Much has been said on the General Data Protection Regulation (GDPR), but many business owners still struggle to wrap their heads around it.
To make things worse, the GDPR is neither clear on how digital businesses should process data nor does it clearly explain what the implications are and for whom.
SafetyDetectives asked Aaron Cowan from Full Circle Design to clear things up for business owners who want to make their website fully compliant with the current legal requirements, and for online users who are unsure of how the GDPR protects their identity and sensitive data online.
As an expert in website design and SEO, Aaron was able to provide a comprehensive breakdown of the GDPR regulations, and how websites can be sure to comply with them.
Can you explain what GDPR is and how it protects users?
GDPR, which stands for the General Data Protection Regulation, is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect in 2018, replacing the 1995 Data Protection Directive. GDPR strengthens EU data protection rules by giving individuals more control over their personal data. It applies to all organisations that process personal data of EU citizens, regardless of where the organisation is located.
You will see this in action through every EU website cookie consent and privacy pop-up. These may seem annoying or bothersome but are actually designed to protect your privacy and your information. GDPR protects website users by giving them certain rights over their personal data, such as the right to access, rectify, and delete their data.
It also requires organisations to obtain explicit consent from users before collecting, using, or sharing their personal data, and to inform users of their rights and how their data will be used. If not done, then these organisations could face penalties and large fines.
What are the basic requirements for a website to be GDPR compliant?
In order for a website to be compliant with the General Data Protection Regulation (GDPR), it must meet certain requirements including:
- Obtaining explicit consent from users before collecting, using, or sharing their personal data. This consent must be given through a clear and affirmative action, such as a checkbox or button.
- Offering website users the right to access, rectify, and delete their personal data.
- Implementing appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, and destruction. These can include website security such as SSL certificates and spam detection.
- Making sure that any third-party service providers, such as analytics or marketing platforms, that process personal data on behalf of the website are also GDPR compliant.
What if a company doesn’t comply?
If a company fails to comply with the GDPR, it can face significant fines and penalties. The level of the fine will depend on the severity of the violation and the size of the company.
These fines can include up to 10 million or 2% of the company's global annual revenue for less serious violations such as failure to maintain records of processing activities. In addition, more severe penalties can include up to 20 million or 4% of the company's global annual revenue for failure to obtain valid consent for the processing of personal data or for a data breach.
And, once and for all, does GDPR apply to US-based businesses too?
It sure does. GDPR applies to any organisation, regardless of where they are located, that processes personal data of users located in the EU. As an example, if you are a US-based business that offers products, services or information to an EU audience online then GDPR applies to you. Appointing a DPO or Data Protection Officer will help an organisation to adhere to all GDPR policies to avoid any violations.
What is your checklist to make a website GDPR compliant?
We work with all organisation types to design and develop websites. Included in this is our GDPR compliance and policies creation. We follow a number of steps in our checklist to make sure our client websites are GDPR compliant. Our website GDPR checklist includes:
- Data auditing, where we work with our clients to discover their online audience, their locations and their business information. Doing this allows us to identify what personal data they may collect, process and store.
- Create and update privacy policies, terms and conditions and cookie consent.
- Develop explicit consent for website users. Developing this allows our website visitors to accept, decline or customise their consent for how we use their data.
- Review and record potential data breaches. This covers any potential data breaches that may occur, including reporting these breaches to data protection officers in Ireland.
- Provide data access for users: Allow website visitors to access and receive a copy of their personal data, and provide the ability for them to request the deletion of their data.
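The consent step in that checklist (accept, decline or customise, with third-party tags loaded only once consent exists) as an added example, not code from the interview or from Full Circle Design. It assumes a storage object with `getItem`/`setItem`/`removeItem` (a browser would pass `localStorage`; an in-memory stand-in is included so it runs anywhere), an injected clock, and a hypothetical policy version string used to expire stale consent.

```javascript
// Added example: explicit-consent model for a website. Nothing is consented
// until the visitor takes an affirmative action; anything not explicitly true
// is treated as declined; consent given under an older policy version is
// discarded so the visitor is asked again. Storage and clock are injected
// (assumption) so the same code runs in a browser or in a plain Node script.
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies need no consent

function createConsentManager({ storage, now = () => Date.now(), policyVersion = "v1" }) {
  const KEY = "consent";
  const loaded = []; // stand-in for <script> injection: records which third-party tags ran

  function read() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === policyVersion ? rec : null; // stale policy => no consent
  }
  function record(choices) {
    // Only a literal `true` counts as consent; pre-ticked boxes or truthy strings do not.
    const granted = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
    const rec = { version: policyVersion, timestamp: now(), granted };
    storage.setItem(KEY, JSON.stringify(rec)); // keep a dated record of the choice
    return rec;
  }
  return {
    hasConsent(category) { const r = read(); return !!(r && r.granted[category]); },
    acceptAll() { return record(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); },
    declineAll() { return record({}); },
    customise(choices) { return record(choices); },
    withdraw() { storage.removeItem(KEY); }, // right to withdraw consent at any time
    // Gate a third-party tag (analytics, marketing) behind its category; returns whether it loaded.
    loadIfConsented(category, src) {
      if (!this.hasConsent(category)) return false;
      loaded.push(src);
      return true;
    },
    loadedScripts() { return loaded.slice(); },
  };
}

// In-memory storage with the same interface as window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
```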
Apart from GDPR compliance, what security measures and technologies are essential to every website?
There are many additional security measures and technologies that can improve your website security and GDPR compliance.
To start, we would recommend every website have SSL/TLS encryption in place. This encrypts data transmitted between the website and its users to protect it from being intercepted and read by unauthorized parties.
If your website is developed on a website platform such as WordPress, Wix or Squarespace then performing regular updates and back-ups will help to keep your website protected from any known vulnerabilities being exploited. Website back-ups help to store important data and updates from your website. If any security threat or malicious attack unfortunately occurs then you have the ability to remove the corrupted site and quickly restore the previously backed-up site. If your website is developed by a custom development agency then we would recommend that they perform regular updates and back-ups and make sure your website is hosted by a trusted web hosting provider.
What’s the most serious data breach fulfilled or avoided that you heard of?
There are some major cases of data breaches over the years. A few that come to mind are the Yahoo data breach in 2017, which affected over 1 billion users worldwide, the Facebook ‘add friend’ data breach that affected over 530 million users and, more locally, the HSE (Health Service Executive) cyber attack which caused all of its IT systems nationwide to be shut down.
These large scale data breaches and cyber attacks show the severity of having up-to-date and secure websites. If you are creating or developing a website for your business or organisation then make sure to include security and GDPR allowances in your budget.