Though you may be aware of the General Data Protection Regulation (GDPR), you may not be aware of exactly how it is going to impact your business, and what it means for your company website.
The majority of businesses will discover that there are areas of their website which need to be reviewed, and possibly amended, before GDPR becomes enforceable on May 25 2018.
GDPR Considerations to Make
There are several aspects of your company website that you need to examine in relation to the collection and processing of data. Some of these include:
- The specification of contact forms and the storage of the data gathered
- Blog page comments
- Live chat services
- Forum comments
- The registration process
When trying to decide if your website is currently GDPR compliant, you need to check what information you are storing, whether it is being held safely, whether you can easily access it if you receive a system access request (SAR), whether you have consent to use the data, and whether you need to continue storing it. That final point is vital; any data that you do not need should be removed, both to adhere to GDPR and because it makes things a lot easier for your company.
If you have not already ascertained whether or not your website complies with GDPR, and taken steps to resolve issues, you should do so quickly. Failure to do so could lead to sanctions for non-compliance, potentially including a financial penalty.
GDPR Certification Process
You may have seen many companies offering certification and training for the General Data Protection Regulation (GDPR). This type of training aims to increase awareness of the rules of GDPR and look at issues such as consent, security and data access. None of these certificates are recognised, as they are not awarded by recognised certifying authorities.
The Information Commissioner's Office (ICO) in the United Kingdom hopes to establish some recognised certifying authorities before the May 2018 deadline for GDPR compliance. Certification by these bodies is not mandated, but your company may find it useful in helping it to decide how it can achieve and establish compliance.
The Importance of Proof
After the GDPR ‘go-live’ date of May 25 2018, a Data Protection Authority (DPA), such as the ICO, will be able to investigate businesses and punish them for non-compliance. It is not sufficient for a business to be compliant; it has to prove that it is. To do this, your business has to have compliance processes and procedures implemented, and they need to be integrated into the operation of the business. There is also a requirement for controls and risk mitigation plans, as well as plans on how to report data breaches within the required 72 hours.
For your business processes and procedures to be GDPR compliant, you need to make sure that the whole of the GDPR is considered, not just particular elements of it. In practice, DPAs are likely to focus on dealing with businesses that are obviously non-compliant, at least initially.