Businesses in the UK, whether B2B or B2C, are racing against the clock to get ready for the General Data Protection Regulation (GDPR), which comes into force on May 25, 2018. Even though the UK has opted to leave the EU after GDPR was agreed upon, the rules still apply; in fact, GDPR will be applicable as British law. Any organisation in the world that holds or processes the personal data of EU citizens will be obliged to protect that data.
"If you want to do business in Europe, you need to understand GDPR. At the end of the day, if you can't demonstrate GDPR compliance, EU companies will probably say no to you," the managing director at think tank DigitalNations, Rasmus Theede, warns.
According to Spiceworks IT Snapshot from June 2017, UK businesses have a decent understanding that they need to do something to prepare for GDPR. But 29% of those businesses surveyed hadn't started any compliance projects yet because they weren't sure how it affected them. The three top concerns about GDPR in the UK include: unclear compliance steps; compliance needing a lot of user training; and the lack of understanding of the impact of GDPR by management.
But amongst the threat of legal fines and looming deadlines, businesses cannot forget the purpose of this regulation: GDPR aims to give European citizens full control over their personal information that is collected, used, and stored by organisations and third parties.
So while GDPR affects every aspect of an organisation, a major gateway to personal data could be the website (or, in many cases, websites: organisations typically have more than one domain). Organisations tend to underestimate the amount of personal data they handle, especially across these digital assets. Personal data about prospects, customers, or employees could include names, email addresses, phone numbers and IP addresses.
However, if you've overlooked your website operations during your GDPR compliance projects, don't panic. Start with these tips:
1. Map Out All Website Processes
At least one department likely handles personal data on your website every day. Detail how all prospect, customer, and employee data is handled internally and externally across these categories:
- Transit – How is data transferred within your company and to external parties?
- Storage – How and where is data stored and safeguarded? The geographical "where" is important in GDPR because not all countries are considered to provide an adequate level of protection for personal data.
- Retention – How long is data kept and why? If the data doesn't fulfil a purpose, delete it.
- Deletion – How is online data deleted?
2. Perform a Data Audit
Audit all personal data you collect from EU citizens. (That includes all info collected through cookies.) Then, you can decide which data to keep and which to toss. Having this overview will make it easier when citizens reach out and ask you to delete their personal information.
4. Create a Response Plan for Data Breaches
If personal data you handle is exposed, lost, or altered without authorisation, GDPR requires organisations to notify the authorities within 72 hours of becoming aware of the breach. Draft a response plan for how you will notify the authorities and the people whose data was breached, so you can start rebuilding trust from the outset.
Start with these tips to get a firmer grip on how GDPR impacts your online operations. And at the end of the day, remember two things: first, GDPR affects organisations far beyond the EU that want to do business there; and second, it's truly about the importance of protecting personal data. The two key features of GDPR are transparency and accountability. Let these be the guiding principles at every level of your business and throughout your processes.
Mikkel Landt, Product Unit Director, Siteimprove.