But the digital world is a different place since the introduction of GDPR back in May 2018, as users are either becoming data savvy or paranoid about what data you have, what you want and how you are going to use it.
Little has changed in the GDPR guidelines themselves, but massive public data breaches at some of the biggest and most trusted companies mean that it’s more important than ever to make your site and processes watertight through policies, design and security.
So, if you’ve just done the bare minimum then it’s very important that either you, your website developers or an experienced third party (Ahem!) look at your site to make sure it adheres to the challenges originally set out by the Information Commissioner's Office:
- Awareness: You should make sure that decision makers and key people in your organisation are aware that GDPR is LAW. They need to appreciate the impact on the company should the ICO deem you not to be implementing the regulation correctly, and the consequences, both in user trust and financially, of falling foul of it.
- Information you hold: You should be documenting what personal data you hold, where it came from and who you share it with. You should have organised an information audit across the organisation or within particular business areas. GDPR requires you to maintain records of your processing activities.
- Communicating privacy information: You should review your current privacy notices again and make any changes that were not fully implemented when the guidelines were introduced. Remember that under GDPR regulations there are additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data.
- Individuals’ rights: You should make sure you have procedures in place that cover all the rights individuals have, including how you would delete personal data, or provide it electronically and in a commonly used format, if requested.
- Lawful basis for processing personal data: You should have already identified and documented the lawful basis for your processing activity under GDPR regulation and make sure you have updated your privacy notice to explain it. Many organisations still will not have thought about their lawful basis for processing personal data but you need to explain this in your privacy notice.
- Consent: You should re-check how you seek, record and manage consent and whether you need to make any changes. Remember there must be a positive opt-in – consent cannot be inferred from pre-ticked boxes and the like. Are you still using that opt-out tick box?
- Data breaches: You need to have the right procedures in place to detect, report and investigate a personal data breach. GDPR imposes a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals.
- Data protection by design: GDPR makes privacy by design an express legal requirement, under the term 'data protection by design and by default'. It also makes PIAs (privacy impact assessments) – referred to as 'Data Protection Impact Assessments' or DPIAs – mandatory in certain circumstances.
- Data protection officer: In most cases, you should have designated someone in your company to take responsibility for data protection compliance.
Everything you need to know is published and available in the Information Commissioner's Office Guide to Data Protection.
And if it’s all still a minefield then here at Headland we have plenty of experience successfully working with the GDPR regulations for ourselves and our clients so contact us or give us a call on 0113 2721555.
Craig Pickles - Technical Director