As I'm sure you'll be aware, there are new data protection rules coming into force, the EU General Data Protection Regulation (GDPR), and as of May 25th 2018 you'll need to be able to demonstrate compliance.
The GDPR makes several significant changes to the way businesses process "personal data", and this post is going to outline the key points you need to consider.
Data controllers and data processors: what is the difference?
It is important for organisations to be able to determine whether they are acting as a data controller or as a data processor in respect of any given data processing. The data controller is the party that exercises overall control over the purpose for which, and the manner in which, personal data is processed; a data processor acts on the controller's instructions. Once you know which you are, you can take the necessary measures to make sure you are compliant.
The Information Commissioner’s Office (ICO) have produced guidance on this subject.
As part of the process you should review and document what data you already hold, where it came from and what you do with that data. Doing this will help you to comply with the GDPR’s accountability principle.
You'll need to review your procedures to cover individuals' rights to have their data deleted and to be supplied with their data electronically.
The GDPR also includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
All forms on your website will require an explanation or a link to an explanation of what you plan to do with the data, with checkboxes for the user to give their consent.
Consent must be freely given, specific, informed and unambiguous. This means that you'll need a separate checkbox for each purpose you intend to use the data for, e.g. one for your T&Cs, one for the newsletter subscription, one for sharing data with a third party, and so on.
You can no longer simply subscribe all users to your newsletter by default or leave it implied what you intend to do with their data. Clear consent must be given at every step of the way, with a simple method for users to update their preferences or delete their data altogether.
Going forward, keeping a record of consent (when and how it was given, and what exactly was consented to) will be key to demonstrating your company's compliance with the GDPR.
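To make the consent requirements above concrete, here is a small example (added for this post; it is not code from DrupalCentric, Drupal or WordPress) of how a site could render one unticked checkbox per purpose and keep an append-only record of when, how and to what each person consented. The purpose ids, the wording shown to users and the "web-form" and "preferences-page" method labels are assumptions for the sake of illustration.

```javascript
// Added example: a minimal consent ledger for per-purpose consent.
// Purpose ids, wording and method labels below are assumptions.

const PURPOSES = {
  terms: "I accept the terms and conditions",
  newsletter: "Send me the monthly newsletter by email",
  thirdParty: "Share my details with our delivery partner",
};

// Build the form fields: every purpose gets its own checkbox, never pre-ticked.
function buildConsentFields(purposes = PURPOSES) {
  return Object.entries(purposes).map(([id, label]) => ({
    name: `consent_${id}`,
    label,
    checked: false, // consent must be an affirmative act, not a default
  }));
}

// Record a submission. Each purpose is evaluated on its own, so a tick for
// one purpose never implies consent for another. Unknown fields are rejected,
// so a bundled "agree to everything" checkbox cannot slip through.
function recordConsent(ledger, subjectId, submission, { now, purposes = PURPOSES, method = "web-form" }) {
  const known = new Set(Object.keys(purposes).map((id) => `consent_${id}`));
  for (const field of Object.keys(submission)) {
    if (!known.has(field)) throw new Error(`unexpected consent field: ${field}`);
  }
  for (const [id, label] of Object.entries(purposes)) {
    ledger.push({
      subjectId,
      purpose: id,
      granted: submission[`consent_${id}`] === true, // only an explicit tick counts
      wording: label, // what the person was shown when they consented
      method,         // how consent was collected
      at: now,        // when it was collected (ISO 8601 string)
    });
  }
  return ledger;
}

// Withdrawal is appended rather than edited, so the history stays intact.
function withdrawConsent(ledger, subjectId, purpose, now, method = "preferences-page") {
  ledger.push({ subjectId, purpose, granted: false, wording: null, method, at: now });
  return ledger;
}

// The most recent event for a subject/purpose decides whether consent is in force.
function hasConsent(ledger, subjectId, purpose) {
  const events = ledger.filter((e) => e.subjectId === subjectId && e.purpose === purpose);
  return events.length > 0 && events[events.length - 1].granted;
}

// Everything held about one person, for access and portability requests.
function exportSubject(ledger, subjectId) {
  return JSON.stringify(ledger.filter((e) => e.subjectId === subjectId), null, 2);
}

// Constructed sample run: user ticks terms and newsletter, later withdraws newsletter.
const ledger = [];
recordConsent(ledger, "user-42", { consent_terms: true, consent_newsletter: true }, { now: "2018-05-25T09:00:00Z" });
withdrawConsent(ledger, "user-42", "newsletter", "2018-06-01T12:00:00Z");
```

The ledger is deliberately append-only: a withdrawal is a new event, not an edit of the old one, so you can still show that consent was validly held for the period in which you used the data, and the export function gives you the data a person is entitled to under the access and portability rights listed above.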
You should put procedures in place to effectively detect, report and investigate a personal data breach. If you discover a data breach you need to assess its impact and decide whether it should be reported to the DPA.
Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure. If you're a small business then you as the business owner must be able to demonstrate your compliance.
If you haven't already, you should consider putting an SSL certificate in place and serving your website over HTTPS so that data in transit, be it a contact form or an ecommerce transaction, is encrypted.
We also provide customers with the opportunity to take up a support agreement that includes updates to their Drupal or WordPress system, to keep the website and its data secure.
We'll be contacting clients on an individual basis to help you become compliant, but if you have any immediate questions do let me know. In the meantime, here is a link to the ICO guide for a full rundown of the requirements.
So can you prove your company is compliant?
That said, I must stress that no one at DrupalCentric is legally trained and so, while we are acting in good faith, we recommend that if you have any concerns you should always work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization and how best to ensure compliance.