size-fits-all approach is flawed because one size does not fit all.
GDPR is a European law, so the UK won’t be affected, right?
Absolutely not. Websites and companies exist in Europe, China, the USA and anywhere else just as much as they do in the UK, so it is important to move with the times and do business in a modern, forward-thinking way. In any case, the UK will adopt all European laws, with a view to changing some of them in the years after Brexit. It is unlikely that future governments will prioritise the loosening of regulations designed to protect the individual from unscrupulous behaviour.
The fines won’t be a big deal, will they? Wrong again.
There seems to be a pattern emerging here.
The fines are potentially crippling: 4% of global turnover, up to £30 million, for each significant infringement. Once again, that’s “turnover”, not pre-tax “profit”. There will be some proportionality, taking into account the organisation involved and the nature of the infringement, but the potential level of the fines shows clear intent to make GDPR stick.
GDPR strengthens the arm of the regulating bodies, so assuming the status quo of low fines and slaps on the wrist for negligent use and control of people’s data is a mistake.
Having said that, if you show clearly at the point of data entry what the data will be used for, use it only for the reason it was given, and ensure a sensible level of security, you are most of the way there.
Make sure you have an auditable process for deleting data on request, as well as for defining what it has been used for. Then you can’t go too far wrong.