The General Data Protection Regulation (GDPR) is an EU regulation designed to give consumers greater control over their personal data, and many businesses are becoming more wary of where workplace data is held.
While employees can currently read work email on their personal laptops and smartphones, many companies may choose to put more stringent controls on that access.
A survey of 2,000 UK office workers, conducted by tech retailer Ebuyer, shows that 66% of people log on outside of their normal business hours, with most of those (91%) using their personal devices to do so.
Whether you operate a large online store or just a small personal blog, if you process any kind of data collected from the users who visit your site, you are subject to the regulation and must make your website GDPR compliant.
To do that, you must conduct a personal data audit to identify all of your data processes. For each one, consider what you use the data for, where it is stored and, most importantly, whether you still need it.
GDPR compliance checklist
- Document the personal data your organisation holds, where it came from and who it is shared with. A systematic audit of your current processes is a good start to identifying what changes need to be made.
- Review your privacy notices. Under the GDPR, you will need to explain the lawful basis for processing customer data, as well as how long you retain it for and the customer’s right to complain about how you are using it. This must be communicated clearly and concisely.
- Have a robust process in place for locating and deleting individual customers’ data if and when requested. This is one of the key rights individuals will be made aware of under the GDPR.
- Be aware of the new right to “data portability”. This means individuals have the right to request their personal data in a commonly-used, machine-readable format, provided free of charge and within one month. Consider how your organisation will provide this.
- Review how you seek, record and manage consent for data collection. Remember that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: assumed consent (for instance, via pre-ticked boxes on a web form) is not valid and may land you in trouble.
- Review how you will verify individuals' ages and how you will obtain parental consent where it is required to process a child's data (the age threshold is 16 by default under the GDPR; the UK has lowered it to 13). This also means your privacy notices must be written in a way children can understand.
- Reinforce your existing data breach reporting procedures so that your organisation can meet the new timelines: a breach must be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to individuals. Failure to comply may be a much more serious matter under the GDPR than it is today.
- Take steps to appoint a Data Protection Officer if you are required to (for example, if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data), and consider who should be responsible for GDPR compliance even if not.