How the EU's latest data privacy laws impact the UK's online universe: Tips to prepare your website for GDPR

According to Spiceworks IT Snapshot from June 2017, UK businesses have a decent understanding that they need to do something to prepare for GDPR. But 29% of those businesses surveyed hadn't started any compliance projects yet because they weren't sure how it affected them. The three top concerns about GDPR in the UK include: unclear compliance steps; compliance needing a lot of user training; and the lack of understanding of the impact of GDPR by management.

But amongst the threat of legal fines and looming deadlines, businesses cannot forget the purpose of this regulation: GDPR aims to give European citizens full control over their personal information that is collected, used, and stored by organisations and third parties.

So while GDPR affects every aspect of an organisation, a major gateway to personal data could be the website. (Or in many cases, websites—organisations typically have more than one domain.) Organisations tend to underestimate the amount of personal data they handle, especially across these digital assets. Personal data about prospects, customers, or employees could include names, email addresses phone numbers and IP addresses.

However, If you've overlooked your website operations during your GDPR compliance projects, don't panic. Start with these tips:

1. Map Out All Website Processes

At least one department likely handles personal data on your website every day. Detail how all prospect, customer, and employee data is handled internally and externally across these categories:

• Transit – How is data transferred within your company and to external parties?
• Storage – How and where is data stored and safeguarded? The geographical "where" is important in GDPR because not all countries are considered adequate enough to handle personal data.
• Retention – How long is data kept and why? If the data doesn't fulfil a purpose, delete it.
• Deletion – How is online data deleted?

2. Perform a Data Audit

Audit all personal data you collect from EU citizens. (That includes all info collected through cookies.) Then, you can decide which data to keep and which to toss. Having this overview will make it easier when citizens reach out and ask you to delete their personal information.

3. Revamp Your Privacy Policy

Be upfront with visitors by requesting their consent in a way that is clear, concise, and free of vague wording or confusing jargon. Work with your legal department on your privacy policy to dive deeper into the uses of personal data, following these guidelines set out by GDPR.

4. Create a Response Plan for Data Breaches

If personal data you handle is exposed, lost, or altered incorrectly, GDPR requires organisations to notify the authorities within 72 hours. Draft a response plan for how you will notify the authorities and the people whose data was breached so you can rebuild trust from the beginning.

Start with these tips to get a firmer grip on how GDPR impacts your online operations. And at the end of the day, remember two things: GDPR affects organisations far beyond the EU who want to do business there, and secondly, it's truly about the importance of protecting personal data. Remember, the two key features of GDPR are transparency and accountability. Let these be the guiding principles at every level of your business and throughout your processes.

Mikkel Landt, Product Unit Director, Siteimprove.