From 25 May 2018, the GDPR applies as the European data protection law for businesses and organisations that store or process personal data. This post looks at it from the perspective of a website owner: what you need to consider when collecting and storing data from your website users.
The aim of the GDPR is to give individuals more control over how their personal data is used. This includes the right to have their personal information corrected, or to withdraw it, at any time. Now that detailed personal information is stored electronically it is easily transferred, whether through hacking, leaks or unethical practices. The GDPR covers hard copy as well, so be sure to consider anything you also hold in that form.
If your business already treats its users and their privacy with appropriate consideration, you are on the right path. This means not sharing mailing lists, not passing data on to others, and not using personal information for purposes your users would not expect. It does not mean there is nothing to do, because compliance includes regular review of how data is stored and handled. After your users have submitted their information to you, they also have the right to have it changed or removed on request. That could be satisfied through access to a user account or, at the very least, a published point of contact where the request can be made.
A quick checklist for website owners to assist with GDPR compliance:
- Consent must be explicit and affirmative: checkboxes for mailing lists must be opt-in only, never ticked by default, and separate from any terms-and-conditions checkbox.
- Have a clear, documented procedure for what happens when someone asks to correct or remove their data. You also need to be able to supply a copy of the data you hold on a person in a commonly used, readable format. WordPress (4.9.6 and later) provides this under Tools with its Export Personal Data and Erase Personal Data tools.
- If you have old data that is no longer in use, it is probably best to destroy it. Be sure to check old computers, backups and storage media that may no longer be in use.
- Ensure that reasonable security measures are in place to protect personal information, for example serving the site over HTTPS, keeping the platform and plugins up to date, and limiting who can access the database and admin accounts.
- Have a plan for what to do in the event of a security breach. Where a breach is likely to put individuals at risk, the supervisory authority (the ICO in the UK) must be notified within 72 hours of becoming aware of it, and where the risk to individuals is high the affected users must be informed as well, without undue delay.
There is currently a fair amount of scaremongering about the GDPR, based on the enormous fines it makes possible. Much of this is hype driven by clickbait and by new avenues for consulting. At the time of writing, enforcement has not yet begun, so nobody can honestly claim hands-on experience of how it will be applied, and there is no recognised GDPR qualification. Fines are intended as a last resort: in practice an investigation typically follows a complaint or a breach report, and fines are reserved for organisations that fail to put things right.
This is not legal advice, although it is based on information collected from trusted sources:
Information Commissioner’s Office – Charity
GDPR for Business Owners & Senior Executives – Heather Burns
GDPR Forum, London, November 2017
Guide to the General Data Protection Regulation (GDPR) – Information Commissioner’s Office