Let’s be clear about the GDPR: when it comes to being compliant, there’s no opt-out.

The following HCOMS article is a brief overview of the GDPR. We’ll likely be posting more in-depth articles on this subject, but we want to give you some basic guidance on what you need to have in place immediately.

The information in this article is not provided as legal advice on GDPR compliance. We advise you to contact a legal expert with experience in this area of legislation. However, the following information is a basic guide to putting things in place that will enable you to be GDPR-compliant.

HCOMS can assist you with this: to find out more, contact HCOMS today.

Five months on, many websites STILL aren’t GDPR-compliant

In our communications and interactions on the Web since 25th May 2018, we at HCOMS have noted that an astonishing number of websites are still not complying with the GDPR.

In the first few weeks after the GDPR became enforceable, it might have been expected that large non-compliant organisations would be the first to face fines of up to 20 million euros or 4% of annual worldwide turnover (whichever is higher).

However, nearly five months on, we would strongly suggest that it isn’t wise to remain non-compliant with the GDPR on the assumption that, for example, you run an SME, or in other words, “I’m not big or important enough for the GDPR to affect me”. The fine scale is a ceiling, not a threshold: the ICO can also issue enforcement notices and smaller fines against businesses of any size.

Here are the main errors HCOMS has witnessed:

  • No cookie consent: Those pop-up boxes that ask for consent to cookies, with a link to the website’s privacy policy, may seem annoying, but they are not optional. Consent is required before any cookie that is not strictly necessary for the service the visitor asked for (analytics, advertising and social-media tags, for example) is set, and the pop-up itself must briefly describe what the cookies are used for. Strictly necessary cookies, such as a session or shopping-basket cookie, do not need consent, though your privacy policy must still describe them.
  • No privacy information on contact forms: Article 13 of the GDPR requires that, at the point where personal data is collected, the person is told who is collecting it, why, on what lawful basis and for how long. The practical minimum is a clearly visible link to your privacy policy next to the form. A link to your organisation’s full T&Cs alongside it is good practice, but it does not replace the privacy information.
  • No privacy policy: Under the GDPR, you must publish a privacy policy that clearly sets out how, when, where and why personal data is collected, stored and processed.
  • Not showing contact details of the organisation: the GDPR requires the identity and contact details of the Data Controller (and of your Data Protection Officer, if you have one) to appear in your privacy information. Separate UK company and e-commerce rules require your business name, geographic address and email address to be shown on the site, with your VAT number if you are VAT-registered and, if you are a Registered Charity, your registration number.

GDPR: it’s in force NOW – so you’d best be on the right side of it

The GDPR (General Data Protection Regulation) became enforceable on 25th May 2018. It dovetails with the PECR (Privacy and Electronic Communications Regulations).

PECR covers direct marketing by email and SMS and the use of cookies and similar tracking; the GDPR covers the personal data involved in those activities too, with the emphasis on protecting individuals’ privacy in their online interactions with websites.

The two sit alongside each other rather than inside one another: the GDPR is an EU Regulation that applies directly in every member state, while PECR is the UK’s implementation of the EU’s ePrivacy Directive. The UK’s Data Protection Act 2018 already supplements the GDPR in UK law, and following Brexit the British Government would need to retain these rules in domestic legislation for them to continue to apply in the UK.

However, it’s important to remember that the GDPR applies wherever you, your business or organisation is based in the world if your website offers goods or services (paid or free) to people in the EU, or monitors their behaviour, for example through analytics or advertising cookies. Merely being viewable from the EU is not the test; collecting personal data from people there is.

Put simply, there isn’t an opt-out for you regarding the law.

Accountability and individuals’ rights under the GDPR

Under the GDPR, the Data Subject is the identifiable living individual whose personal data is being collected, stored and processed by your website. The test is that the person is in the EU, not that they hold EU citizenship.

You and your organisation, who decide why and how that data is processed, are the Data Controller. A Data Processor is a separate person or organisation that processes the data on your behalf and on your instructions, for example your web host, your email marketing provider or an outsourced web manager. Your own staff who manage the back end of your website act under your authority and are part of the Controller, not Processors. You remain accountable for what your Processors do, so have a written contract with each of them.

A Third Party is anyone other than the Data Subject, the Controller, the Processor and the people working under their direct authority.

The Data Recipient(s) are those to whom such data is disclosed.

Here are the main rights of Data Subjects (this is not the full list, but the ones specifically pertaining to this process):

The Right of Access: a Data Subject has the right to ask whether you hold personal data about them and, if so, to receive confirmation of what it is, where it came from, what it is used for and who it is shared with, together with a copy of the data. You must respond within one month and free of charge, and if the request was made electronically the copy should be provided in a commonly used electronic form.

The Right to Be Forgotten (erasure): where you rely on consent, the Data Subject must have an easy-to-access, easy-to-use way to withdraw it, as easy as giving it was. On withdrawal, or on request where the data is no longer needed for the purpose it was collected for, the personal data must be erased from your systems and from those of any Processor holding it for you. The one caveat is that data you are legally obliged to keep (accounting records, for example) may be retained for that purpose only.

Portability of Data: where you process data the person gave you, by automated means, on the basis of consent or a contract, the Data Subject is entitled to receive that data in a structured, commonly used, machine-readable format (CSV or JSON, for example) and to have it transmitted directly to another organisation where technically feasible. Your privacy policy should tell them clearly how to ask.

Notification of a Data Breach: if personal data is lost, destroyed, altered, disclosed or accessed without authorisation, you must notify the ICO (the UK supervisory authority) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those individuals, you must also tell them without undue delay. Keep a record of every breach, whether or not you notified it.

Your initial GDPR checklist: actions to take

  • Make sure your website displays a cookie consent pop-up before any non-essential cookie is set, with a clear, concise description of what the cookies are used for and a link to your website’s privacy policy. Consent must be an affirmative action: pre-ticked boxes or simply continuing to browse do not count, and the visitor must be able to refuse, and later withdraw, as easily as they accepted.

IMPORTANT: Remember that there must be a separate, unticked consent mechanism on your website if you wish to offer site visitors newsletters, promotions, offers etc. by email or SMS. Consent to cookies, or to you handling a contact-form enquiry, does not cover marketing.

  • Ensure that every contact form on your website is accompanied by a link to your privacy policy, and also a link to your full terms and conditions where the form starts a contractual relationship (an order or booking, for instance). You must have both pages on your website.
  • Check that you have a clearly explained privacy policy on your website that sets out how, when, where and why you collect personal data, the lawful basis you rely on, how long you keep it and who it is shared with. It must also tell visitors how to exercise their rights: access to their data, withdrawal of consent and erasure, and portability of that data, with a contact for doing so.
  • Display clear contact details for your company (email address, telephone number, business address) and any associated information, e.g. VAT or Registered Charity numbers.
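The first item on the checklist, gating non-essential cookies behind consent and honouring withdrawal, is the one most often done wrong in practice: the banner appears but the analytics tag has already fired. The following is an added example written for this article, not HCOMS code or any vendor’s consent tool. It is a small server-side consent gate in Node.js: nothing outside the “essential” category is sent to the browser until the visitor has opted in, the choice is stored in a first-party cookie stamped with a policy version so that a changed cookie policy re-prompts, and withdrawal expires the cookies those tags set. The cookie names, script URLs, script catalogue and six-month re-consent period are assumptions.

```javascript
// Added example, written for this article and not HCOMS code: a server-side
// consent gate in Node.js. Non-essential tags (analytics, marketing) are not
// sent to the browser until the visitor has opted in; the choice is stored in
// a first-party cookie stamped with a policy version so that a changed policy
// re-prompts; withdrawal expires the cookies those tags set. The cookie names,
// script URLs and six-month re-consent period below are assumptions.

const CONSENT_COOKIE = "cookie_consent";
const POLICY_VERSION = 2;                 // bump whenever the cookie policy text changes
const CONSENT_MAX_AGE = 180 * 24 * 3600;  // seconds; re-ask after six months

// Everything the site could load, by category (constructed catalogue). Only
// "essential" may run without consent; the cookie lists are what withdrawal
// must expire.
const CATALOGUE = [
  { src: "/js/app.js",                       category: "essential", cookies: ["session"] },
  { src: "https://analytics.example/tag.js", category: "analytics", cookies: ["_an_id", "_an_sess"] },
  { src: "https://ads.example/pixel.js",     category: "marketing", cookies: ["_ad_uid"] },
];

// Percent-decode without throwing on a malformed value (treat it as absent).
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return null; }
}

// Parse a Cookie request header into { name: value }. First occurrence wins.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = safeDecode(part.slice(idx + 1).trim());
    if (name && value !== null && !(name in out)) out[name] = value;
  }
  return out;
}

// The recorded choice, or null if there is none, it is malformed, or it was
// given under an older policy version (in which case it no longer counts).
function readConsent(header) {
  const raw = parseCookieHeader(header)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.v !== POLICY_VERSION || typeof rec.at !== "number") return null;
  return { analytics: rec.analytics === true, marketing: rec.marketing === true, at: rec.at };
}

// Show the banner whenever there is no valid record for the current policy.
function shouldPrompt(header) {
  return readConsent(header) === null;
}

// Set-Cookie header value recording an explicit choice made at time `now`
// (Unix seconds). Categories not explicitly set to true are recorded as
// false: silence or a pre-ticked box is not consent.
function consentSetCookie(choices, now) {
  const rec = {
    v: POLICY_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    at: now,
  };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}` +
         `; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Script URLs the page may include for this visitor: essential ones always,
// the rest only when their category was explicitly consented to.
function allowedScripts(header) {
  const consent = readConsent(header);
  return CATALOGUE
    .filter(s => s.category === "essential" || (consent !== null && consent[s.category] === true))
    .map(s => s.src);
}

// Withdrawal: forget the record and expire every non-essential cookie in one
// response. The Path/Domain attributes must match the ones the tag used when
// it set the cookie, or the browser treats it as a different cookie; cookies a
// tag set on a third-party domain cannot be expired from here, which is why
// allowedScripts() must also stop loading the tag once consent is gone.
function withdrawalSetCookies() {
  const names = [CONSENT_COOKIE];
  for (const s of CATALOGUE) if (s.category !== "essential") names.push(...s.cookies);
  return names.map(name => `${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
}
```

In a request handler you would call shouldPrompt(req.headers.cookie) to decide whether to render the banner, allowedScripts(req.headers.cookie) to decide which script tags the page template may emit, consentSetCookie(choices, Math.floor(Date.now() / 1000)) when the banner form is submitted, and withdrawalSetCookies() from the “manage cookies” link your privacy policy points to. Storing the same record (version shown, choices, timestamp) server-side as well gives you the evidence of consent that the accountability principle asks for.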

Need assistance? Busy doing what you do best? Talk to HCOMS today

Whether you have a Web manager or not, you might simply be so busy attending to business that GDPR compliance hasn’t happened yet. Or maybe you just need assistance with putting it in place. HCOMS can help: contact us today.
