The following HCOMS article is a brief overview about the new GDPR legislation. It’s likely that we’ll be posting more in-depth articles on this subject, but we want to give you some basic guidance as to what you need to have in place immediately.
The information in this article is not provided as legal advice on GDPR compliance. We advise you to contact a legal expert with experience in this area of legislation. However, the following information is a basic guide to putting things in place that will enable you to be GDPR-compliant.
HCOMS can assist you with this: to find out more, contact HCOMS today.
Five months on, many websites STILL aren’t GDPR-compliant
In our communications and interactions on the Web since 25th May 2018, we at HCOMS have noted that an astonishing number of websites are still not complying with the GDPR.
In the first few weeks after the GDPR became active legislation, it might have been expected that big organisations that were non-compliant would be the first to face hefty fines of up to 20 million euros or 4% of annual turnover (whichever is larger).
However, nearly five months on, we would strongly suggest that it isn’t wise to remain non-compliant with the GDPR on the assumption that, because you run an SME business, for example, “I’m not big or important enough for the GDPR to affect me”.
Here are the main errors HCOMS has witnessed:
- No terms and conditions agreement on contact forms: To be compliant, there must be a link to your organisation’s full T&Cs.
- Not showing contact details of the organisation: you must have clear contact details and any other associated information, such as your VAT number if you are a VAT-registered business, or your registration number if you are a Registered Charity.
GDPR: it’s in force NOW – so you’d best be on the right side of it
The GDPR (General Data Protection Regulation) came into force on the 25th May 2018. It dovetails with the PECR (Privacy & Electronic Communications Regulations).
These two pieces of legislation are part of the EU’s ePrivacy Directive – and following Brexit in 2019, the British Government would need to create and enact similar legislation to cover the UK.
However, it’s important to remember that wherever you, your business or organisation is based in the world, if your website can be viewed in the EU and individuals’ personal data is gathered, then you need to be GDPR-compliant.
Put simply, there isn’t an opt-out for you regarding the law.
Accountability and EU Citizens’ rights under the GDPR
Under the GDPR, the EU citizen whose personal data is being collected, stored and processed by your website is known as the Data Subject.
You and your organisation, who are in overall charge of and direct this process, are known as the Data Controller – and the person(s) who collect, store and process the data via back-end management of your website are known as the Data Processor(s).
A Third Party is someone authorised to process personal data on behalf of the Data Controller or Data Processor.
The Data Recipient(s) are those to whom such data is disclosed.
Here are the main Rights of Data Subjects (this is not the full list, but the ones specifically pertaining to this process):
The Right to Access: As a Data Subject an EU citizen has the right to ask for and receive confirmation on what personal data is being collected, where and how, and what it will be used for. If the Data Subject requests the data, it must be sent to them free of any charge in electronic form.
The Right to Be Forgotten: A Data Subject must have an easy-to-access and easy-to-use way to withdraw consent. On such withdrawal, all collected personally-identifiable data must be purged.
Portability of Data: A Data Subject must be given a clear option to request all personal data held on them by your website. If they request it, they should receive that data and, if they wish, be able to transfer possession of it whenever they request.
Notification of a Data Breach: Should any form of breach or access to personal data that is not authorised occur, a full notification of said breach must be made within 72 hours of knowledge that the breach has occurred. The potential outcome of such a data breach could be considered a “risk to the rights and freedoms of individuals”.
Your initial GDPR checklist: actions to take
IMPORTANT: Remember that there must be a separate request/consent mechanism in place on your website if you wish to offer site visitors the opportunity to receive newsletters/promotions/offers etc., by email or SMS.
- Ensure that any contact form your website generates has a link to your full terms and conditions page. You must have full terms and conditions on your website.
- Display clear contact details for your company (email address, telephone number, business address) and any associated information, e.g. VAT or Registered Charity numbers.
Need assistance? Busy doing what you do best? Talk to HCOMS today
Whether you have a Web manager or not, you may simply be so busy attending to business that you haven’t yet got round to GDPR compliance. Or maybe you just need assistance with putting it in place. HCOMS can help: contact us today.