What is GDPR and what does it mean for my website?

GDPR stands for General Data Protection Regulation, legislation enacted by the European Union (EU) that moves from proposed to enforceable on May 25, 2018.

The General Data Protection Regulation was created to strengthen the rights of EU citizens when it comes to the collection and use of their personal data.

GDPR lays out rules for collection, use, and storage of personal data. The regulation:

  • Gives individuals eight specific rights regarding their personal data.
  • Lays out principles for protecting user data, incorporating security by design and reporting data breaches.
  • Specifies requirements for accountability, or your responsibility to demonstrate that you comply.

In a nutshell, you must abide by the individual rights, ensure that you are properly securing personal data and be able to document how you are doing so.

What is personal data?

Personal data is defined as any data that can be used to identify a living person, directly or indirectly. It includes things such as a name, photo, email address, personal bank or medical details, or a computer IP address.

From 25th May 2018, this new European law will make data collection on your website, such as contact forms and shopping carts, illegal unless you make some crucial changes. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

When it comes to your website, there are a few things you need to consider:

  • Before any data collection takes place, you must get explicit consent of each user.
  • Requests must use plain, easily understandable language, stand alone from other matters or requests, and not be buried in other text.
  • Have a clear and easily accessible privacy policy that tells your users how data you have collected about them will be kept and used.
  • Have a process for users to request access and view the data you have collected about them.
  • Provide users with a process to withdraw consent and purge the personal data collected about them, i.e. the “Right to Be Forgotten”.

Let’s consider a basic contact form on your website. A key part of GDPR compliance is that you should request as little information as possible. Every field on your contact form must be justifiable, and you must clearly inform the user what each piece of information will be used for and how it will be stored before they submit it. The user must actively consent to this, usually by ticking a checkbox.
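To make the contact-form points concrete, here is an added example (not code from the original post) of a minimal server-side handler that enforces data minimisation, refuses submissions without an explicit consent tick, records the consent for accountability, and supports access and erasure requests. The field names, the policy version string and the in-memory store are assumptions made for this illustration.

```python
# Added example: server-side handling of a GDPR-aware contact form.
# Field names, policy version and the in-memory store are assumptions.
from datetime import datetime, timezone

# Data minimisation: only fields you can justify are accepted at all.
ALLOWED_FIELDS = {"name", "email", "message"}
PRIVACY_POLICY_VERSION = "2018-05-25"  # assumed; bump whenever the policy text changes


class ConsentError(ValueError):
    """Raised when a submission cannot be accepted under the rules above."""


def accept_submission(form, store):
    """Validate a contact-form POST and record explicit consent.

    `form` is a dict of submitted fields; `store` is a dict keyed by e-mail
    address holding the stored data plus a consent record (accountability).
    """
    unexpected = set(form) - ALLOWED_FIELDS - {"consent"}
    if unexpected:
        raise ConsentError(f"unjustified fields submitted: {sorted(unexpected)}")
    # Explicit, affirmative consent: the checkbox must have been ticked.
    # A browser omits an unticked checkbox entirely, so a missing key means "no".
    if form.get("consent") != "on":
        raise ConsentError("no explicit consent given")
    if not form.get("email"):
        raise ConsentError("email is required to reply to the enquiry")
    record = {k: form[k] for k in ALLOWED_FIELDS if k in form}
    # Keep proof of what was agreed to, when, and under which policy text.
    record["consent"] = {
        "given_at": datetime.now(timezone.utc).isoformat(),
        "policy_version": PRIVACY_POLICY_VERSION,
        "purpose": "reply to contact-form enquiry",
    }
    store[form["email"]] = record
    return record


def export_personal_data(email, store):
    """Right of access: return everything held about this person, or None."""
    return store.get(email)


def erase_personal_data(email, store):
    """Right to be forgotten: purge the record; report whether one existed."""
    return store.pop(email, None) is not None
```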

GDPR compliance and Cookies

Starting May 25, you will need affirmative consent from your users to use certain types of cookies.

What are cookies?

Cookies are small files that are stored on a user’s computer. By design, cookies contain a small amount of data about both the website and the user, helping to provide a specialized experience for the user on return visits. For instance, a news site may use a cookie that tracks what content you typically view to help tailor a better browsing experience for you. Or an e-commerce website might use cookies that keep track of the items you view and put in your cart to better suggest additional products to you. Cookies can be accessed by both the web server and the user’s computer.

How do I make my website compliant?

For GDPR compliance, you need a cookies and privacy policy, a cookies consent popup and SSL as an absolute minimum, but it depends on the nature of your website. The more data you collect from your users, the more you need to do to become compliant with GDPR.

The only way to determine if you need to take action is to audit your website against the requirements of GDPR.

Free GDPR compliance website audit

Claim a free GDPR website audit before May 25th. Hurry and claim yours today!
