The Europe Union (EU) General Data Protection Regulation (GDPR) proposed by Europe Commission becomes active after May 25, 2018. GDPR has very strict rules about collecting, storing, and processing data. Gathering even very small piece of information about an EU citizen requires consent from customer/visitor and very high responsibility for the companies. The fines are quite high in case of breach, they are up to as high as 20 million Euros or 4% of annual global turnover (yes, you read it right. It is global!), whichever is the highest.
Therefore, asking to fill a form even for a newsletter requires some adjustment to comply GDPR rules and to avoid penalties.
How do I know if my website requires to comply GDPR rules?
If your website has any of the following, then you definitely need to consent to a lawyer to check that if you meet the GDPR requirements. Your website;
The long story short, with GDPR, EU wants companies and corporations to understand what data (personal or not) that they (or their third parties) collect and how they use it. If any way, your website asking to enter any data from visitors, then you may need to comply GDPR rules. You need to understand that you have the responsibility for providing notice and obtaining consent for each data collected through your website, even those you have not knowingly authorized.
My company is not in Europe. Should I worry about GDPR?
If you expect visitors/customers from Europe, or with any tiny possibility that you may collect data from an EU citizen, then the short answer is Yes. If any of your third parties which collect information on behalf of you in Europe, then the answer is still Yes.
Preparations before making your website GDPR compliant
- The very first thing you need to do is to review and identify all the personally identifiable information (PII) that you or your third parties collect and store on your website, and process/distribute. Remember if you collect too much data, according to GDPR, you have to assign a Data Protection Officer responsible from monitoring this data.
- Determine your digital supply chain. Check if your website has any tags from third-party vendors (used for digital marketing tools to function) embedded on your webpage.
- Track down visitor actions to understand the data you and your third parties collect and why you collect them.
- Check legal basis for collecting data. If you do not have any legal basis such as requirement to fulfill a contract, protection of rights or safety of others, a valid court order, or legitimate interest to collect the data (like shipping address for an online order), then you definitely need to get customer’s/visitor’s consent.
- Update your terms and conditions on your website to reference GDPR jargon.
- What data are collected,
- For what purpose you need them,
- Where and how long you store them,
- Who can access it,
- How the customer reach it
- How the customer move it to another company (right to data portability)
- How the customer remove it (right to be forgotten)
8 steps to make your website GDPR compliant
- Since GDPR is all about privacy, make sure you have an SSL certificate
- Do not use pre-filled or pre-ticked forms. This is considered as manipulation of the visitor or taking advantage of visitor’s carelessness. Thus, make sure all your consent forms are unchecked. It is also important that they have an easy confirmation.
- Make sure you do not use bundled opt-in. You should ask for consent separately for each item. For instance, you cannot have a check box for “I agree the terms and conditions and I’d like to receive e-mail about offers” (no more naughty marketing).
- Make sure you only ask for essential and necessary information. If you never call your visitors, then do not ask for it.
- If you give all or some part of the data that you collect to a third party (such as Google Analytics), then you exclusively ask customer’s/visitor’s consent for it.
- Based on GDPR, customers have right to withdraw their consent any time and it should as easy as to give the consent. So, it must be one-click away.
- Another right of EU citizens in GDPR is the right to be forgotten. Thus, if a customer demands to be forgotten, all related data should be easily removed, that includes not only name, e-mail addresses, etc, but also comments and posts of the customer. (Remember, if the data you collect become unnecessary after some time, you are obliged to remove them without customer demand). So make sure that customer can easily demand such requests and the data can easily be removed.
- User can opt-in and opt-out (in a granular basis) cookie tracking, IP tracking, social media advertising. Make sure your website allow the customers to do so.
How to prevent, detect, and inform breaches
Prevention of breaches starts with knowing your cyber risk and to see what hackers see when they look at your company and your third parties. If your company or your third parties pose high cyber risks, then breaches may be inevitable. So the first thing you should know is to determine your cyber risk.
If a breach happens despite of all your efforts to prevent it with your cyber defense mechanisms, then you need to inform Information Commissioner’s Office, and in many cases, to individuals in a very short time. Thus, to be aware of such breaches is quite important to avoid late notifications. This requires monitoring dark and deep forums, hacker shares on these forums or on social media.
Black Kite Cyber Risk Scorecard can help a company to determine its and related third parties cyber risk and proactively take necessary measurements to prevent data breaches. It also constantly monitors hackers shares on dark and deep forums and social media. If any information is out related to your company, Black Kite can detect and inform you.
Before GDPR is on, take action now and learn your cyber risk here.
To learn your company’s risk score with a free of charge scorecard, please visit Black Kite and click on Learn Now.