The GDPR takes effect on 25 May 2018, but with most organisations not yet compliant, a lot of work will occur after the compliance deadline. Even if you don’t think you’ll be ready in time, it’s important to show signs of progress to ensure leniency from supervisory authorities.
There are many things you need to consider when preparing your website for the GDPR. This blog outlines three of the most important questions.
- Why are you collecting personal data?
The GDPR’s philosophy is essentially that, the less data an organisation collects, the less chance there is of it being misused. Gone are the days of amassing as much information as possible and putting it into a database for future use. Instead, you must have a specific plan for how you intend to use personal data, and justify it using one of six lawful grounds.
Consent is currently the most common lawful ground, but the GDPR toughens the rules for getting and keeping it, so organisations should only use it if no other grounds apply. There are detailed rules for how to seek consent, which vary depending on what kind of information you want and who you are seeking it from. Sensitive personal data requires explicit consent, and there are separate requirements for getting consent from children.
Policies should be written in clear language, explaining how you are collecting data, where it is being stored, how long you intend to keep it (the GDPR states that information can only be kept for “as long as necessary”) and how individuals can exercise their data subject rights.
These rights include:
- The right of access: Individuals must be allowed to submit subject access requests, which require organisations to provide a copy of any personal data pertaining to them.
- The right to rectification: If the information an organisation holds is inaccurate or incomplete, individuals can request that it be updated.
- The right to erasure (also known as ‘the right to be forgotten’): In some circumstances, individuals can request that the organisation deletes their personal data.
- The right to restrict processing: As an alternative to erasing data, there are times when individuals might prefer to simply restrict processing (such as when they contest the personal data’s accuracy).
Individuals have eight rights in total, which you can read about in more detail on our blog.
- What cookies are you using?
Cookies are only subject to the GDPR if they contain personal data. Many cookies fall into this category, such as those used for analytics, advertising and functional services (e.g. survey and chat tools).
Organisations must account for all cookies that contain personal data and decide whether there is a legitimate, specific reason for using them. If there is no justifiable reason, the offending cookies should stop being used. If there is a reason, the website should make this clear.
Cookie Law recommends that organisations do this via soft opt-in consent: “This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
Document your compliance
At the core of each of these concerns – as well as many other requirements of the GDPR – is documentation. Organisations need to have written evidence to justify their data collection practices. This is essential both internally, helping staff stay on top of data protection and meeting individuals’ rights, as well as externally. In the event of a breach, an organisation’s supervisory authority will conduct an investigation. If it finds that the organisation is compliant with the Regulation’s requirements, disciplinary action probably won’t follow.
For help creating that documentation, take a look at our EU General Data Protection Regulation (GDPR) Documentation Toolkit.
This toolkit contains easy-to-use templates, customisable worksheets, policies and expert guidance. It will help you:
- Identify risks to personal data and put in place the necessary controls to resolve those issues;
- Embed the documentation in your organisation quickly and easily; and
- Integrate GDPR documentation alongside your ISO 27001